If your business handles credit card payments, PCI DSS compliance is crucial. Discover everything you need to know about complying with the Payment Card Industry Data Security Standard in just 6 steps. Protect cardholder data and avoid penalties by following this simple checklist by 6clicks.
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for protecting cardholder data against fraud and breaches. It is maintained by the PCI Security Standards Council, which was founded by the major card brands, and it applies to banks, card companies, merchants, service providers, and any other organisation that accepts card payments. Read more in our blog: All About PCI Compliance & Reporting.
PCI DSS compliance is mandatory for any organisation that stores, processes, or transmits cardholder data. The obligation is contractual rather than statutory: it flows from your agreement with your acquiring bank, which in turn answers to the card brands. If you accept or process payment cards, you need to comply with PCI DSS. Non-compliance can attract fines ranging from $5,000 to $100,000, which the card brands levy on the acquiring bank and the bank typically passes on to the merchant.
The 12 requirements for PCI DSS compliance
PCI DSS compliance requires you to meet the following 12 requirements. They cover the processes, policies, and security controls that protect cardholder data. Each requirement breaks down into several hundred sub-requirements and testing procedures, but here we look only at the 12 primary requirements.
- Firewall protection - Install and maintain network security controls (firewalls or equivalent) that isolate the cardholder data environment from untrusted networks.
- No vendor-supplied defaults - Change default passwords and other default security settings on every system component before it goes into production, and apply hardening standards. (Password strength and rotation for user accounts fall under the identification and authentication requirement below.)
- Data protection - The data stored in the systems needs physical and virtual security measures.
- Data encryption - Data must be encrypted before transmitting over public networks.
- Anti-malware protection - Anti-malware software must be deployed, kept current, and actively running on all systems commonly affected by malware, particularly those that hold or process cardholder data.
- Secure systems and software - Keep systems and applications patched against known vulnerabilities, and follow secure development practices for software you build yourself.
- Data access restrictions - Access to cardholder data should be restricted and access should be given only on a need-to-know basis.
- Identification and authentication - Every user of a system component must have a unique ID and be authenticated before access is granted; multi-factor authentication is required for administrative and remote access to the cardholder data environment.
- Restricted physical access - Physical access to cardholder data should be duly restricted.
- Track and monitor access - Access to network resources, system components, and cardholder data must be tracked and monitored to create an audit trail.
- Testing - Security systems and processes must be tested regularly, including vulnerability scans at least quarterly and after significant changes, and penetration tests at least annually, with findings remediated.
- Maintain a clear security policy - There needs to be a clear security policy that addresses information security for all personnel involved.
6 steps to achieve PCI DSS compliance checklist
Here’s a 6-step checklist to help you achieve PCI DSS compliance.
Step 1 - Determine the PCI level applicable to you
There are 4 merchant levels, based on the number of card transactions processed per year. The thresholds are set by each card brand and differ slightly between them; the figures below are typical.
Level 1 - More than 6 million transactions per year, or any merchant a card brand designates as Level 1 (for example after a breach)
Level 2 - 1 million to 6 million transactions per year
Level 3 - 20,000 to 1 million e-commerce transactions per year
Level 4 - Fewer than 20,000 e-commerce transactions per year, or up to 1 million transactions per year across all channels
The first step is to count your organisation's annual transactions, per card brand, and compare the figures with the level definitions published by each card brand you accept. Your acquiring bank will confirm the level that applies to you, and that level decides how you validate compliance in the later steps.
Step 2 - Trace the flow of sensitive data through your network and systems
Work with the IT and engineering teams to map how cardholder data enters, moves through, and leaves your environment. Cover every system where the data is stored, processed, or transmitted: payment pages and terminals, application servers, databases, backups, log files, and the networks connecting them. Every component that touches cardholder data, or that can reach one that does, is in scope; network segmentation is the main way to shrink that scope, and the data-flow map is what proves the segmentation works.
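Data-flow interviews usually miss places where card numbers have leaked into logs, caches, or exports. A quick way to check is a PAN discovery pass over text artefacts. The following is an added example, not code from the 6clicks page: it pulls out 13 to 19 digit runs, validates them with the Luhn check digit, attributes a card brand from well-known prefix ranges, and reports only a masked form so the scan itself does not create another copy of cardholder data. The sample lines are constructed, and the PANs in them are the public test numbers, not real cards.

```python
"""PAN discovery over text artefacts (logs, dumps, config exports).

Added example for scoping the cardholder data environment; not part of
the original page. Sample input is constructed.
"""
import re
from typing import Iterable, Optional

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to further digits on either side. A PAN embedded inside a longer
# digit run (for example inside a 20-digit identifier) is deliberately not
# matched; tune the lookarounds if your data has that shape.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> Optional[str]:
    """Attribute a brand from the leading digits and length, or None."""
    n = len(pan)
    if pan[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if pan[:2] in ("34", "37") and n == 15:
        return "Amex"
    if n == 16 and (51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720):
        return "Mastercard"
    if n == 16 and (pan.startswith("6011") or pan.startswith("65")):
        return "Discover"
    return None


def mask(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(lines: Iterable[str]) -> list[dict]:
    """Return one finding per Luhn-valid candidate, never the full PAN."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in _CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(pan):
                continue   # order ids, timestamps and phone numbers drop out here
            findings.append({
                "line": line_no,
                "brand": card_brand(pan) or "unknown",
                "masked": mask(pan),
            })
    return findings


# Constructed sample: what a grep of an application log might turn up.
SAMPLE_LINES = [
    "2024-01-15 12:30:45 INFO order=1234567812345678 status=captured",
    "2024-01-15 12:30:46 DEBUG payment request: pan=4111 1111 1111 1111 exp=12/26",
    "2024-01-15 12:30:47 ERROR gateway timeout for card 378282246310005 (retry 3)",
    "2024-01-15 12:30:48 INFO customer_note: call me at 555-0100 ref 20240115123045",
    '2024-01-15 12:30:49 DEBUG cached response {"card": "5555-5555-5555-4444"}',
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LINES):
        print(f"line {f['line']}: {f['brand']} {f['masked']}")
```

Run it over exported logs or a database dump and every hit is a storage location that belongs on the data-flow map and, unless it is a tokenised or truncated value, a place that is storing cardholder data outside the intended path. The order id and timestamp on lines 1 and 4 are rejected by the Luhn check, which is what keeps the noise down on real data.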
Step 3 - Complete the Self Assessment Questionnaire (SAQ)
The SAQ is the self-validation tool for checking whether your organisation meets the 12 requirements. Each requirement is broken into specific questions, and there are several SAQ types (A, A-EP, B, B-IP, C, C-VT, P2PE, and D), chosen according to how you accept cards and how much of the cardholder data environment you operate yourself, not according to your merchant level; a merchant whose payment page is fully outsourced answers far fewer questions than one that stores card data. Note that Level 1 merchants do not self-assess: they need an annual on-site assessment by a Qualified Security Assessor (or a qualified Internal Security Assessor) that produces a Report on Compliance (ROC) instead of an SAQ.
Step 4 - Complete the Attestation of Compliance (AOC)
The Attestation of Compliance is the signed declaration that the assessment was completed and states its result. There is an AOC form matching each SAQ type, and a separate one for a ROC. While the SAQ (or ROC) records how you assessed each requirement, the signed AOC is the document you hand over as proof of the outcome.
Step 5 - Carry out a vulnerability scan
Your systems need to be scanned for vulnerabilities. External scans of all internet-facing addresses in scope must be performed by a PCI-approved scanning vendor (ASV) at least quarterly and produce a passing report; internal scans can be run with your own scanning tools. Your SAQ type tells you whether ASV scans are required for your environment (the fully outsourced SAQ A, for example, does not require them).
Step 6 - Submit all documents
Submit the SAQ or ROC, the signed AOC, and the ASV scan report to your acquiring bank, or to the card brands where they request them directly.
While the above checklist gets you to a validated state, remember that compliance is a continuous process. Vulnerability scans must be repeated at least quarterly and after any significant change to the environment, and failed scans must be remediated and rescanned. You also need to keep the data-flow map, segmentation, and the controls behind each requirement under ongoing review, since the annual validation only attests to a point in time.
6clicks for PCI DSS compliance
6clicks gets its name from the fact that the platform is extremely easy to use - as easy as 6 clicks. From documentation and questionnaires to assessments and reporting, every step in achieving and maintaining compliance is brought to a single platform at 6clicks. And with automation and integration with vulnerability scanning tools, your 6-step checklist for PCI DSS compliance is simplified with 6clicks.
Want to know how we do it? Get started with 6clicks and see for yourself.
Written by Heather Buker
Heather has been a technical SME in the cybersecurity field her entire career, from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specialises in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialisation in information assurance and cybersecurity.