PCI Compliance Checklist: Check Requirements | Agilie

Global digitization has increased reliance on debit and credit cards as payment options because they are convenient and save time. This, however, raises concerns about payment transaction security and client data protection.

But what regulations or standards oblige businesses to protect the cardholders’ sensitive information? That’s the question we are going to answer with a comprehensive analysis of the credit card PCI compliance checklist.

Key Takeaways
  • PCI DSS is a set of security standards, mandated by the major card brands, that obliges vendors to protect cardholders’ sensitive data.

  • Four levels of PCI DSS compliance, determined by the annual number of transactions, set the validation requirements vendors must meet to protect cardholders’ sensitive data.

  • Noncompliance with the 12 PCI DSS requirements might result in fines, penalties, compensation costs, legal action, and reputational damage.

Who Needs to Be PCI DSS Compliant?

Developed by the PCI Security Standards Council, PCI DSS (Payment Card Industry Data Security Standard) is a set of standards for protecting cardholders’ sensitive data throughout the full payment cycle.

But who needs to be PCI DSS compliant?

First of all, businesses that work with the following cards have to abide by this security standard as it’s mandated by the card brands:

  • Visa

  • Mastercard

  • American Express

  • Discover

  • JCB

Next, organizations and service providers involved in payment processing must comply with the standard, as they are responsible for safe data processing and transmission.

E-Commerce

E-commerce websites handle many payment operations per day, which exposes them to threats such as man-in-the-middle attacks and phishing scams, so PCI DSS compliance is a must to prevent cardholders from losing funds or sensitive information.

Brick-and-Mortar Retailers 

‘Traditional’ physical stores are obliged to conform to the PCI DSS standard because they accept debit and credit cards as payment methods, using point-of-sale (POS) systems or mobile devices to complete clients’ purchases.

Payment Gateways

Payment gateways such as PayPal, Stripe, and Adyen have to be PCI DSS compliant, as these services read the client’s debit or credit card information and send it to the merchant’s acquiring bank for purchase confirmation and payment collection.

Check how to integrate a payment gateway into the application.

Banking Institutions

Banking institutions are primarily governed by regulations such as FFIEC guidance and the GLBA, and PCI DSS compliance is not required of them by law. Nevertheless, they have to comply with PCI DSS as well if they process payment card transactions.

PCI DSS Compliance Levels

When starting an e-commerce business, or if you are already running one, you have to pay attention to the following four PCI DSS compliance levels, which set different requirements depending on the annual number of transactions.

PCI Level 1

Businesses that handle over 6 million transactions per year fall under Level 1 of PCI compliance. This is the strictest level of PCI security assessment, and it requires:

  • An annual report on compliance performed by a Qualified Security Assessor (QSA).

  • Quarterly network scans by an approved scanning vendor (ASV). These vendors scan your computers, servers, and cloud infrastructure to detect potential security vulnerabilities that could expose sensitive information.

  • Penetration tests at least once a year. Combining manual processes and automated tools provides a more profound report than a vulnerability assessment alone.

  • Submission of the Attestation of Compliance (AOC) form, which confirms that you have complied with the PCI DSS standard.

PCI Level 2

Businesses whose yearly transactions range from 1 million to 6 million fall under PCI Level 2. This level does not require an onsite PCI audit; instead, if your business reaches this point, you should do the following:

  • Complete the Self-Assessment Questionnaire (SAQ). The number of questions varies depending on the scope of the audit.

  • An onsite audit and annual report on compliance are required if a data breach has occurred.

  • Quarterly network scan by an approved scanning vendor.

  • Internal scan

  • AOC form completion

  • Penetration test (required to be completed at least annually).

PCI Level 3

Businesses that handle 20,000 to 1 million transactions per year abide by Level 3 of PCI DSS compliance. The requirements for this level comprise:

  • SAQ completion 

  • Quarterly scan of the network for vulnerabilities.

  • Completion of the attestation compliance form.

Note: Level 3 does not require businesses to complete a penetration test, but your company can still benefit from doing one.

PCI Level 4

Businesses that process fewer than 20,000 transactions per year fall into Level 4 of PCI DSS compliance. Their key obligations for the PCI audit include completing the SAQ, conducting quarterly network vulnerability scans, and completing the AOC.

What Happens If You Don't Comply With PCI Requirements?

Before going through the PCI security compliance checklist, it is essential to understand what your organization will face if it does not comply with this security standard.

Fines & Penalties

If an organization fails to comply with the PCI requirements, it faces fines and penalties from card brands such as Visa and Mastercard and from acquiring banks, ranging from $5,000 to $100,000 per month depending on the scope of the issue. The size of the penalty depends on the business’s compliance level.

Please note that fines and penalties are assigned regardless of whether a data breach or loss of sensitive information has occurred. Failure to perform the audit procedures required for your PCI level is considered non-compliance and incurs a fine until the issue is resolved.

Compensation Costs

If the organization does not follow the PCI checklist and experiences a data breach or loss of clients’ sensitive data, it will have to compensate the affected customers in addition to the fines and penalties discussed above.

The compensation costs can include free credit card monitoring, insurance against identity theft, and even card replacement (which may cost $3-$5 per customer).

Legal Action

PCI DSS is not a law itself, but in case of noncompliance and a breach of sensitive data, cardholders can file a lawsuit against the payment service provider. The absence of PCI DSS compliance can be considered negligence, and whether one or multiple lawsuits are involved, the overall legal costs can be substantial.

Damaged Reputation & Loss of Revenue

Noncompliance with PCI DSS increases the overall risk of data breaches, which, if they occur, can undermine your target audience’s trust in your business. Even if no loss of sensitive information is registered, failure to carry out the required audit activities can make clients doubt your reliability, which ends in lost revenue.

PCI DSS Compliance Requirements Checklist

Now let’s explore what the PCI compliance checklist is. It consists of 12 requirements grouped into six categories. Let’s discuss them.

1. Set Up and Maintain Firewall Configuration

The first PCI DSS requirement obliges the organization to establish a proper firewall configuration. The firewall configuration must follow a documented set of standards that allows standardized testing whenever hardware or software changes.

The configuration rules must be reviewed at least every six months and should block all untrusted traffic; the only exception is traffic for the protocols necessary to handle cardholder data.

2. Refrain from Default Passwords and User Names

This PCI DSS requirement obliges businesses to change the default user names and passwords provided by manufacturers. Firewalls and other hardware or software often ship with standard passwords, which increases the risk of cyber attacks, so they must be changed before the device or software is put into the corporate data system.

3. Ensure the Protection of the Cardholder’s Stored Data

An organization that performs payment processing must protect users’ stored data to prevent unauthorized use. Note that your business must never store the client’s data; the only exceptions are legal or regulatory needs.

Additionally, this requirement limits data retention time by requiring a quarterly clean-up of stored data that is no longer needed.

4. Maintain the Encryption of Cardholder’s Data within Open/Public Networks

This PCI DSS requirement obliges organizations to use strong cryptography and adhere to strong security protocols. IPsec, SSH, and TLS are among the technologies PCI DSS recommends for securing clients’ data during transmission. Adherence to industry standards such as IEEE 802.11i is a must for wireless networks.

Encrypting data before it is transmitted over a public network and decrypting it only upon receipt minimizes the risk of it being intercepted in transit.

5. Perform a Regular Update of the Anti-Virus Program

PCI DSS requires an in-depth analysis of systems that handle cardholders’ sensitive data, including an assessment of the anti-virus solutions in place, to prevent vulnerabilities.

Systems that are not commonly affected by malware have to be assessed periodically to check whether anti-virus software is needed. Anti-virus software has to be actively running and may be disabled temporarily only for a formally authorized, specific purpose.

Apart from that, the organization has to deploy anti-virus software on all commonly affected systems, including workstations, laptops, and mobile devices, both onsite and remote.

6. Keep the Systems Secure and Updated

Organizations have to keep their software secure by eliminating known vulnerabilities. One of the key security measures for protecting software is the timely installation of security patches. This also concerns the independent software vendors that provide merchants with software tools: they have to inform their business customers about security patches so that these can be easily obtained and installed.

7. Restrict Access to Cardholder’s Data on a Need-to-Know Basis

This requirement concerns access control measures, that is, how the company grants or denies access to cardholder data. The key task is to ensure that only authorized parties can access these sensitive data.

Need-to-know is a basic concept of PCI DSS: businesses must know the circumstances under which an agent requests access to cardholder data. Even if the agent has permission to access user data in a broad sense, the request may be considered unauthorized and denied if the permission does not cover the specific request scenario.

8. Assign a Unique ID to Each Person with Computer Access

This PCI DSS requirement concerns access control measures and requires assigning a unique identifier to each authorized user. When cardholder data is accessed, the activity can then be attributed to a known user or flagged as unauthorized. To prevent unauthorized access to sensitive data, PCI DSS recommends using RADIUS or TACACS together with tokens.

This matters especially for remote access, where relying on two separate passwords is not advisable. The technologies mentioned above strengthen user identification because they use a password as one authentication factor and a token as the second.

9. Set Restrictions on Physical Access to Cardholder Data

This item on the PCI compliance checklist refers to control measures such as onsite access control that restricts the movement of data within the facility, together with the monitoring and logging of physical access.

This control practice matters for restricting the physical access of parties such as vendors, employees, and contractors to cardholder data. Finally, the organization has to implement controls governing how information is distributed, to prevent its exposure after access has been approved.

10. Analyze All Access to Network Resources Relevant to Cardholder Data

This requirement obliges businesses to conduct regular checking, monitoring, and testing of their network. This measure is essential to prevent vulnerabilities in physical and wireless networks that might facilitate cyberattacks.

The following aspects are required:

  • Linking all network traffic to a specific user

  • Automated audit trails

  • Time synchronization
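As an added example (not code from the article), the following Python sketch shows what these three points look like in practice: each audit event is tied to an individual user ID, timestamped in UTC so that entries from hosts with synchronized clocks can be ordered, and chained by hash so that later tampering with the trail is detectable. The field names, the list of shared account names and the sample events are this example’s own constructed choices.

```python
import json
import hashlib
from datetime import datetime, timezone

# Fields each event must carry to attribute an access to an individual (constructed list).
REQUIRED_FIELDS = ("timestamp", "user_id", "event_type", "outcome", "origin", "resource")
# Generic account names that cannot be tied to one person (constructed list).
SHARED_ACCOUNTS = {"root", "admin", "administrator", "shared"}


def make_event(user_id, event_type, outcome, origin, resource, when=None):
    """Build one event; time is normalized to UTC so synchronized hosts can be ordered."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    return {"timestamp": when.astimezone(timezone.utc).isoformat(),
            "user_id": user_id, "event_type": event_type, "outcome": outcome,
            "origin": origin, "resource": resource}


def validate_event(event):
    """Return the list of problems; an empty list means the event is acceptable."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not event.get(f)]
    if event.get("user_id") in SHARED_ACCOUNTS:
        problems.append("user_id must identify an individual, not a shared account")
    return problems


def _entry_hash(prev_hash, event):
    return hashlib.sha256((prev_hash + json.dumps(event, sort_keys=True)).encode()).hexdigest()


def append_event(trail, event):
    """Append a validated event, chained to the previous entry's hash so later edits are detectable."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    trail.append({**event, "prev_hash": prev, "entry_hash": _entry_hash(prev, event)})
    return trail[-1]["entry_hash"]


def verify_trail(trail):
    """Recompute the chain; return the index of the first tampered entry, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
        if entry["prev_hash"] != prev or entry["entry_hash"] != _entry_hash(prev, body):
            return i
        prev = entry["entry_hash"]
    return -1


def demo_trail():
    """Two constructed events: one successful read of a card record, one failed attempt."""
    t = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    trail = []
    append_event(trail, make_event("jdoe", "read_card_record", "success", "10.0.0.5", "cards_db", t))
    append_event(trail, make_event("asmith", "read_card_record", "failure", "10.0.0.9", "cards_db", t))
    return trail
```

In a real deployment the trail would be written to a separate, write-protected log host; the hash chain only tells you that an entry was altered, not who altered it.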

11. Perform Regular Testing of Security Systems and Processes

Businesses should comply with this requirement whenever new code is introduced into the corporate data system. This step matters for analyzing and detecting potential vulnerabilities introduced by the changes.

Additionally, companies are obliged to test quarterly for unauthorized wireless access points. Among other measures, the requirement includes the following:

  • Internal and external vulnerability scans (quarterly and after the implementation of changes).

  • Intrusion detection

  • File integrity monitoring (to detect unauthorized modifications to files).
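As an added example (not code from the article), here is a minimal file integrity monitor in Python that does what the last item describes: it takes a baseline of SHA-256 digests for every file under a directory and, on the next run, reports files that were added, removed or modified. The directory tree and file contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # do not follow links; a swapped link shows up as removed
                continue
            result[os.path.relpath(full, root).replace(os.sep, "/")] = file_digest(full)
    return result


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed tree: baseline it, then simulate a config edit, a deleted file
    and a dropped-in script before the next scheduled comparison."""
    with tempfile.TemporaryDirectory() as root:
        files = {"conf/app.ini": "log_full_pan=false\n",
                 "bin/checkout.sh": "#!/bin/sh\necho pay\n",
                 "notes.txt": "nothing to see\n"}
        for rel, text in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        baseline = snapshot(root)
        with open(os.path.join(root, "conf", "app.ini"), "w") as fh:
            fh.write("log_full_pan=true\n")  # unauthorized configuration change
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "bin", "unexpected.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```

In production the baseline must be stored where the monitored host cannot rewrite it, and the comparison should run on a schedule (PCI DSS expects at least weekly) with any difference raising an alert.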

12. Implement an Information Security Policy

The final PCI DSS requirement is implementing and maintaining an information security policy for employees and relevant parties. Businesses must review and challenge the policy at least yearly to identify weaknesses for further revision and updates.

Common PCI Compliance Mistakes & How to Avoid Them

After going through the PCI DSS requirements checklist, let’s look at some common compliance challenges and their solutions.

Reliance on Non-Expiring Passwords

Non-expiring or weak passwords increase the threat of cyber attacks: by giving unauthorized people a simple entry point, you put cardholders’ sensitive data at stake.

Solution

Enforce strict policies on routine password changes; they will not only protect cardholders’ private information but also reinforce the confidentiality of your business.

The Incorrect Scope Definition

Another issue arises when the business fails to identify the elements of its data infrastructure that handle cardholder data. Specifically, the systems that process, store, or transmit credit card information form the cardholder data environment, which is a segment of the broader corporate data infrastructure.

The failure occurs when the organization does not identify the elements of the broader infrastructure that affect the cardholder data environment, putting clients’ security at stake.

Solution

Perform a comprehensive analysis of all elements within the corporate data infrastructure to identify the components that process, store, or transmit credit card data, or that can directly or indirectly affect its safety. This will help you ensure an adequate level of adherence to the PCI security compliance checklist.

Failing to Change Default Credentials

When processing, storing, or transmitting users’ credit card data, the organization may use firewalls, routers, and point-of-sale devices that ship with manufacturer-provided passwords and user names.

PCI noncompliance occurs when the organization fails to change these defaults, as attackers routinely use automated tools to scan corporate systems. If the defaults are left unchanged, an attacker can use the default password and user name to access cardholder information, leading to the loss of sensitive data.

Solution

Change all default credentials on all devices before deployment. Implement rigid password policies based on PCI DSS password guidelines, such as requiring 12 mixed characters (uppercase letters, numbers). Additionally, consider implementing multi-factor authentication to add an extra security layer to remote access.

Failing to Implement Regular Security Audits

This mistake occurs if you fail to conduct timely PCI DSS audits for the Level assigned to your business. Timely audits provide a comprehensive analysis of the overall data infrastructure, detecting potential vulnerabilities before they lead to a data breach.

Solution

Implement a structured audit schedule covering internal analysis and external assessment, depending on your PCI DSS compliance level. Additionally, you can conduct a preliminary PCI DSS assessment to identify potential gaps before the official audit.

Agilie, Your Fintech Partner

Agilie is an IT outsourcing company that develops secure and tech-savvy digital solutions in the areas of fintech, real estate, healthcare, logistics, etc. Using practice-proven technologies, we deliver reliability in building custom mobile banking applications, payment solutions, blockchain software, and fintech products based on the SDLC project development process. 

Eager to engineer cutting-edge and sophisticated software in the categories listed above? Here’s how Agilie can help you:

Conclusion

This article has analyzed the PCI compliance requirements checklist that your business is obliged to follow to ensure the security of cardholders’ sensitive information. Keep in mind that noncompliance with PCI DSS can significantly damage your reputation and deplete your financial resources, depending on the scope and duration of the damage within your Level category. Hence, conduct timely audits, continuously check your systems for vulnerabilities, and reinforce your security measures.

Looking for a reliable partner? We’re on your side! Contact us to cooperate.
