Merchant Resources

Merchant Resources

With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business. A strong data security foundation starts with people, process and technology. Learn more about PCI resources and tools that can help you secure payment data.

Hire qualified and trusted partners and train your staff to understand payment data security essentials.

Put the right policies and practices in place to make payment security a priority every day.

Make sure you are using the right technology and implementing it correctly to get the best security and business benefits.

Threat Center

Criminals use malicious software to infiltrate a computer system and steal payment data. Ransomware is the fastest growing malware threat.

Phishing emails are a common delivery
vehicle for malware. These emails look
legitimate, such as an invoice or electronic
fax, but they include malicious links and/or attachments that can infect your computer and system.

Criminals can gain access to your systems
that store, process, or transmit payment
data through weak remote access controls. Remote access may be used by your payment terminal vendors, for example, to provide support to your terminal or to provide a software update.

More than 80% of data breaches involve
stolen/or weak passwords.
*Verizon 2017 DBIR

Criminals look for outdated software to
exploit flaws in unpatched systems.

Criminals attach small hardware "skimming devices" to card readers which can sweep customer payment data when they use payment cards at your store. Criminals use the stolen data to create counterfeit cards and make illegal purchases.

Data Security Essentials Resources

These resources provide simple guidance on why and how to keep customer payment data safe. Start educating your small business customers and partners on payment security basics by downloading these resources now

Guide to Safe Payments

Guide to Safe Payments

Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help. Available in spiralbound format too – click here to order.

Common Paymnent Systems

Common Payment Systems

Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.

Questions to Ask Your Vendors

Questions to Ask your Vendors

A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.

Glossary of Payment and Information Security Terms

Glossary of Payment and Information Security Terms

Easy-to-understand explanations of technical terms used in payment security

Data Security Essentials Evaluation Tool

Data Security Essentials Evaluation Tool

This online tool and accompanying evaluation forms provide a preliminary evaluation of a small merchant’s security posture.

PCI Firewall Basics

PCI Firewall Basics

A one-page infographic on firewall configuration basics.

Videos and Infographics

Payment Data Security Essential: Strong Passwords

The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by changing vendor default passwords to strong ones, and never sharing passwords.

Payment Data Security Essential: Secure Remote Access

Insecure remote access is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimizetheir chances of being breached by only allowing remote access when necessary and using multi-factor authentication.

Payment Data Security Essential: Patching

Unpatched software is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by installing software patches quickly.

Payment Data Security Essential: Strong Passwords

The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by changing vendor default passwords to strong ones, and never sharing passwords.

Payment Data Security Essential: Secure Remote Access

Insecure remote access is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimizetheir chances of being breached by only allowing remote access when necessary and using multi-factor authentication.

Payment Data Security Essential: Patching

Unpatched software is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by installing software patches quickly.

Co-Brand

Your customers trust you with their business. Show them you take their data protection just as seriously by co-branding the PCI Data Security Essentials for Small Merchants with your company logo.

  • Order 20+ generic spiraI bound books
  • Order 1,000+ customized spiral bound books, cobranded with your company logo
  • Customize, co-brand the digital version with your company logo

For more information on co- branding or bulk orders, click here

Recommended Training

  • Entry level option: PCI Awareness training is available online 24/7/365. Learn about the 12 PCI Requirements at your own pace to improve your security posture and reduce risk to cardholder data.
  • More advanced option: PCI Professional (PCIP) training is a
    self-paced eLearning course for those with a minimum of two years IT experience. This course delivers you tools to help build a secure payment environment and help your rganization achieve PCI compliance. Earn a three-year renewable credential and get listed on the PCI website.
  • Additional educational resources: Check out PCI SSC
    payment security educational resources for infographics, videos, webinars and other useful tools for learning how to protect payment data.

Frequently Asked Questions

The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.

Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently have their own PCI compliance programs for the protection of their affiliated payment card account data.  Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in How do I contact the payment card brands?

Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.

PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.

Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment.  The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4.  However, encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met.  For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments. 

Each SAQ contains a “Before you Begin” section, which outlines the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met in order to use that SAQ. 

Additional guidance is also provided in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document in the Document Library.

Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume.  When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.  

Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or payment brand they do business with, as applicable.