Last updated: November 27, 2023

Tips on PCI DSS Compliance

What does PCI Mean To Your Business?

The Payment Card Industry Data Security Standard (PCI DSS) defines a set of standards, rules and procedures designed to protect consumer data in credit/debit card transactions and to reduce costly data breaches. The five leading card brands (Visa, MasterCard, Amex, Discover, and JCB) established the PCI Security Standards Council (PCI SSC) as the governing and administrative body responsible for all PCI rules and standards.

Digesting and understanding PCI DSS compliance can be overwhelming or confusing for some businesses. We created this document to help you understand the PCI DSS compliance requirements, comply with the rules, and ultimately safeguard your business.

Boulevard is a PCI DSS approved Level 1 Service Provider. As a service provider, we manage payment processing and take the necessary steps to address certain PCI DSS requirements, both through our own efforts and by providing guidance to our customers. However, partnering with a PCI DSS compliant provider does not by itself make your business compliant with PCI regulations. As a merchant who accepts credit/debit cards, you remain responsible for ensuring that your business complies with all current PCI requirements imposed by the PCI SSC and the Card Brands.

As mentioned above, PCI DSS applies to all entities that accept or process card transactions, including merchants, regardless of their size or payment volume. Compared to larger merchants, smaller merchants typically have simpler environments with limited amounts of cardholder data and fewer systems to protect, and hence a reduced overall PCI compliance effort. There are four PCI compliance levels, discussed in the next section, and each level has its own validation requirements. Your business' total annual transaction volume determines your compliance level.

If your business is not compliant with PCI standards, you could be at risk of fines and penalties related to data breaches, card replacement costs, forensic audits, and investigations into your business. Non-compliance can also damage your brand image and have other consequences.

PCI DSS Requirements

The PCI DSS standards cover the technical and operational system components that are included in, or connected to, the cardholder data environment. The following is the list of current requirements as of October 1, 2020, when this document was written:

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

  3. Protect stored cardholder data

  4. Encrypt transmission of cardholder data across open, public networks

  5. Use and regularly update anti-virus software or programs

  6. Develop and maintain secure systems and applications

  7. Restrict access to cardholder data by business need-to-know

  8. Assign a unique ID to each person with computer access

  9. Restrict physical access to cardholder data

  10. Track and monitor all access to network resources and cardholder data

  11. Regularly test security systems and processes

  12. Maintain a policy that addresses information security for employees and contractors

The PCI Security Standards Council updates the above checklist from time to time. Visit the PCI Security Standards Council website for the most up-to-date PCI DSS requirements.

PCI Compliance Levels and Reporting Requirements

Your PCI compliance reporting requirements depend on the volume of card transactions that you process. The reporting requirements for each level are outlined below.

Level 1

Applicability: Any merchant processing more than 6M transactions per year, OR any merchant that has had a data breach or attack that resulted in card data compromise, OR any merchant designated as Level 1 by the Card Brands.

PCI Reporting Requirements:

  • Annually: Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by an officer of the company

  • Quarterly: Network scan by an Approved Scanning Vendor (ASV)

Level 2

Applicability: Merchants processing 1M to 6M transactions per year.

PCI Reporting Requirements:

  • Annually: Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) and signed by an officer of the company

  • Quarterly: Network scan by an Approved Scanning Vendor (ASV)

Level 3

Applicability: Merchants processing 20K to 1M eCommerce transactions per year.

PCI Reporting Requirements:

  • Annually: Self-Assessment Questionnaire (SAQ) completed by the merchant or by a Qualified Security Assessor (QSA). See Completing SAQ for more details.

  • Quarterly: Network scan by an Approved Scanning Vendor (ASV)

Level 4

Applicability: All other merchants.

PCI Reporting Requirements:

  • Annually: Self-Assessment Questionnaire (SAQ) completed by the merchant or by a Qualified Security Assessor (QSA). See Completing SAQ for more details.

  • Quarterly: Network scan by an Approved Scanning Vendor (ASV)

A complete list of Approved Scanning Vendors (ASVs) is available on the PCI Security Standards Council website.

Cost of PCI Compliance

The cost of PCI compliance depends on the size of your business and therefore varies from business to business. See the PCI Security Standards Council website for more information.