PCI compliance guide for businesses

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed by the Payment Card Industry Security Standard Council. Its purpose is to enhance existing security measures and ensure the protection of cardholder data.

PCI DSS compliance applies to any organisation that handles credit card data from major issuers like Visa, Mastercard, Discover, American Express, and JCB, whether they store, process, or transmit such data.

PCI compliance is crucial for small businesses that handle credit card information because it helps protect the sensitive information of their customers. Failure to comply with PCI DSS standards can result in serious consequences, such as costly fines, legal action, loss of reputation, and a decline in customer trust.

Small businesses are particularly vulnerable to cyberattacks and data breaches because they may have limited resources and IT infrastructure. Therefore, implementing strong security measures to protect against such threats is essential. Compliance with PCI DSS standards provides a framework for businesses to establish and maintain security policies and procedures that can safeguard sensitive information.

In addition to protecting customers' data, PCI compliance can also benefit small businesses by increasing customer trust and confidence in their services.

In this guide we’ve created a checklist to help you ensure you are fully compliant with PCI standards, covering:

• PCI compliance checklist
• PCI compliance requirements

Here is everything you need to know about the PCI standard and what you need to do.

PCI Compliance Checklist

Organisations must meet 12 requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) to achieve compliance. Here is a PCI DSS compliance checklist to help you understand what you need to do to comply:

• Firewall configuration must be installed and maintained to protect cardholder data. Firewalls are essential for controlling network traffic and should deny public access and untrusted traffic, except for necessary protocols. Firewall configuration must be reviewed at least every six months.
• Avoid using default passwords in payment card infrastructure. Password management is a top security priority, and organisations must ensure that they do not use default passwords that follow a predictable pattern.
• Protect cardholder data, which includes protection of data elements in storage, transit, processing, or physical form.
• Different defences must be adopted based on where the sensitive information is and who handles it. The Standard requires limiting data storage and retention time and not storing sensitive authentication data after authorisation.
• Encryption must be used to transmit cardholder data. Encryption makes transmitted data unreadable to unauthorised persons, and it should be considered whenever there is a risk of data falling into the wrong hands.
• Protect against malware by detecting malicious software promptly with anti-malware and antivirus software. Malware comes in many forms, but cybercriminals typically plant it in emails or exploit known vulnerabilities.
• Secure systems and applications by promptly patching vulnerabilities, adopting secure coding practices, and following change control procedures and other secure software development practices.
• For credit card PCI compliance, the checklist requires you to restrict access to cardholder data by implementing systems and processes that limit access based on a need-to-know basis.
• Determine what information is relevant to each job role and give employees access to only that data.
• Assign a unique ID to each employee with computer access to monitor who logs in and what they access. This can be useful in finding the source of a compromised account.
• Restrict physical access to cardholder data with key cards, locked filing cabinets, and visitor logs to maintain a physical audit trail of who enters and exits restricted parts of the building.
• The PCI credit card compliance checklist requires you to monitor access to network resources and cardholder data with logging mechanisms to track and analyse any anomalies on the system.
• Regularly test security systems and processes to ensure they work as intended and update and patch applications to keep up with threat management for malware and viruses.
• The final part of the PCI compliance UK checklist is to create and maintain an information security policy that reflects your commitment to PCI DSS compliance, including plans to implement technological defences and provide training programmes to staff.

PCI compliance requirements

Compliance levels for PCI regulations can vary based on whether a business is a merchant or a service provider. E-commerce merchants are subject to four different compliance levels, each with slight variations depending on the credit card scheme. To determine their compliance level, businesses must evaluate the number of transactions they process annually through their respective credit card provider.

Visa, Discover, and Mastercard have their own compliance levels, and the PCI compliance requirements for each level are as follows:

PCI Compliance Level 1

This is the highest level and applies to merchants who process more than six million transactions annually or payment facilitators that process over 300,000 transactions per year. Level 1 requires a yearly self-assessment using the PCI SSC SAQ, quarterly network vulnerability scans by an approved scanning vendor or vulnerability management program, attestation of compliance form and submitted documentation, and completion of an Annual Report on Compliance (ROC) and quarterly network scan and attestation of compliance by a Qualified Security Assessor (QSA).

PCI Compliance Level 2

This applies to merchants who process between one million and six million transactions annually, and payment facilitators that process fewer than 300,000 transactions each year. Level 2 requires a yearly self-assessment using the PCI SSC SAQ, quarterly network scans by an approved scanning vendor, and attestation of compliance form and submitted documentation.

PCI Compliance Level 3

This level applies to smaller e-commerce merchants who process between 20,000 and one million transactions annually. Level 3 requires a yearly self-assessment using the PCI SSC SAQ, quarterly network scans by an approved scanning vendor, and attestation of compliance form and submitted documentation.

PCI Compliance Level 4

And finally, this level applies to companies that process smaller amounts of transactions annually. Merchants who process fewer than 20,000 transactions per year fall under this level. Level 4 requires a yearly self-assessment using the PCI SSC SAQ, quarterly network scans by an approved scanning vendor, and attestation of compliance form and submitted documentation.

You can find out more about why PCI compliance is essential in Dojo’s guide here.