If your business accepts credit card payments, you need PCI DSS compliance. Here’s all you need to know about complying with the Payment Card Industry Data Security Standard.
The Payment Card Industry Data Security Standard is a framework that sets out how to protect cardholders' credit card information against fraud and security breaches. It is backed by banks, credit card companies, merchants, and any organisation that accepts credit card payments. Read more in our blog: All About PCI Compliance & Reporting.
PCI DSS compliance is mandatory for any organisation that stores, processes, or transmits cardholder data. If you accept or process payment cards, you need to comply with PCI DSS. Non-compliance can attract penalties ranging from $5,000 to $100,000.
PCI DSS compliance requires you to meet the following 12 requirements. They cover the processes, policies, and security controls that protect cardholder data. These requirements can be further broken down into 300 sub-requirements, but here we look only at the 12 primary requirements.
Here’s a 6-step checklist to help you achieve PCI DSS compliance.
There are 4 PCI DSS compliance levels, loosely based on the number of transactions a business processes per year. The exact thresholds vary slightly between credit card companies. The compliance levels are:
Level 1 - More than 6 million transactions, or any business that has suffered a security breach
Level 2 - 1 million to 6 million transactions
Level 3 - 20,000 to 1 million online transactions
Level 4 - Fewer than 20,000 online transactions, or fewer than 1 million physical card transactions
The first step is to find out the number of annual transactions at your organisation and compare it with the requirements of the credit card companies your business supports. This will help you determine the PCI level applicable to your business.
Work with your IT department to map the flow of cardholder data through your network and systems. The map should cover every storage system, platform, and network where the data is stored or through which it is transmitted, because these are the systems that fall within the scope of your compliance effort.
The Self-Assessment Questionnaire (SAQ) helps you understand whether your organisation meets the 12 PCI DSS requirements. Each requirement is split into smaller steps, and the SAQ is the tool for validating your organisation's compliance with the requirements that apply to your level.
The Attestation of Compliance (AOC) varies by level. While the SAQ helps you assess whether you fulfil every requirement, the AOC is the proof that you do.
Your systems need to be scanned for vulnerabilities, either by engaging an Approved Scanning Vendor (ASV) or by using scanning tools. The SAQ will help you decide which scanning method applies to you.
Depending on your level, you may have to submit the SAQ, the AOC, and the vulnerability scan report to your banks, the credit card companies, and other parties.
The checklist above is for achieving PCI DSS compliance, but remember that compliance is a continuous process. Even after you have established compliance, vulnerability scans must be conducted regularly, and after each scan you will need to review your business processes, infrastructure, and the data you store.
6clicks gets its name from the fact that the platform is extremely easy to use - as easy as 6 clicks. From documentation and questionnaires to assessments and reporting, every step in achieving and maintaining compliance is brought to a single platform at 6clicks. And with automation and integration with vulnerability scanning tools, your 6-step checklist for PCI DSS compliance is simplified with 6clicks.
Want to know how we do it? Get started with 6clicks and see for yourself.