All-in-one Risk Management Platform

The Complete Guide to PCI Compliance

PCI DDS, or Payment Card Industry Data Security Standards, is a set of standards that any merchant or organization who handles credit card information must have in place in order to ensure that this information is kept secure. Read more about PCI DSS, who it applies to, and what it requires of the organizations.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

The Complete Guide To PCI Compliance 

According to CPA Practise Advisor, worldwide digital payments are expected to hit $6.6 trillion in 2021, an all-time high for the industry.  

With so many people making payments digitally using cards and devices, it’s important to ensure that your businesses provide customers with a safe, secure, and digital way to pay. However, when handling digital payments and customer data, it’s essential to be compliant with PCI DDS regulations. 

PCI DDS or Payment Card Industry Data Security Standards is a term many people have heard of, but it's not an easy one to understand. It can be a complex topic and it can be difficult to know what the requirements are, and what your business needs to do to remain compliant. 

In this article, we’ll provide a clear description of DDS and give some actionable steps your business can take to get and remain compliant. 

Let’s start by learning exactly what PCI DDS is and what it means for businesses. 

What is PCI DSS? 

PCI DDS is a set of security standards created by the PCI Security Standards Council. The standards aim to reduce the threat of data breaches and digital fraud by making all businesses compliant when it comes to security. Any merchant or organization that handles credit card payment data is required to have protocols in place in order to securely store and protect it from cybersecurity threats.

PCI DDS was founded by the PCI SSC which was made up of major credit card companies like Visa, Mastercard, and American Express, as they realized that credit card companies and businesses in other verticals were all united by an interest to prevent cybersecurity threats and credit card fraud. Companies were keen to protect their consumer data, and credit card companies were also keen to limit liability for losses as a result of data breaches

By creating the PCI standards, they ensured that all companies were working towards the same goal, and keeping to the same security standards. The first version of PCI DDS was introduced in 2004 and the standards have been continually updated to keep up with current trends in the card payment industry. The most recent version of PCI DDS is 3.2.1 and centers around 12 core requirements. Here’s a list of the requirements:

  1. Build a secure network to protect cardholder data, which includes installing and maintaining firewall configurations.
  2. Use secure system passwords and parameters. Do not use vendor-supplied defaults. 
  3. Protect and secure stored cardholder data.
  4. Encrypt cardholder data transmission on open or public networks.
  5. Use and update anti-virus and malware software to protect all systems.
  6. Develop secure systems and applications for managing cardholder data.
  7. Use a need-to-know policy to restrict access to cardholder data.
  8. Require identity authentication to access system components.
  9. Create restriction processes for physical access to cardholder data.
  10. Track and monitor any access to cardholder data.
  11. Test security systems and processes regularly.
  12. Maintain a security policy that informs all personnel about security protocol.

Who Does PCI Apply To?

The answer to this one is simple - if your businesses processes, stores, or transmits card data, you MUST be PCI DDS compliant. Keep reading to learn more about the different compliance requirements and standards to find out how you can get compliant.

“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

PCI Compliance Requirements and Standards

In order to comply with PCI data security standards, there are three main tasks that are required. These are: 

  1. Ensuring that consumer data and card details and collected and transmitted securely
  2. Storing data securely based on the 12 security domains of the PCI standard. This includes methods like encryption and ongoing monitoring.
  3. Annually validating your security processes using an approved auditing method. 

Here are some steps you should take in order to get compliant.

1. Know Your Level

In order to ensure that businesses of every size are staying on top of their compliance responsibilities, the PCI DDS separates businesses into 4 levels. It’s important to know these levels in order to put the right security processes in place. The levels are determined mainly by the number of transactions a business handles. Here’s a breakdown of the 4 levels. 

     Level 1: Organizations that process 6 million+ transactions a year. If an organization processes less than this but has had a data breach, it will also be classified as      level 1. Similarly, credit card companies can classify merchants as level 1 based on their own discretion.

     Level 2: Organizations that process 1 million to 6 million transactions across all channels.

     Level 3: Organizations that process between 20,000 and 1 million e-commerce transactions each year.

     Level 4: Organizations that process less than 20,000 e-commerce transactions each year or any organization that processes up to 1 million regular transactions every      year.

