While frustrating to many, it’s hard to argue the role PCI compliance has played in creating...
Your PCI Compliance Go-Live Checklist
Going live with a PCI-compliant product or service can become cumbersome for merchants. On top of understanding and adhering to the Payment Card Industry Data Security Standard (PCI DSS) 12 requirements, merchants must demonstrate their compliance annually.
This is no small feat for most merchants, especially as they grow and expand into new markets.
This post will outline the details that can help merchants achieve compliance, and share a quick go-live checklist to simplify the entire process.
What is PCI Compliance?
The PCI DSS outlines hundreds of requirements for storing, processing, and transmitting cardholder data. Any entity that accepts card payments from any of the major networks (e.g., Visa, Mastercard, Discover, etc.) must comply with the PCI DSS and assess their compliance annually.
PCI Levels
PCI Levels allow organizations to understand and determine their reporting requirements when processing cards. These Levels vary by card brand but are generally determined by an organization’s current or projected amount of annual card transactions.
Visa's merchant levels, as a frame of reference, are:
- PCI Level 4: Less than 20,000 transactions per year.
- PCI Level 3: Between 20,000 and 1 million transactions per year.
- PCI Level 2: Between 1 million and 6 million transactions annually.
- PCI Level 1: Over 6 million transactions per year.
As the number of transactions rises, so do the requirements for establishing and maintaining compliance. Therefore, merchants that qualify for Level 4 compliance have a smaller compliance scope, while PCI Level 1 has the largest.
Compliance Reporting
Organizations subject to PCI DSS must also annually demonstrate compliance with the regulation. PCI DSS lays out two ways of doing so:
- the Self-Assessment Questionnaires (SAQ); and
- the Report on Compliance (ROC).
Merchants then use their completed SAQ or ROC to produce an Attestation of Compliance (AOC). This document summarizes the assessment results and is then submitted to the Payment Card Industry Security Standards Council (PCI SSC). Those in Level 1 must additionally have their systems audited, and their AOC confirmed by a third party, generally either a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA).
An overview of reporting by level includes:
|
|
Level 1 |
Level 2 |
Level 3 |
Level 4 |
|---|---|---|---|---|
|
Number of card transactions |
Over 6 million |
6 million - 1 million |
1 million - 20,000 |
20,000 or fewer |
|
Compliance assessment type |
Report on Compliance by a QSA or an ISA |
Self-assessment questionnaire |
Self-assessment questionnaire |
Self-assessment questionnaire |
The Objectives and Requirements of PCI DSS
PCI DSS consists of 6 objectives. The 12 top-level PCI DSS requirements in those objectives contain over 300 sub-requirements.
While the objectives help normalize cardholder and sensitive authentication data safety at a high level, the sub-requirements contain important information. The sub-requirements convey PCI’s expectations around securely storing, processing, and transmitting cardholder data and, thus, define what is and isn’t considered industry best-practice, or compliant.
Check out our quick dive into 12 PCI DSS requirements to learn more about each.
Objective 1: Build and maintain a secure network
- Requirement 1: Install and maintain network security controls
- Requirement 2: Apply secure configurations to all systems
Objective 2: Protect account data
- Requirement 3: Protect stored account data
- Requirement 4: Protect cardholder data with strong cryptography during transmission over open public networks
Objective 3: Maintain a vulnerability management program
- Requirement 5: Protect all systems and networks from malicious software
- Requirement 6: Develop and maintain secure systems and software
Objective 4: Implement strong access control measures
- Requirement 7: Restrict access to system components and cardholder data by business need-to-know
- Requirement 8: Identify users and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Objective 5: Regularly monitor and test networks
- Requirement 10: Log and monitor all access to system components and cardholder data
- Requirement 11: Test the security of systems and networks regularly
Objective 6: Maintain an information security policy
- Requirement 12: Support information security with organizational policies and programs
The nuances of these requirements can be challenging for merchants and service providers to understand, but are non-negotiable for maintaining PCI compliance.
Easy Go-Live Checklist to Maintain PCI Compliance
Our team has created an interactive guide to help merchants learn and adhere to best practices before going live with a Basis Theory integration.
These items include configurations, data setup, development requirements, and operational items to consider when building with Basis Theory to ensure you achieve and maintain PCI compliance.
This checklist allows merchants to quickly mark off items that have been completed and receive more information on items that haven’t entirely met compliance requirements yet.
Access the production checklist here and start building your PCI-compliant solution today.
