A Beginner's Guide to PCI Compliance

If your business takes payment by credit or debit cards, you're responsible for protecting your customers' sensitive information.

Updated April 20, 2020

Roughly 36% of all data breaches involve payment cards, according to Trustwave's 2019 Global Security Report. The retail industry, and e-commerce in particular, is a prime target for data thieves.

By meeting payment card industry (PCI) compliance rules, you're not just abiding by the law; you're providing vital protection to your most valuable asset: your customers.

Overview: What is PCI compliance?

PCI compliance requires businesses that process, store, or transmit cardholder data to protect that data by meeting the PCI Data Security Standard (DSS). The standard is maintained by the PCI Security Standards Council, a consortium founded by American Express, Discover, JCB International, MasterCard, and Visa.

The Council sets standards for all entities that store, process, or transmit cardholder data, including merchants, banks, payment processors, and hardware and software developers.

The standards apply to debit, credit, and prepaid cards. They don't apply to automated clearing house (ACH) payments drawn directly from bank accounts.

While the requirements are generally uniform, each credit card company articulates its own rules, so you might find subtle differences as you navigate PCI compliance standards.

The PCI Council divides merchants into four risk levels based on the number of payment card transactions they process, whether the transactions are in-person or e-commerce, and whether the business has suffered a breach. The vast majority of small businesses that process payment cards are Level 4.

The levels break down as follows:

  • Merchant Level 1: More than 6 million payment card transactions per year or the subject of a data breach
  • Merchant Level 2: 1 million to 6 million payment card transactions per year
  • Merchant Level 3: 20,000 to 1 million e-commerce transactions per year
  • Merchant Level 4: Up to 1 million payment card transactions or 20,000 e-commerce transactions per year

As you can see, experiencing a data breach will generally bump you directly to Level 1 status, which carries more stringent requirements.

How to become PCI compliant

Meeting PCI compliance requirements can be a challenge, but the security habits they enforce are valuable best practices for any business. Merchant banks and third-party applications handle many aspects of PCI security, so you may find that much of the legwork has been done for you.

It is your responsibility, however, to confirm that third-party systems and applications used in your business are PCI compliant.

In addition to creating a secure environment, your business must assess and report on these efforts. Level 4 businesses generally must conduct quarterly network vulnerability scans, complete an annual PCI DSS self-assessment questionnaire (SAQ), and submit an attestation of compliance (AOC).

Banks, the PCI Council, and other authorities may require an AOC to confirm your company's PCI security. All of these activities are designed to ensure adherence to the PCI DSS requirements summarized below.

To meet the scanning requirements, you may contract with an approved scanning vendor (ASV). You may also consult a qualified security assessor (QSA) for assistance with the assessment requirements. These companies are certified by the PCI Council to assess and validate compliance.

The first step in any DSS assessment is to define the scope of the cardholder data environment from customer acquisition through the sales process. This requires identifying the locations and flow of all cardholder data and the people, processes, and technologies that interact with it. This reaches far beyond IT to sales and fulfillment functions in your company.

Step 1: Maintain a secure network

A whopping 57% of data compromises occur on a business's corporate or internal network, according to Trustwave.

Network security must prevent unauthorized access to systems from all internal and external sources, including e-commerce, employee internet use, email, dedicated connections with other businesses, and wireless networks.

Tips for maintaining a secure network

  • Maintain firewalls: Firewalls are your first line of defense against intruders. Ensure that network devices, servers, computers, and applications are protected by firewalls.
  • Test network connections: Implement a formal process for testing and approving all network connections as well as changes to your firewall and router configurations.
  • Isolate systems: While not required, separating the cardholder data environment from the rest of your network is highly recommended. Restrict cardholder data to as few locations as possible.
  • Create secure passwords: Always replace preexisting passwords on hardware or software with strong ones. According to Nord.com, the most common password is 12345, followed by ... you guessed it ... 123456. You can do better.
  • Safeguard your router: Make sure your wireless technology is password-protected and uses encryption.

The PCI Council provides many resources to explain credit card compliance regulations.

Step 2: Protect cardholder data

You've already assessed the scope of cardholder data your business handles and where it lives. Now you need to implement data retention and disposal policies to protect it.

Per PCI regulations, the primary account number, cardholder name, service code, and expiration date may be stored only on secure networks and applications as required to complete transactions.

Sensitive authentication data including full track data (data from the card's magnetic stripe or chip), card verification codes, and PINs may not be stored at all after authorization, even if encrypted.

Tips for protecting cardholder data:

  • Store data appropriately: Do not store any cardholder data in computers or on paper. Protect any permissible data stored in a cloud environment or application with appropriate security. Create protocols to delete data promptly when it is no longer needed.
  • Encrypt transmission: Use strong cryptography and security protocols to protect data during transmission across open networks.
  • Secure points of sale (POS): Use only approved PIN entry devices at POS. Check POS hardware and systems regularly for malware or skimming devices.
  • Use valid software: Use only validated payment software in your POS system or shopping cart.
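The storage rules above (PAN, name, service code, and expiry may be kept where needed; track data, card verification codes, and PINs never after authorization) can be enforced as a gate in front of whatever writes transaction records. The following is an added example and not code from the article or the PCI Council; the field names, the track-data patterns (based on the ISO 7813 "%B...^...^" and ";...=..." layouts), and the sample records are assumptions constructed for illustration.

```python
import re
from typing import Any

# Cardholder data the article says may be stored, but only on secure systems
# and only as required to complete transactions.
PERMITTED_FIELDS = {"pan", "cardholder_name", "service_code", "expiry"}
# Sensitive authentication data (SAD): never stored after authorization,
# even encrypted. Field names are an assumption for this example.
SAD_FIELDS = {"track1", "track2", "cvv", "pin", "pin_block"}
# Constructed heuristics (assumption): magnetic-stripe track data pasted into a
# free-text field. Track 1 starts with "%B" and uses "^" separators; Track 2
# starts with ";" and separates the PAN from the expiry with "=".
TRACK_PATTERNS = (
    re.compile(r"%B\d{12,19}\^[^^]{1,26}\^"),
    re.compile(r";\d{12,19}=\d{4}"),
)


class StorageViolation(ValueError):
    """Raised when a record must not be written to persistent storage."""


def find_violations(record: dict[str, Any], authorized: bool) -> list[str]:
    """Return every reason the record fails the PCI storage rules."""
    problems = []
    if authorized:
        # SAD may exist only while the authorization is in flight.
        for field in sorted(SAD_FIELDS.intersection(record)):
            problems.append(f"SAD field '{field}' present after authorization")
    # Track data hiding in a non-SAD field (e.g. a support note) is always a
    # violation, because it cannot be scrubbed with field-level rules.
    for field, value in sorted(record.items()):
        if field in SAD_FIELDS or not isinstance(value, str):
            continue
        if any(p.search(value) for p in TRACK_PATTERNS):
            problems.append(f"track data found in field '{field}'")
    return problems


def prepare_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Drop SAD fields from an authorized transaction; refuse anything that
    still carries track data, so it is never persisted by accident."""
    leaks = [p for p in find_violations(record, authorized=True)
             if p.startswith("track data")]
    if leaks:
        raise StorageViolation("; ".join(leaks))
    return {k: v for k, v in record.items() if k not in SAD_FIELDS}
```

Run `find_violations(record, authorized=False)` on the pre-authorization copy and `prepare_for_storage` on the post-authorization copy; the second call is the only path that should ever reach your database or log writer.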

Step 3: Manage vulnerabilities

Now that you have a secure system and data protection measures in place, you can turn your focus to potential vulnerabilities in your defenses. Hackers and phishers never rest, and your security efforts need to be just as active to deter them.

Tips for managing vulnerabilities:

  • Use virus protection: Equip all hardware and software susceptible to malware with virus protection and keep them up to date. Install security patches promptly.
  • Maintain secure systems and applications: Complete periodic security audits and vulnerability scans to detect malware intrusions. Document your reviews, any vulnerabilities you detect, and resulting remediation plans for your records.

Step 4: Implement access controls

People are part of the cardholder data environment. Every employee with access to cardholder data is a potential vulnerability. To protect sensitive data, allocate access strictly on a need-to-know basis.

Tips for implementing access controls:

  • Restrict access: Define access needs and privileges for every position in your business. A sales manager, for example, might have access to highly strategic data for pricing and sales forecasting without having access to cardholder data. A front-line customer service representative, on the other hand, might have access to sensitive data that the sales manager doesn't — and shouldn't. Assign user credentials to provide the fewest privileges necessary to do the job.
  • Identify and authenticate assets: Assign a unique user identification (ID) to every employee with computer access so that actions can be traced to their source. Use strong passwords or other authentication credentials and protect credentials with encryption.
  • Restrict physical access: Lock up computers, laptops, and media when not in use. Use facility entry controls to limit access to systems handling sensitive data. Consider video surveillance for further protection.
  • Guard the exits: Immediately revoke access for any terminated users. Remove or disable inactive accounts after 90 days.

Step 5: Monitor and test networks

Security is never a set-it-and-forget-it affair. It's important to schedule regular testing to ensure that your security measures are working and no breaches have occurred.

Tips for monitoring and testing networks:

  • Track and monitor access: Create audit trails to track data access back to individual users. Keep a log of all changes to user credentials and privileges.
  • Test security systems and processes: Conduct quarterly testing for the presence of wireless access points through methods such as wireless network scans, physical inspections, or network access control. Respond to any instances of unauthorized access and maintain a log of your activities.
  • Perform periodic checks: Perform internal and external network vulnerability scans and penetration testing quarterly and following any significant change in the network.
The PCI Council provides an online tool, the Data Security Essentials Evaluation Tool, to help small merchants run a quick data security check-up.

Step 6: Maintain an information security policy

Everyone in your business should understand the importance of protecting data and the policies and procedures you have in place to do so. It may feel like a lot of work, but it's important to document every security protocol and track your activities to create a reliable security environment for your company.

Tips for maintaining an information security policy

  • Put it in writing: Create a written PCI security policy and share it with every employee.
  • Follow up with training: Provide data security training to all employees during onboarding. Follow up with periodic refreshers, especially for employees in areas such as customer service who handle sensitive data, so that you instill a culture of information security.
  • Track compliance: Don't relegate your policy to a file drawer. Review your policy as part of a formal risk assessment process every year. Conduct additional assessments following changes affecting security.
  • Choose a PCI point person: Having a designated PCI point person and a monthly PCI compliance checklist is a good way to ensure that compliance doesn't fall through the cracks.

Safe data, sound business

Consumers are highly protective of their data, with good reason. Norton reports that some 4.1 billion records were exposed in the first half of 2019 alone, and every data theft represents needless anxiety and expense.

Being PCI compliant is an important trust factor that can help you build customer confidence, close more sales, and keep that most valuable of company assets — the customers you have — coming back for more.