2. Map Data Flows 

In order to stay on top of your card data management and ensure that it is being collected and stored correctly, it’s important to know exactly where it is coming from, and how it flows through your various systems. To do this, you’ll need to create a comprehensive map of your systems and applications so that you have a clear picture of how sensitive data is managed. To do this, you’ll need to work together with your IT and security teams (if you have one) or outsource these tasks to an expert as it can get quite complex. Here are the steps you’ll need to take to create a detailed map. 

     Step One - Identify customer-facing areas of your business

The first thing you’ll need to do is identify every customer-facing area of your business where a payment transaction can be completed. This includes physical stores, and e-commerce as well as payments taken by phone. 

     Step Two - Record how data is handled at each transaction point

Once you’ve created a list of each customer-facing transaction point, you should then detail how the data is handled at each point. Are the payments taken via a POS system? Which digital payment terminal do you use for eCommerce transactions? Does your staff record data manually that is transmitted verbally over the phone. Having an accurate record of these details will make it easier to identify security weak spots in your workflows, and it will help you to identify breaches more easily if they happen. 

     Step Three - Record which systems your data passes through and where it is stored

For consumers, making a card payment is as simple as inputting their card details and hitting pay, or even tapping their card on a POS terminal. However, behind the scenes, lots of different systems and applications work together to ensure their payments are processed properly.

To remain PCI DDS compliant, you should keep a record of every network, system, and data center that data passes through, and details of cloud-based systems where data is stored. This will mean that you can secure every single step in the payment process to prevent cybersecurity breaches.

3. Check Security Flows

After you’ve completed your data flow map, you can then start working with your security teams to put rigid protocols in place to keep your customer data safe. You can then use the 12 security requirements of PCI DDS to guide you to create a compliant security system. The good news is that many of the principles of PCI DDS will help you to get compliant with other data protection standards including HIPAA and GDPR.

4. Monitor Compliance 

Once you’ve completed the steps above, you should have a solid system in place to stay PCI DSS compliant. However, your responsibilities don’t end there. It’s important to treat PCI DSS compliance as an ongoing task, and you should always be monitoring your dataflows and making sure that they are still working for your business.

As your data touchpoints change, and your business grows, you’ll find that you need to make changes to your security flows, and it’s important to put a plan in place to stay up-to-date with every department within your businesses that deals with customer’s data and card payments. 

To stay on top of your compliance monitoring, there are a series of auditing tasks that you can complete. We’ll talk about these in more detail in the next section.

Be Prepared for Audits

There are 4 different ways that you can prove you are PCI compliant and you may be audited using any one of these methods. Here are the details of each PCI audit process:

QSA

QSA stands for Qualified Security Assessor. QSA’s are certified PCI auditors and complete annual audits on organizations. During these audits, you’ll have to provide all proof of your ongoing compliance processes.

ISA

ISA stands for Internal Security Assessor. This person works within an organization and holds a PCI certification in order to continuously audit the organization to ensure ongoing compliance. They must be certified to complete PCI self-assessments.

ROC 

ROC stands for Report on Compliance. This refers to a form issued by the PCI regulation body that must be completed. ROC audits are only an option for level 1 organizations. 

SAQ

SAQ stands for Self-Assessment Questionnaire. These questionnaires are mandatory for all businesses that fall under PCI regulation. They help companies audit themselves and determine how they are doing when it comes to PCI compliance. What questionnaire a business is required to complete will be determined by how they process transactions.

How to Become PCI Compliant 

Using the steps above, any business can become PCI compliant, and stay PCI compliant with ongoing PCI maintenance.

Accountable is the founder of The Trust Platform, a platform that helps companies of all sizes integrate compliance, privacy, and trust into every part of their organizations. The platform provides tools and resources to help support our customers and help their businesses to become compliant and remain compliant as they grow. Want to learn more? Check out Accountable today.

Like what you see?  Learn more below

PCI DDS, or Payment Card Industry Data Security Standards, is a set of standards that any merchant or organization who handles credit card information must have in place in order to ensure that this information is kept secure. Read more about PCI DSS, who it applies to, and what it requires of the organizations.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
CCPA vs CPRA vs GDPR
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
HIPAA vs. GLBA
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
GDPR vs. HIPAA
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)