PCI DSS Security Compliance

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and service providers that store, process, or transmit cardholder data. No matter how you process payments, EMV or otherwise, it is your responsibility to fulfill these requirements.

  • Understand your security obligations
  • Learn how to validate your compliance
  • Get answers to your questions

Compliance Validation

BB&T requires all merchants to validate their PCI DSS compliance. We recommend that you engage a Qualified Security Assessor (QSA) to assist you through this process.

To validate compliance, merchants must take the following steps:

  • Complete and pass an annual PCI DSS Self-Assessment Questionnaire (SAQ) appropriate for your merchant processing environment.
  • If you store or process cardholder data on or through an Internet-facing environment, you must also pass quarterly vulnerability scans of your network.

Additional certification requirements may apply based on your processing environment and the number of transactions you process annually.

Network Scans

The PCI DSS requires that all merchants with external-facing IP addresses perform quarterly external network scans to achieve compliance. These scans identify vulnerabilities in operating systems, services and devices that an attacker could use to reach the company’s private network. A current list of Approved Scanning Vendors (ASVs) can be found on the PCI SSC website.

PCI DSS Requirements

Identity theft and data security have become worldwide concerns for both consumers and businesses. The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including Visa® Inc., MasterCard® Worldwide, American Express®, Discover® Financial Services and JCB International to facilitate the broad adoption of consistent data security measures on a global basis.

All merchants, whether small or large, that process, store or transmit cardholder data must adhere to the following requirements for PCI DSS compliance:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect data.
  • Avoid using vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Protect stored data.
  • Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program

  • Use and regularly update antivirus software.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security.

Some of the standards above may not be applicable to all processing environments.

PCI DSS compliance does not guarantee that a security breach will never occur, but it greatly reduces the chance of a successful breach. If your business is validated as compliant at the time of a breach, the payment networks may grant you safe harbor from fines.


What is the PCI DSS? Who defines this standard?

Where can I get more information on the actual published PCI DSS, or on the individual credit card brands' security programs?

Who is required to comply, and what are the validation requirements?

Will I need to upgrade my equipment, software or networks to become PCI DSS compliant?

How is an IP-based point-of-sale (POS) environment defined?

How is the transaction volume that determines a merchant's compliance level measured?

Can my compliance requirements change?

What if I change the way I process transactions including storage or transmission of cardholder data, do I have to recertify my compliance?

How is cardholder data defined?

When is it acceptable to store magnetic stripe data?

What if my business does not comply with PCI DSS?

What is a network security scan?

Is there a cost to use a qualified security assessor (QSA) or approved scanning vendor (ASV)?

How can I find a list of approved security assessors and scanning vendors?

I use a PCI DSS compliant terminal/gateway. Why do I need to certify I am PCI DSS compliant?

I currently use a PCI-compliant (and validated) Service Provider. Why do I need to certify I am PCI DSS compliant?

What should I do if I suspect a breach has occurred and cardholder data may have been compromised?

Who can I speak to at BB&T if I have questions?

Get Assistance

By Phone

Call a Merchant Consultant at 866-238-2420.
Register for Merchant Connection online access by calling 877-672-4228.

By Email

Request maintenance on your existing merchant account by email.
