We’ve been getting a lot of questions about PCI compliance lately. Questions like: Am I PCI DSS Compliant? What do I need to be compliant? How does this impact my business? We created this post to help you understand your PCI DSS Compliance requirements, comply with the rules, and ultimately safeguard your business and clients.
First Off, What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a set of standards, rules, and procedures designed to protect consumer data in credit and debit transactions and reduce expensive data breaches. Essentially, it’s a set of rules to maintain payment security.
The five leading card brands, Visa, MasterCard, Amex, Discover, and JCB, get really upset if you have credit card numbers scribbled on post-it notes, buried in your text messages, or anywhere else they can be found by unintended parties. To help maintain payment security, they established the PCI Security Standards Council (PCI SSC) as the governing and administrative body responsible for all PCI rules and standards.
So, How Does PCI DSS Impact My Business?
Boulevard is a PCI DSS-approved Level 1 Service Provider. We manage payment processing for you and take the necessary steps to address certain PCI DSS requirements through our own efforts and by providing guidance to our customers.
However, partnering with a PCI DSS compliant provider does not automatically make you, as a business, compliant with PCI regulations. As a merchant who accepts credit/debit cards, you are still responsible for ensuring that your business is compliant with all current PCI requirements.
But What If I Run a Solo or Small Operation?
Compared to larger merchants, smaller merchants typically have simpler environments with limited amounts of cardholder data and fewer systems that need protecting. This reduces your overall PCI compliance efforts, but you still need to comply.
What Steps Do I Need to Take to Become a PCI DSS Compliant Business?
Step 1: Follow PCI DSS Standards Requirements
PCI DSS requirements cover the technical and operational system components included in or connected to the cardholder data environment. Here is the list of requirements current as of May 31, 2021, when this post was written:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
This checklist is updated by the PCI Security Standards Council from time to time. Be sure to visit the PCI Security Standards Council website to get the most up-to-date PCI DSS requirements.
Step 2: Satisfy PCI Reporting Requirements
There are four levels of PCI compliance. Each level has unique reporting requirements based on your business’s total annual transaction volume and number of card transactions. You can find your reporting requirements below: