
    PCI Compliance Requirement Checklist: Essentials for a Merchant

    PCI Compliance Go-Live checklist


    Going live with a PCI-compliant product or service can become cumbersome for merchants—and sometimes feel like more of a burden than becoming PCI compliant itself!

    On top of understanding and adhering to the Payment Card Industry Data Security Standard (PCI DSS) 12 requirements, merchants must demonstrate their compliance annually. This is no small feat, especially as merchants grow and expand into new markets.

    This post will serve as a PCI compliance requirement checklist and outline the details that can help merchants achieve compliance. We will share a quick go-live checklist to simplify the entire process.

    Interactive PCI Compliance Requirement Checklist 

    Our team has created an interactive checklist to help merchants learn and adhere to best practices with PCI compliance. The PCI compliance requirement checklist includes configurations, data setup, development requirements, and operational items to consider when building with Basis Theory to ensure PCI compliance is achieved and maintained. 

    This checklist allows merchants to quickly mark off items that have been completed and receive more information on items that haven’t entirely met compliance requirements yet.


    Explaining PCI Compliance 

    The PCI DSS outlines hundreds of requirements for storing, processing, and transmitting cardholder data. Any entity that stores, processes, or transmits cardholder data for any of the major card brands (e.g., Visa, Mastercard, Discover, etc.) must comply with the PCI DSS and validate its compliance annually. 

    PCI Compliance Levels determine how an organization must validate and report its compliance. The levels are defined separately by each card brand, but they are generally based on an organization's current or projected annual transaction volume for that brand, and a brand can also assign a merchant to Level 1 at its discretion (for example, after a breach).

    Visa's merchant levels, as a frame of reference, are:

    • PCI Level 4: Fewer than 20,000 Visa e-commerce transactions per year, plus all other merchants processing up to 1 million Visa transactions per year.
    • PCI Level 3: Between 20,000 and 1 million Visa e-commerce transactions per year.  
    • PCI Level 2: Between 1 million and 6 million Visa transactions per year, regardless of channel.
    • PCI Level 1: Over 6 million Visa transactions per year, regardless of channel, or any merchant Visa designates as Level 1.

    As transaction volume rises, so does the rigor of the validation the merchant must perform. Note that the level does not change which PCI DSS requirements apply: every merchant must meet all requirements that are in scope for its environment. What differs is how compliance is validated and reported, so a Level 4 merchant typically self-assesses, while a Level 1 merchant must undergo a formal assessment.


    Compliance Reporting 

    Reporting is just one portion of the cost associated with PCI compliance.

    Organizations subject to PCI DSS must also demonstrate their compliance with the standard every year. PCI DSS lays out two ways of doing so:

    • the Self-Assessment Questionnaire (SAQ), which the merchant completes itself; several SAQ types exist, and which one applies depends on how the merchant accepts and handles card data; and
    • the Report on Compliance (ROC), which is produced from a formal on-site assessment. 

    Merchants then use their completed SAQ or ROC to produce an Attestation of Compliance (AOC). This document summarizes the assessment results and is submitted to the merchant's acquiring bank (and, through the acquirer, to the card brands). The Payment Card Industry Security Standards Council (PCI SSC) maintains the standard but does not collect AOCs. 

    Level 1 merchants must additionally have an on-site assessment performed and their ROC completed by a Qualified Security Assessor (QSA), an independent firm certified by the PCI SSC, or by an Internal Security Assessor (ISA), an employee of the merchant who holds PCI SSC certification. Most merchants, regardless of level, must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) when their environment is reachable from the internet.

    An overview of reporting by level (Visa merchant levels):

    Level     Number of card transactions per year          Compliance assessment type
    Level 1   Over 6 million                                 Report on Compliance by a QSA or an ISA
    Level 2   1 million to 6 million                         Self-assessment questionnaire
    Level 3   20,000 to 1 million (e-commerce)               Self-assessment questionnaire
    Level 4   Fewer than 20,000 (e-commerce)                 Self-assessment questionnaire

    PCI DSS Objectives 

    PCI DSS is organized into 6 objectives. The 12 top-level PCI DSS requirements under those objectives contain over 300 sub-requirements.

    The objectives describe, at a high level, what the standard is trying to achieve for cardholder data and sensitive authentication data. The sub-requirements are where the detail lives: they state PCI's specific expectations for securely storing, processing, and transmitting cardholder data and, thus, define what is and isn't considered compliant. 

    Objective 1: Build and maintain a secure network and systems

    • Requirement 1: Install and maintain network security controls
    • Requirement 2: Apply secure configurations to all system components

    Objective 2: Protect account data

    • Requirement 3: Protect stored account data
    • Requirement 4: Protect cardholder data with strong cryptography during transmission over open public networks

    Objective 3: Maintain a vulnerability management program

    • Requirement 5: Protect all systems and networks from malicious software
    • Requirement 6: Develop and maintain secure systems and software

    Objective 4: Implement strong access control measures

    • Requirement 7: Restrict access to system components and cardholder data by business need-to-know
    • Requirement 8: Identify users and authenticate access to system components
    • Requirement 9: Restrict physical access to cardholder data

    Objective 5: Regularly monitor and test networks

    • Requirement 10: Log and monitor all access to system components and cardholder data
    • Requirement 11: Test the security of systems and networks regularly

    Objective 6: Maintain an information security policy

    • Requirement 12: Support information security with organizational policies and programs

    The nuances of these requirements can be challenging for merchants and service providers to understand, but meeting them is non-negotiable for achieving and maintaining PCI compliance.
