Everything You Need to Know About PCI DSS Compliance

Share/Bookmark

Instead of explaining everything about PCI compliance here on my site, I've decided to give you a brief rundown of the basics, then I'll point you to some resources that get even more in-depth on the subject.

The most important thing to remember from all of this is that PCI compliance standards are constantly changing. What's required today, might be unnecessary tomorrow, and vice-versa. Additionally, your compliance obligations will vary depending on what type of business you are.

If you're a small eCommerce site that uses a payment gateway like Authorize.Net, your responsibilities will be much less than if you're a large brick-and-mortar merchant that stores your customer's credit card numbers. The key is to figure out which requirements pertain to your business type, then ensure that you follow those guidelines to become compliant.

With that said, let's cover the basics...

The PCI Security Standards Council (PCI SSC)

You've probably heard about these guys already. They're the one's that set the rules and tell us how to comply with them. They have the most up to date information about PCI compliance, so visit their site to learn more. Remember, their policies are changing regularly, so be sure to stay updated. Obviously, the most important page for you is going to be their "Merchants" page.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI SSC that merchant's are required to follow, in order to remain compliant.

Where to Start

Chances are that you don't have the time to become a PCI expert, so if I was you, I'd watch this PCI rock video, read this Quick Reference Guide, and call it a day. The video will introduce you to the whole PCI DSS stuff, and the guide will give you enough info to make a decision on what to do next.

This PCI for Dummies ebook by Qualys is also worth a read.

What's Your Merchant Risk Level?

As I mentioned above, PCI requirements vary based on what your risk level is as a business. Click here to find out what risk level your business is.

Following the 12-Step Program

The most important part of the PCI DSS compliance program are the 12-requirements as outlined in the Quick Reference Guide. Understand these, and you'll be well on your way to understanding PCI compliance.

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

Self-Assessment Questionnaire (SAQ)

As you'll learn in the Quick Reference Guide, the Self-Assessment Questionnaire (SAQ) is a quick and easy way for merchants (business owners) to find out which of the above requirements they need to comply with.

Everybody needs to take the SAQ, so you might as well take it now. Don't forget to read the instructions first.

Using the Right Equipment

Turns out that you need to be using the right type of terminal/equipment if you plan on being compliant. Use this search engine to find out if your equipment is certified. If not, you probably have to upgrade.

Generally, when you sign up for a new merchant account, your provider will give you up-to-date and compliant equipment.

Small Merchants

If you're a small merchant that doesn't store anyone's credit card information, consider yourself lucky! Besides a couple of minor tasks, your responsibilities will be minimal. Check out this link to learn more.

Conclusion

Not much more to say here. Read the above, follow the links, read the documents I've referenced, and you'll be just fine. Don't freak out over the complexity of it all. It doesn't need to be too difficult.

Let me know if you have questions.