PCI Compliance Checklist: Understanding Requirements and Levels

There's no denying that this approach to payment boosts convenience, but there's a darker side: it can leave cardholder data susceptible to hackers, identity thieves, and other cybercriminals. To combat these dangers, a vital system of security measures was implemented to safeguard sensitive data for consumers using online payment methods. These were also designed to protect the businesses that accept these payments and even the credit card companies processing the transactions.

These compliance measures are crucial, but they can also be difficult to understand and comply with. To help, we've compiled a thorough guide and PCI compliance checklist. Keep reading to learn how you can keep customers — and your own business — safe as you maintain full compliance.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standardized guidelines followed by credit card companies in order to ensure that each transaction is safe and secure. Over the last two decades, the major credit card brands have teamed up to regularly update these standards, allowing businesses that accept these cards to operate safely.

The need for this standardized approach is clear: the modern cardholder data environment is a prime target for hackers attempting to use data breaches to access control of stored cardholder data — so it’s crucial that the information security solutions that keep cybercriminals at bay are adopted by all.

In order to keep the transmission of cardholder data secure, a basic framework of security controls was implemented, with the intention that each of the major credit card companies would follow these guidelines. Standardizing the network security for each company ensures that businesses that accept multiple card brands would be safe from harm, as well as the consumers who use those cards.

Strict PCI DSS compliance requirements include far-reaching solutions, such as malware prevention, vulnerability scans and even restricting access to the physical locations in which sensitive data is stored. PCI DSS standards have evolved over time, forcing businesses to keep pace with upgraded standards and new technological solutions.

Who needs compliance and why?

Every business that participates in eCommerce has a role to play in abiding by PCI DSS requirements. The six major payment card companies below can be expected to follow the same compliance checklist as the small businesses and major corporations that accept their cards:

• American Express

• Discover Financial Services

• JCB International

• MasterCard

• Visa Inc.

• UnionPay

If you handle credit card information in any capacity, PCI DSS compliance is absolutely essential. It should come as no surprise, then, that PCI DSS compliance is important for the vast majority of modern businesses. Robust network security and credit card data protection are critical to maintaining consumer trust, both in your business and in the digital economy as a whole.

Consequences of non-compliance

There are several drawbacks to being non-compliant and failing to maintain the appropriate PCI DSS requirements. Not only can negligence lead to fines of between $5,000 and $10,000 per month (depending on the scope of the non-compliance), but service providers such as banks and payment processors can choose not to do business with non-compliant businesses until all PCI compliance requirements are fulfilled.

While each of the major credit card companies adheres to a basic standard, some slight differences in compliance requirements exist. Visa may not have the same exact customer data security requirements as Mastercard or American Express, but these major service providers still follow the same payment card industry data security guidelines.

eCommerce requirements and levels

Businesses that accept credit card payments must adhere to the security requirements set forth by the PCI Security Standards Council. Every business falls into a specific level, depending on the number of credit card transactions they process per year. To illustrate this, here is how Visa defines these levels:

Level 1

At the most stringent level, this involves a business that accepts more than six million transactions per year — or any merchant that Visa feels should meet the most strict adherence requirements (regardless of transaction amounts).

Level 2

This level includes merchants that process between one and six million transactions per year.

Level 3

Businesses that process 20,000 to one million credit card transactions per year fall under this level.

Level 4

Every business that processes fewer than 20,000 yearly transactions receives a level 4 designation. This is typically limited to small businesses.

PCI DSS compliance checklist

At first glance, PCI DSS seems complex. Take a closer look, however, and you may notice that you are already fulfilling many of the requirements as you address general cybersecurity concerns. Still, it's important to take a close look at these standards to ensure that you are fully compliant. Follow these steps to ensure PCI DSS compliance and protect your customers:

1. Install and maintain a firewall to protect cardholder data

No modern security strategy is complete without at least a basic firewall. Proper configuration is critical, which includes limiting traffic to and from the payment system, enabling Network Address Translation to protect internal IP addresses, and installing regular security patches and software updates.

2. Do not use vendor-supplied default security settings

Hackers and other cybercriminals take the path of least resistance when attempting to gain unauthorized access to customer data. Often, the easiest method is to simply use the default passwords issued by the vendor operating the payment processing. This can be easily remedied by doing away with all default usernames and passwords — and modifying the default security settings at the vendor level.

