PCI Requirements

A PCI Compliance Checklist

If your business accepts credit cards and other types of payments cards, you may have heard about something called PCI compliance. Payment card industry compliance (PCI compliance) is the meeting of guidelines developed by the PCI Security Standards Council, an open worldwide body formed to focus on payment card data protection during and following transactions. This article will explain the basics of getting started with becoming PCI compliant.

The PCI council builds and distributes payment standards while helping organizations learn how to meet them. It publishes resources, including self-assessment questionnaires, certification procedures, and training parameters.[i]

PCI-DSS

The founding members of the body are Visa Inc., MasterCard, Discover Financial Services, American Express, and JCB International. All these companies have integrated the PCI Data Security Standards (PCI-DSS) within their own security programs.

PCI-DSS compliance validation is managed by each different payment company (Visa, MasterCard, and the other founding members). Each of them also trusts the authority of Approved Scanning Vendors and Qualified Security Assessors that have met the expectations of the PCI council.

The security standards council is not involved with compliance enforcement. That role is carried out by the payment card firms or acquiring financial institutions.

PCI data security guidelines

Payment security is critical for any merchant, bank, or organization that handles cardholder information. The PCI-DSS requirements are designed to keep data safe and away from unauthorized parties. They establish how an entity can approach payment transactions from operational and technical perspectives. They also provide a structure with which manufacturers and developers can build security into their technology.[ii]

PIN Transaction Security

The PCI PIN Transaction Security (PCI PTS) guidelines are meant to protect devices that process or contain consumer PIN data and other transaction information. Companies that manufacture devices used in payments should meet this standard when they create, build, and ship their products.

Payment Application Data Security Standard

This rule, the Payment Application Data Security Standard (PA-DSS), applies to application developers or anyone else who creates programs involved in payment card information storage, processing, or transmission. This standard applies, for instance, to the sale, distribution, and licensure of transaction-related software.

Point-to-Point Encryption

This part of the standards is focused on validating tasks completed by vendors that provide point-to-point (P2P) encryption. When a P2P encryption product meets these compliance specifications, merchants can know that cybercriminals won’t be able to read any information they might intercept.

Simple step-by-step security framework

The PCI Data Security Standard, developed using the expertise of security personnel from entities across the planet, should not be oversimplified. Below, we will explore more thoroughly how to establish PCI compliance, but this checklist is a good start:

• Purchase and install point-of-sale (POS) PIN entry devices that are validated to have met the requirements of the PCI council.
• Only use transaction applications, at POS and online, that are validated.
• Stop storing payments details either digitally or as hard copies.
• Set up firewalls.
• Use passwords and encryption for your Wi-Fi router.
• Make sure all passwords are complex and that none are defaults.
• Scan PCs and PIN devices for malicious applications.
• Train your personnel on data standards.
• Align your organization with all PCI-DSS guidelines.

How to meet PCI compliance standards

If you want to protect your payment data, monitor to ensure that you are meeting all the PCI DSS controls. It’s key that your efforts at compliance are continual, rather than checking for it only once per year. An annual assessment that you meet the standards is insufficient: the controls in place at entities that previously completed assessments often don’t meet compliance at the time of a breach. Compliance is, instead, a year-round endeavor – as indicated by the three-step model created by the council.[iii]

Scoping

To put the PCI Data Security Standard into action at your organization, you must perform scoping. Scoping is a process through which you create an inventory of every element that is inside or linked to your transaction data system. It must take place once per year, in advance of your assessment.

For comprehensive scoping, organizations that want to achieve compliance should be aware of everywhere payment data exists, as well as how it is transmitted.

Assessing

Data security companies that are approved by the PCI council are called qualified security assessors.

An assessor completes the following tasks and expectations for validation of compliance:

• Confirms technical details provided by services or merchants
• Determines whether the entity is compliant based on their own understanding of the standards
• Offers expert advice and support
• Is physically present during the assessment as is necessary
• Meets the requirements of the assessment practices outlined by the PCI council
• Verifies the assessment’s scope
• Assesses compensating controls
• Creates compliance reports

Reporting

Reporting is an essential element of PCI compliance. It is the official manner through which a merchant or other organization notifies the payment card companies and acquiring banks of their efforts at compliance.

It may also be necessary to submit a quarterly report detailing the findings of a network scan. Payment card firms will sometimes want you to complete and submit other paperwork as well. Examples include the self-assessment questionnaire (when evaluating your own system) and report on compliance (when having a third party assess your system).

Self-assessment questionnaire

The self-assessment questionnaire (SAQ) is typically used by entities that do not need to send in a report on compliance. It is a robust method to validate your own security stance.

The SAQ is very straightforward, made up of a list of yes-or-no questions intended to evaluate compliance with each PCI DSS element. Whenever one of the parameters is not met, the entity may have to set a date for remediation and related tasks.

Various types of questionnaire exist for use by the full spectrum of entities that need to meet compliance.

You can easily find the self-assessment questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance. They are all detailed in the Self-Assessment Questionnaire PDF available through the PCI Council’s website.

[i] https://www.pcisecuritystandards.org/about_us/

[ii] https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

[iii] https://www.pcisecuritystandards.org/pci_security/how