The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council on behalf of the major card brands, designed to make credit, debit and prepaid card transactions as secure as possible. If your business takes payments by card, becoming PCI compliant is one of the best ways to secure your business and protect your customers. PCI compliance reduces the risk of card fraud and data breaches. Complying with PCI DSS is usually a contractual obligation under your agreement with your acquiring bank and the card brands rather than a statutory one, but it is best practice for keeping your business secure, and non-compliance can lead to fines and to losing the ability to accept cards.
There are multiple steps businesses should take to become PCI compliant. The standard contains many individual controls, so there can be a long list of things to check off, from choosing the right IT tools to enforcing strong authentication.
Understand PCI Compliance
Start by making sure you understand what PCI compliance entails. Merchants are placed in one of four compliance levels based on the number of card transactions they process per year. The thresholds vary slightly between card brands but roughly follow this model:
- Level 1: more than 6 million transactions a year (or any merchant that has suffered a data breach, or that a card brand otherwise designates as Level 1)
- Level 2: between 1 million and 6 million transactions a year
- Level 3: between 20,000 and 1 million e-commerce transactions a year
- Level 4: fewer than 20,000 e-commerce transactions a year, or up to 1 million card-present transactions a year
Merchants at levels 2 to 4 complete an annual Self-Assessment Questionnaire (SAQ) and, depending on how they handle card data, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). Level 1 merchants must have an annual on-site assessment, performed by a Qualified Security Assessor (QSA) or a qualified internal assessor and documented in a Report on Compliance (ROC), as well as quarterly ASV scans. Some card brands also require Level 2 merchants to have their SAQ completed by a QSA or a PCI-certified Internal Security Assessor (ISA).
Know the 12 Requirements
There are 12 key requirements, grouped under six control objectives, that a business must meet to be PCI compliant. In the wording of PCI DSS v3.2.1 (v4.0, which replaced it in 2024, rewords them slightly but keeps the same 12), they are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components (a unique ID for every user, strong authentication)
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Use the Self-Assessment Questionnaire
The PCI Self-Assessment Questionnaire (SAQ) is used to determine whether your business currently meets the requirements. There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE and D), chosen according to how you accept and handle card data: a merchant that fully outsources card handling to a validated third party may qualify for the short SAQ A, while one that stores cardholder data on its own systems must complete the full SAQ D. Each requirement is broken down into individual questions, giving you a thorough picture of what you should be doing and where you fall short. Once the SAQ is complete you sign an Attestation of Compliance (AOC), the document you present to show that you comply.
Carry Out a Vulnerability Scan
An external vulnerability scan identifies weaknesses in your internet-facing systems and the areas where you are not meeting the standard. For PCI DSS purposes it must be performed at least quarterly, and after any significant change, by an Approved Scanning Vendor (ASV); a scan only passes if no vulnerability with a CVSS base score of 4.0 or higher is found. Requirement 11 also calls for quarterly internal vulnerability scans, which you can run yourself. Which SAQ type you complete determines whether ASV scans apply: SAQ A and SAQ B do not require them, for example, while A-EP, C and D do.
Maintain a Secure Network
Building and maintaining a secure network with the right IT tools is key to PCI compliance. Installing a firewall that separates the cardholder data environment from the rest of your network, and reviewing its rule set at least every six months, is one of the first steps. Change every vendor-supplied default password and setting before a device goes into service. PCI DSS v3.2.1 requires user passwords to be at least seven characters long, contain both letters and numbers, and be changed at least every 90 days; v4.0 raises the minimum to 12 characters and allows the 90-day rotation to be dropped where multi-factor authentication or continuous risk-based access analysis is in place. Multi-factor authentication is required for remote access into the network and for administrative access to the cardholder data environment.
Protect Cardholder Data
Cardholder data needs to be protected throughout its whole journey. Map the flow of cardholder data through your systems, from the point of capture through transmission, storage and deletion, so you know exactly where it lives and where to focus your controls; the fewer systems that touch it, the smaller the scope of your assessment. Do not store card data you don't need. Sensitive authentication data, meaning full magnetic-stripe or chip track data, the card verification code (CVV2, CVC2, CID) and PINs or PIN blocks, must never be stored after authorisation, even in encrypted form. If you must keep the primary account number (PAN), render it unreadable wherever it is stored using truncation, tokenisation, a keyed hash or strong encryption with properly managed keys, and mask it when displayed (by default no more than the first six and last four digits). Encrypt cardholder data in transit over public networks with current TLS, and protect the physical media and premises as well as the systems.
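As an added example, not code from the original article, the Python below shows what "don't store what you don't need" looks like in practice: it validates a PAN with the Luhn check, masks it for display, replaces it with a keyed token before storage, drops sensitive authentication data before anything is persisted, and scans a log line for PANs that should never have been written. The record field names, the HMAC-based tokenisation and the demo key are my assumptions; the card numbers are widely published test numbers, not real cards.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo key (generated at import time). In production the key comes
# from a key manager or HSM, is rotated, and is never hard-coded or logged.
TOKEN_KEY = secrets.token_bytes(32)

# Sensitive authentication data (SAD): never persisted after authorisation,
# not even encrypted. These field names are my assumption about the input.
SAD_FIELDS = frozenset({"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block",
                        "track1", "track2"})


def luhn_ok(pan: str) -> bool:
    """True if `pan` is 13-19 digits with a valid Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, the rest masked."""
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash of the PAN for lookups and de-duplication.

    An unkeyed SHA-256 of a PAN is brute-forceable: once the BIN is known
    there are only about 10^9 candidates, so an HMAC with a secret key is used.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_card(record: dict) -> dict:
    """Reduce an authorisation record to what may be persisted.

    SAD fields are dropped, the raw PAN is replaced by its masked display form
    plus a keyed token, and everything else (expiry, name, order id) passes
    through unchanged.
    """
    pan = re.sub(r"[ -]", "", record["pan"])
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    stored = {k: v for k, v in record.items()
              if k not in SAD_FIELDS and k != "pan"}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan)
    return stored


# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run. The Luhn filter below removes most timestamps and ids.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Scan free text (log lines, tickets, exports) for Luhn-valid PANs.

    Returns the masked form of each hit so the scanner's own output does not
    become yet another place where full PANs are stored.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


if __name__ == "__main__":
    # Constructed sample input using a well-known Visa test number.
    record = {"order": 42, "name": "A Customer", "pan": "4111 1111 1111 1111",
              "expiry": "12/29", "cvv2": "123"}
    print(store_card(record))
    # Constructed log line: neither the PAN nor the CVV should have been logged.
    print(find_pans("2024-05-01 10:03:22 auth order=42 "
                    "card=4111 1111 1111 1111 cvv=123 result=ok"))
```

Running `find_pans` over application logs, support tickets and database exports is a cheap way to discover cardholder data that has leaked outside the systems you mapped; every hit widens the scope of your assessment until it is cleaned up.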
Submit Documents to Your Acquirer and Card Brands
Submitting evidence of PCI compliance to your acquiring bank, and through it to the card brands, is normally a required step: your merchant agreement typically obliges you to validate compliance every year. The acquirer will ask for your signed Self-Assessment Questionnaire and Attestation of Compliance (or a Report on Compliance for Level 1), together with passing ASV scan reports where they apply, as proof that you meet the standard.
Continue to Monitor Compliance
Setting up everything required for PCI compliance is only the first step. An assessment is a point-in-time snapshot, but the standard expects the controls to operate continuously, and your systems and the data you store will change. Keep monitoring your controls (daily log review, quarterly vulnerability scans, six-monthly firewall rule reviews, annual penetration tests and policy reviews) and update your scope and documentation whenever a system, vendor or payment channel changes. Assign clear ownership of this task to a named team or individual.