In an age where it seems user data is constantly compromised, protecting customer information has never been more critical. Because of this need for better data protection methods, security compliance standards were created to help strengthen and standardize security. One such standard is the Payment Card Industry Data Security Standard (PCI DSS).
Created in 2004 by Visa, MasterCard, Discover, and American Express, PCI DSS compliance measures outline best practices for protecting user data during credit and debit card payment transactions. Any business that makes or receives payment transactions, regardless of the number, type, or frequency of transactions, must comply with PCI DSS, though the type and number of transactions your business makes determine the level and type of compliance you must meet to be considered PCI DSS compliant.
So with so much information (and misinformation) available, how do you know if you’re truly compliant? Do you need to hire a PCI-certified company? And what does this process look like? As an expert in this field, Sentek Cyber has you covered with the ultimate checklist for PCI DSS compliance. Follow the guidelines below to find out how to become — and remain — compliant.
Understand Your Compliance Level by Credit Card Brand
According to the Payment Card Industry Security Standards Council (PCI SSC), PCI DSS compliance is enforced by the individual credit card brands (e.g., Visa, Mastercard, and others). These brands have their own specific merchant compliance guidelines, broken down into levels based on the number of transactions you have processed over the previous twelve-month period.
For example, Visa compliance levels are broken down into the following four merchant levels:
- Merchant Level 1: merchants that process over 6 million transactions per year.
- Merchant Level 2: merchants that process 1 to 6 million transactions per year.
- Merchant Level 3: merchants that process 20,000 to 1 million e-commerce transactions per year.
- Merchant Level 4: merchants that process fewer than 20,000 e-commerce transactions per year.
Keep in mind that each brand has its own compliance levels, and knowing your compliance level per brand will help you seek out the right compliance requirements for your business. For instance, American Express doesn’t have a compliance Merchant Level 4.
Complete the Right Self-Assessment Questionnaire
Your next step toward becoming PCI DSS compliant is to complete a self-assessment questionnaire (SAQ) guidebook to determine the steps for compliance. There are actually 9 SAQ versions, and each corresponds to different validation types. Your validation type is determined by the payment system you use, in addition to how much customer payment info you store.
View the chart of SAQ validation types to get a better understanding of what SAQs you may be responsible for. Upon selecting the guidebook that corresponds to your validation type, complete the questionnaire to identify areas where you need to address compliance issues for your business.
Pass a Vulnerability Scan Test
After identifying and addressing any outstanding compliance issues, schedule a vulnerability scan test with a PCI SSC Approved Scanning Vendor (ASV). These companies aid with compliance requirements by using vulnerability scans to detect weaknesses in your infrastructure.
ASVs are pre-approved by the PCI Council and will conduct a scan test to make sure that your network is free of vulnerabilities that could put your customers’ payment information at risk.
Remember that not everyone is required to conduct a scanning test for PCI DSS compliance. This step only applies to the following SAQ validation categories:
- SAQ A-EP
- SAQ B-IP
- SAQ C
- SAQ D-Merchant
- SAQ D-Service Provider
It’s recommended that you conduct your first couple of scans well ahead of your due date in case your ASV finds vulnerabilities. This way, you can address the issues and schedule a new scan to meet compliance in time.
Submit Your Formal Attestation of Compliance
Regardless of your validation category, you must complete a formal attestation of compliance (AOC). This document details that you took the time to ensure compliance appropriate for your corresponding validation level.
Once this form is submitted, a qualified security assessor will review your forms and business to confirm everything meets compliance standards.
Submit Your Paperwork
Upon compliance confirmation, you’ll need to file your paperwork with your credit card brand vendors. Paperwork typically includes your SAQ, AOC, and ASV scan results (if requested). It’s possible that different vendors may require additional compliance checks, so speak with representatives at each vendor to ensure you’re filing everything they require for compliance.
Remaining PCI DSS Compliant
PCI DSS compliance isn’t a one-time deal. Businesses are required to conduct ongoing tests and reviews to remain compliant with their credit card vendors. In fact, if an initial vulnerability scan check was required of your business, you need to have one performed quarterly.
In the end, PCI DSS compliance helps everyone better protect customer data. Ensuring and maintaining compliance is worth the time and effort, both for your customers and your business’s reputation.
Sentek Cyber is a trusted firm with a wealth of experience spanning multiple industries. We are proud to specialize in PCI DSS Compliance and would love to find out more about your company and your specific needs. Contact us today to start a conversation.