The Payment Card Industry Data Security Standard (PCI DSS) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data.
Data breaches can damage a company’s reputation. PCI compliance ensures that you're taking the strongest precautions to protect your customers' vital payment data and that you're protecting your business from a breach. Use our handy checklist to help you navigate the road to PCI DSS compliance.
Vanta makes it easy to prove your PCI DSS compliance. To help clarify your path towards compliance, we created this PCI DSS checklist. If you’d like to avoid this long and tedious process, our PCI DSS compliance solution can help.
While not a legal requirement, PCI compliance is considered a necessity for anyone who processes, stores, or transmits payment information.
Large enterprise companies will often require PCI compliance before considering a vendor RFP or signing a contract.
A merchant directly accepts customer payments for goods and services.
A service provider may not directly accept payments, but comes into contact with payment data.
Merchants are classified as Levels 1 through 4.
Service providers are classified in two levels.
Level 1 Merchants and Level 1 Service Providers must take on the PCI assessment cost of an onsite audit performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to deliver a Report on Compliance (ROC).
Level 2, 3, or 4 Merchants and Level 2 Service Providers complete a Self-Assessment Questionnaire (SAQ) via a qualified internal resource or team, purchase a vulnerability scan, and sign an Attestation of Compliance (AOC) form.
Two types of costs you could incur include costs to implement the PCI DSS standards, and costs to certify or document your compliance.
Costs vary from one business to another based on the size of your organization, the size of your network, your organization’s current security readiness, the number of transactions you process annually, and other factors.
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access control measures
Regularly monitor and test networks
Maintain an Information Security Policy
Transform manual data collection and observation processes into automated and continuous system monitoring.