The ultimate PCI compliance checklist
Explore why obtaining PCI compliance is critical for your business
With around 127 million Americans (almost half of all of them) having had a fraudulent charge on their credit card, it’s important that, as a business owner, you take consumers’ concerns about credit card data seriously.
Achieving PCI compliance is one of the most effective ways to show customers that you can keep their sensitive data secure and that your business is trustworthy.
Continue reading to learn about the requirements your business needs to meet to achieve PCI compliance.
What is PCI compliance?
PCI DSS stands for Payment Card Industry Data Security Standard, a set of security requirements that aim to keep customer credit card information safe. Any business that accepts, processes, stores, or transmits credit card data must be PCI compliant.
PCI DSS was created by a group of major companies to set a standard of protection for consumers and help to reduce fraud and data breaches.
Three main components of PCI compliance
PCI compliance involves three main aspects:
- Handling credit card information. Businesses that handle credit card data are required to achieve PCI compliance by complying with the requirements outlined by the PCI security standard.
- Securing stored data. Any business that stores credit card data should keep the systems that handle and store this data separate from the rest of its environment. If a business chooses not to separate its credit card systems from regular business operations, it will need to ensure that all of its systems and platforms adhere to the PCI compliance requirements, because they are all in scope.
- Validating annually. The PCI validation form must be completed annually by businesses that must remain PCI compliant. This validation can contain forms and questionnaires where you have to provide information on the number of transactions, if your business experienced a data breach, and more.
What are PCI compliance levels?
There are four PCI compliance levels that your business could be assigned depending on the number of transactions you process annually. Businesses at different levels have different requirements for achieving and maintaining their PCI compliance.
- Level 1: Level 1 businesses are those that process over 6 million card transactions each year or businesses that have experienced a data breach. These businesses must complete an annual report on compliance through a qualified security assessor as well as a quarterly network PCI scan by an external auditor.
- Level 2: Businesses under this level process between 1 million and 6 million transactions annually. Level 2 businesses must complete a self-assessment questionnaire each year and a quarterly network PCI scan by an approved scan vendor.
- Level 3: Level 3 businesses process between 20,000 and 1 million e-commerce transactions annually. These businesses are required to complete a self-assessment questionnaire each year and a quarterly network PCI scan by an approved scan vendor.
- Level 4: Businesses that fall under this level are those that process under 20,000 e-commerce transactions each year. Level 4 businesses must complete a self-assessment questionnaire each year and a quarterly network PCI scan by an approved scan vendor.
What are the requirements for PCI compliance?
In order for your business to become PCI compliant, you must comply with over 300 sub-requirements that are split up into 12 requirement groups:
- Install and maintain a firewall to protect cardholder data.
- Create unique passwords and change them frequently, and be sure to not use vendor-supplied default passwords.
- Protect stored cardholder data.
- Encrypt the transmission of any cardholder information across public networks.
- Implement and regularly update antivirus software.
- Develop and maintain secure systems.
- Restrict access to cardholder data by business need-to-know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
How does a business become PCI compliant?
There are steps your business must follow and processes you must complete before becoming PCI compliant.
- Determine your business’s PCI level. This is the first step you must complete, as it’s critical you know exactly what is required of your business.
- Map the flow of cardholder data. Track where credit card data is coming from, which system it is stored on, and who has access to this data.
- Complete and submit the self-assessment questionnaire (SAQ). The SAQ is a tool that you and your team must complete to confirm that your business meets the 12 requirements. If your business falls under the Level 1 category, an approved auditor will determine whether your business meets these requirements instead.
- Fill out and submit the Attestation of Compliance (AOC). This form ensures that your business meets all 12 requirements.
- Monitor and maintain your systems. PCI compliance is not a one-time process. Whether your business is a Level 1 or Level 4 business, you will need to reassess your business’s controls at least annually. It is an ongoing process, and it’s important to keep up with software updates and ensure your systems and networks remain secure between assessments.
Looking for an IT partner to assist with PCI compliance?
At InterNetwork IT, our team of experienced IT professionals has provided IT services to small and medium-sized businesses across Central Florida for nearly 10 years.
Ready to get started?
Contact us today to learn more!