The Payment Card Industry Data Security Standard (PCI DSS) is an industry-mandated set of requirements created by major credit card brands in order to protect customer cardholder data.
Data breaches can damage a company’s reputation. PCI compliance ensures that you're taking the strongest precautions to protect your customers' vital payment data and to protect your business from a breach.
Use our handy checklist to help you navigate the road to PCI DSS compliance.
Vanta makes it easy to prove your PCI DSS compliance.
While not a legal requirement, PCI compliance is considered a necessity for anyone who processes, stores, or transmits payment information.
Large enterprise companies will often require PCI compliance before considering a vendor RFP or signing a contract.
A merchant directly accepts customer payments for goods and services.
A service provider may not directly accept payments, but comes into contact with payment data.
Merchants are classified as Levels 1 through 4.
Level 1 Merchants process more than 6 million transactions annually.
Level 2-4 Merchants process transactions below this threshold.
Service providers are classified in two levels.
Level 1 service providers process over 300,000 transactions per year.
Level 2 service providers process fewer than 300,000 transactions per year.
Level 1 Merchants and Level 1 Service Providers must take on the PCI assessment cost of an onsite audit performed by an external Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to deliver a Report on Compliance (ROC).
Level 2, 3, or 4 Merchants and Level 2 Service Providers complete a Self-Assessment Questionnaire (SAQ) via a qualified internal resource or team, purchase a vulnerability scan, and sign an Attestation of Compliance (AOC) form.
There are two types of costs you could incur: costs to implement the PCI DSS standards, and costs to certify or document your compliance.
Costs vary from one business to another based on the size of your organization, the size of your network, your organization’s current security readiness, the number of transactions you process annually, and other factors.
Level 1 Merchants and Level 1 Service Providers must pay for an onsite audit.
Level 2, 3, or 4 Merchants and Level 2 Service Providers will have minimal costs.
Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors.