PCI compliance checklist and guide
A PCI compliance checklist is a must for any business that processes credit cards. If your business accepts payment cards from MasterCard, Visa, American Express, Discover, or JCB, you are required to be PCI compliant, and the specific reporting requirements you must meet are determined by your transaction volume.
Payment Card Industry Data Security Standard (PCI DSS) or, more commonly, PCI compliance, is important because it establishes a list of requirements that help business owners protect sensitive cardholder information. PCI standards protect your customers from security breaches and go a long way towards preventing identity theft.
A PCI compliance checklist ensures:
- The secure storage of credit card data on-site, both virtually and physically. This standard applies only to companies that store credit card data.
- Secure transmission of credit card data across public networks. Data is vulnerable while it is in transit, and passwords, PINs, and other controls help keep cardholder information safe.
PCI compliance checklist to protect cardholder data
- Install and maintain a firewall, which is a network security system that uses a pre-established set of rules to monitor and control traffic going to and coming from a network.
- Protect stored cardholder data
- Maintain updated anti-virus software
- Encrypt transmission of cardholder data across public networks
- Change vendor-supplied default system passwords and other security parameters rather than using them as shipped, and keep them updated
- Ensure you are maintaining the security of your systems
- Regularly test security systems
- Restrict virtual and physical access to cardholder data
- Assign a unique ID to each person with computer access
- Track and monitor all access to network resources and cardholder data
- Train your staff in how to help maintain effective security of customer data
Compliance levels and requirements
The first step in a PCI compliance checklist is to figure out which level of compliance your business falls under. Compliance reporting requirements are not all the same; they differ based on your processing volume.
While each of the five credit card brands listed above has its own data security programs that require merchants to safeguard credit card processing data, here is an overview of merchant levels to determine how to stay PCI compliant.
Merchant level 1
Whom it applies to:
- Businesses that process over 6 million transactions per year
- Any merchant that has had a data breach or attack that resulted in an account data compromise
- Any merchant identified by any card association as Level 1.
Level 1 PCI requirements:
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), also known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company
- Quarterly network scan by an Approved Scanning Vendor (ASV)
- Attestation of Compliance form
Merchant level 2
Whom it applies to:
Businesses that process 1 million to 6 million transactions per year.
Level 2 PCI requirements:
- Complete the PCI DSS Self-Assessment Questionnaire (SAQ) according to the instructions it contains
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor
- Complete the relevant Attestation of Compliance in its entirety
- Submit the SAQ, evidence of a passing scan and the Attestation of Compliance, along with any other requested documentation, to your acquirer
Merchant level 3
Whom it applies to:
Businesses that process between 20,000 and 1 million e-commerce transactions per year.
Level 3 PCI requirements:
- Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor
- Complete the relevant Attestation of Compliance in its entirety
- Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer
Merchant level 4
Whom it applies to:
Businesses that process 20,000 or fewer e-commerce transactions per year, and all other merchants that process up to 1 million transactions per year.
Level 4 PCI requirements:
- Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor
- Complete the relevant Attestation of Compliance in its entirety
- Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer
Why PCI compliance matters and what it costs
While PCI compliance is not enforced legally, there are consequences for business owners who do not maintain PCI standards, including data breaches, fines, card replacement costs, costly forensic audits, and investigations into your business, not to mention losing the trust of your customers.
Monthly PCI compliance fees typically range from $4.99 to $19.99. PCI non-compliance fees, for businesses that fail to maintain proper security standards and procedures as outlined by their credit card processor, are about $20 per month.
PCI compliance fees are levied by credit card processors and can be accompanied by some benefits for the business owner paying them. Reputable processors provide support and guidance to business owners on how they can remain PCI compliant. Others, unfortunately, will simply charge the fee without providing much value. Doing a little bit of legwork can ensure that you are getting your money's worth for the PCI compliance fees you are paying.
PCI compliance myths
As you go through your PCI checklist, be mindful that there are a number of myths and misconceptions about this relatively poorly understood area of credit card processing.
Myth #1: PCI compliance is only necessary if you are a big business.
While the different merchant levels seem to imply that PCI compliance is geared only towards large businesses with millions of annual transactions, the safety and security of customer data is perhaps even more critical for small businesses.
Myth #2: Breach protection insurance fees protect against data breaches, even if you're non-compliant.
Myth #3: PCI compliance only applies to businesses that store credit card information.
Myth #4: The PCI data security standard is open to interpretation.
How Sekure can help with PCI compliance
A PCI compliance checklist involves many steps. As you're working your way to being PCI compliant, remember the person whom your efforts will impact the most: your customer. The number one reason to achieve PCI compliance is to earn your customers' trust so they know you are keeping their personal information safe and secure.
Sekure helps you protect customer data and meet PCI compliance standards with our partner, North, a company that has been safeguarding sensitive cardholder data for more than 25 years. To learn more about achieving PCI compliance, contact us today.