PCI Compliance Requirement Checklist: Does Your Business Hold Up?

When customers purchase, they trust the company to protect their credit card information from prying eyes. How a company processes payments and protects customer information helps build customer loyalty and avoid costly government fines and penalties. 

Using a PCI-compliant system allows you to operate your business without the worry of extra fees or legal problems, but how do you know if you’re PCI compliant? Here is your guide to PCI compliance requirements and a PCI compliance requirements checklist. 

What Does It Mean to Be PCI Compliant?

Payment card industry (PCI) compliance is a series of regulations and rules mandated by credit card companies that ensure a transaction’s security. Rather than each credit card company having its own security standards, all PCI compliance regulations are developed and managed by the PCI Security Standards Council. 

PCI compliance is a core component of any credit card network agreement. Companies or individuals who want to work with processing credit card payments must be PCI compliant, or they will be charged a monthly penalty fee in addition to the merchant assuming more risk. 

What Are the 12 Key PCI Compliance Requirements?

While there is a process to approach PCI compliance, compliance is generally boiled down to 12 key requirements as part of the PCI Data Security Standard (PCI DSS). These requirements create a PCI compliance checklist that can help your business become PCI compliant. 

1. Install, use, and maintain firewalls to protect cardholder data. 
2. Implement and use proper password protection with basic precautions like regularly changing passwords for system passwords and other security parameters. 
3. Protect cardholder data with data encryption and regular scans to ensure no unencrypted data exists. 
4. Encrypt all transmitted cardholder data across open, public networks. Even data sent to known or secure locations should be encrypted. 
5. Install, use, and maintain antivirus for all devices that interact with primary account numbers.
6. Properly update software, including firewalls, antiviruses, and any other piece of software. 
7. Restrict digital access to cardholder information. This information should be “need-to-know.” 
8. Track and monitor all access to cardholder data and network resources with unique individual IDs for each user. 
9. Restrict physical access to cardholder information. Physical information should be kept in a secure physical location and access locked. 
10. Create and maintain access logs. Any activity involving cardholder information or primary account numbers must be strictly recorded and documented. 
11. Frequently scan and test for vulnerabilities to ensure you are following compliance standards throughout your system.
12. Clearly document all of your policies that address information security. 

A company’s merchant payment processor (like Preferred Payments) and the payment gateway will fill requirements like encryption, restricting digital access to cardholder information, and access logs to make it easier for a merchant to become PCI compliant. 

What Are the Different Compliance Levels and How Are They Determined? 

There are four levels of PCI compliance, and with each level, there are different standards and requirements that have to be met. The number of transactions you process annually will directly affect which level of PCI compliance your company should aim to achieve. 

Additionally, a merchant can change levels if they have suffered a breach that has resulted in compromised account data.

Level 4

Level 4 compliance is for merchants that process fewer than 20,000 transactions annually. There is no exception for being compliant. Even the smallest company that only has a handful of transactions is required to be level 4 compliant. 

Level 4 organizations must conduct an annual self-assessment questionnaire (SAQ) and a quarterly scan by an Approved Scanning Vendor (ASV). They then have to complete an attestation of compliance form and check for any additional requirements related to the results of their SAQ.

Level 3

Level 3 compliance is for any merchant who processes 20,000 to 1,000,000 transactions a year. 

Level 3 organizations must conduct an annual self-assessment questionnaire (SAQ) and a quarterly scan by an Approved Scanning Vendor (ASV). They are also required to complete an attestation of compliance form. Depending on the results from the SAQ, there might be additional requirements, including a penetration test or internal scan.

Level 2

Level 2 compliance is for merchants who process 1,000,000 to 6,000,000 transactions a year. 

Level 2 organizations must get an onsite assessment by a PCI SSC Quality Security Assessor (QSA) and do quarterly network scans by an Approved Scanning Vendor (ASV). If a Level 2 organization has a certified Internal Security Assessor (ISA), they must produce an annual self-assessment questionnaire (SAQ). Depending on the SAQ results, there can be additional requirements like a penetration test or internal scan.

Level 1

Level 1 compliance is for merchants who process over 6,000,000 transactions in a year. Some card companies, like Visa, can choose to break this standard and require any merchant to meet the Level 1 requirements to minimize risk. 

Level 1 organizations must perform an annual external audit by a Qualified Security Assessor (QSA) and a quarterly network scan by an Approved Scanning Vendor (ASV) to remain compliant. They are also required to complete a penetration test, internal scan, and complete an attestation of compliance form. 

What Happens if You Are Not PCI Compliant? 

If you are not PCI compliant, you are putting yourself at risk for a wide range of penalties and fines. For example, if you are not PCI compliant and there is a data breach where card information has been endangered, you can be fined for each cardholder’s information that was endangered and have the potential for legal action to be taken against your company. 

In extreme circumstances, if a merchant is habitually non-compliant, it may lead to the termination of the relationship between your company and its payment processor. This makes it impossible for you to process any transaction on a card, which will create revenue loss as well as significant damage to your reputation. 

The Federal Trade Commission (FTC) regulates PCI DSS compliance and can decide to perform frequent audits. From those external audits, the FTC can choose to impose further penalizations and fees. 

What Does My Business Need to Do to Be PCI Compliant? 

Start with a self-assessment questionnaire (SAQ) from the PCI Security Standards Council. An SAQ is a requirement for level 2, 3, and 4 certifications and can help you quickly identify your compliance weaknesses. Each questionnaire is a mix of yes-or-no and fill-in-the-blank questions. 

Any section of your SAQ that you cannot fill out or answer “no” should indicate what your business needs to do to become PCI compliant.

Preferred Payments Can Help

Being PCI compliant doesn’t have to be complicated. Preferred Payments can help you by providing an innovative payment system that focuses on compliance and accountability.