PCI Compliance Guide

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that every company that accepts, processes, stores, or transmits credit card information maintains a secure environment. This guide explains the fundamentals of PCI compliance and what your organization needs to do to comply.

1. Who Needs PCI Compliance?

Any organization that handles cardholder data must be PCI compliant. This includes merchants, payment processors, financial institutions, and service providers. Even if your company processes just one credit card transaction, PCI DSS applies.

2. The 12 PCI DSS Requirements

  • Install and maintain a firewall to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel
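Several of these requirements (protecting stored cardholder data, encrypting it in transit, and tracking all access) hinge on one practical question: is a full primary account number (PAN) ever ending up somewhere it should not be, such as an application log? The following script is an added example written for this guide; it is not part of the standard's text. It scans a few constructed log lines for 13- to 19-digit runs, confirms each candidate with the Luhn check, and masks any confirmed PAN to the first six and last four digits, which is the most PCI DSS allows to be displayed. The log format and card numbers are constructed test values, and the Luhn check is a heuristic (it will flag any Luhn-valid number, not only card numbers).

```python
import re

# Constructed sample log lines for demonstration; not from any real system.
# The card numbers are well-known public test values, not real accounts.
SAMPLE_LOG_LINES = [
    "2024-01-05 12:00:01 order=1001 card=4111111111111111 status=approved",
    "2024-01-05 12:00:02 order=1002 card=5500000000000004 status=declined",
    "2024-01-05 12:00:03 order=1003 ref=1234567890123456 status=pending",  # fails Luhn
    "2024-01-05 12:00:04 health check ok",
]

# A PAN candidate is a run of 13-19 digits not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> tuple:
    """Mask every Luhn-valid PAN in a line; return (new_line, pan_count)."""
    count = 0

    def repl(match):
        nonlocal count
        candidate = match.group(1)
        if luhn_valid(candidate):
            count += 1
            return mask_pan(candidate)
        return candidate            # not a PAN by Luhn, leave untouched

    return CANDIDATE_RE.sub(repl, line), count


def scan_log(lines):
    """Redact a sequence of log lines; return (redacted_lines, total_pans_found)."""
    redacted = []
    findings = 0
    for line in lines:
        new_line, n = redact_line(line)
        redacted.append(new_line)
        findings += n
    return redacted, findings


if __name__ == "__main__":
    cleaned, found = scan_log(SAMPLE_LOG_LINES)
    for line in cleaned:
        print(line)
    print(f"PANs found and masked: {found}")
```

Run against the constructed sample, the scanner masks the two Luhn-valid card numbers and leaves the reference number on the third line alone; a non-zero count in a production log is a finding to remediate under Requirement 3, not just something to mask after the fact.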

3. Levels of PCI Compliance

There are four merchant levels, based on the number of credit card transactions processed annually, and each level has different validation requirements:

  • Level 1: Over 6 million transactions per year
  • Level 2: 1 to 6 million transactions
  • Level 3: 20,000 to 1 million e-commerce transactions
  • Level 4: Fewer than 20,000 e-commerce transactions or up to 1 million other transactions

4. How to Become PCI Compliant

Steps to achieve PCI compliance include:

  • Determine your compliance level
  • Complete the Self-Assessment Questionnaire (SAQ)
  • Conduct a vulnerability scan if required
  • Remediate any security vulnerabilities
  • Submit the Attestation of Compliance (AOC)

5. Maintaining Compliance

Compliance isn’t a one-time event. Your organization must maintain compliance year-round with continuous monitoring, employee training, and periodic assessments.