3. Protect the cardholder’s stored sensitive data

Data breaches obviously impact the financial security and trust of targeted consumers, but that's not where the damage ends. They can also impact associated financial or business institutions long-term. As such, protecting primary account numbers and other sensitive data is crucial.

There are several ways to accomplish this. Options highlighted by the PCI Security Standards Council include using encryption for stored data, only storing said data if it’s absolutely necessary, and confirming that any third parties who process customer cards are complying as well.

The technical guidelines for protecting customer data disclose what information is allowed to be stored. The Primary Account Number (PAN) —as well as the cardholder name, service code, and expiration date — can be stored on a local server. Sensitive authentication data (such as PIN numbers, card validation codes, and any data from the card's magnetic stripe or chip) should never be stored.

4. Encrypt cardholder data transmission

Strong encryption ensures that customer data is safe and secure, even as it is transferred away from the company in question. Prevent hackers from accessing information off public networks by implementing encryption protocols that filter out weaker security standards such as WEP. Cardholder data should never be distributed via email, on-site messaging clients, or other forms of communication that cybercriminals can easily monitor.

5. Protect against malware attacks

One of the first lines of defense against a malware attack, antivirus software must be updated on a regular basis to ward off malicious threats. Do not allow users to disable or change these settings. They should be deployed on servers, personal computers, and any devices that are a common target for malware.

6. Develop and maintain secure systems and applications

Functioning as a checklist within a checklist, this risk assessment involves scrutinizing your current security setup for any vulnerabilities — and repairing them before they cause harm. Establish a stringent process that will identify the most harmful risks first, before addressing them in a timely manner.

Penetration testing is a valuable method for finding weak points that could be addressed. As mentioned previously, security patches should be installed as soon as possible to limit exposure to threats.

7. Restrict access to cardholder data

There’s no reason to expose customer data to people who don’t need to access it. This is where a distinct version of the rule of least privilege comes into play: the fewer eyes on a particular set of data, the better. An access control system will prevent unauthorized access and safeguard sensitive data.

8. Assign unique user IDs

Create a unique ID for each person with access to data. This makes it easier to determine who has access, and for what reason. Combine this with multi-factor authentication for first-party users with access to data. This strategy should also apply to third-party vendors or anyone else attempting to access data remotely.

9. Restrict physical access to cardholder data

Lost in the fast-paced and evolving world of information security is the notion that data is physically stored on servers and devices that exist in real-world locations. Protect these servers by limiting access via standard building security methods. If possible, start with onsite security personnel, who can limit access to only those with key cards or security tokens. Other essentials include keeping backup servers in secure locations and destroying any data or media that is no longer in use.

Be mindful of an emerging threat, in which hackers install skimmers and other data-stealing devices over point-of-sale solutions. Check all devices that come into physical contact with payment cards on a regular basis.

10. Track and monitor public network access

Implement an audit trail that will log the activity of everyone accessing your network. This will help you monitor specific activities such as new account creation, password change requests, individual customer log-ins, and more. Armed with this data, you’ll quickly notice suspicious activity and react to it in a timely manner.

11. Regularly test networks and secure systems

The best defense is useless if it’s never tested for weaknesses. Regular penetration testing and vulnerability scans will give you a solid idea as to what areas can be improved upon. A regular audit of these testing practices will also ensure that they are completed on a regular basis. A brand new battery of tests should be implemented whenever there is a major change to the network.

12. Have an information security policy

Every employee should be well aware of security policies. At a minimum, schedule an annual review, centered around important reminders and new developments. This category also encompasses incident management and even employee background checks. Strict policies that mandate how technologies for transmitting or storing sensitive data will be utilized are essential. This should touch on the appropriate use of computer hardware, web browsing, messaging, and email.

Get PCI compliant with SiteLock

As you move forward with your personal PCI compliance checklist, you may notice that several of the most important measures involve security solutions that should be implemented regardless of compliance concerns. From firewalls and encryption to malware protection, many of these essentials can be implemented without causing extra stress on your end. Look to SiteLock for guidance and oversight every step of the way.

Our security plans will help you achieve and maintain PCI compliance, no matter your website platform. We offer all the essentials: scanning, vulnerability patching, web application firewalls, and more. Take a look at our packages to determine which best fits your unique needs — or get in touch today to learn more.