How to Become PCI Compliant

Updated: April 22, 2010

For starters, you should get familiar with the PCI compliance standard that applies to you: the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requirements are broken down into six different categories with different requirements:

1. Build and Maintain a Secure NetworkNetwork

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

3. Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

4. Implement Strong Access Control MeasuresSecure-log-in-element-image

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

6. Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The next step is to figure out your PCI compliance level. Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Remember: all merchants that process credit cards—whether small or large—must be PCI compliant.

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements for PCI compliance. You need to know the different PCI compliance deadlines and requirements for each payment card brand. To give you a general idea of what you need to do as a merchant, here are Visa's PCI requirements for merchants:

Level 1 Merchants
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form

Level 2 and 3 Merchants
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by ASV
- Attestation of Compliance Form

Level 4 merchants
- Annual SAQ recommended
- Quarterly network scan by ASV if applicable
- Compliance validation requirements set by acquirer

Related Categories

Featured Research

SolarWinds MSP; Digimite Technology

more
Five Cyberthreats that Slip Past Traditional Antivirus

more
The Art of Organizing and Simplifying IT Support

Any operational business model relies heavily on IT support and the help desk to achieve maximum uptime for all IT systems. This white paper addresses ways for help desk analysts and IT support staff to easily and efficiently handle their workload by simplifying and automating processes to increase time and operational cost savings, enhance productivity, and boost customer satisfaction. more
2020 Wheelhouse Buyer’s Guide to APIs

more
2020 Security Software Buyer’s Guide

more