What Does it Take to Become PCI Compliant?
PCI compliance means compliance with the Payment Card Industry Data Security Standard (PCI DSS), a proprietary set of standards and best practices for payment security. It’s an important standard to adhere to if your company accepts credit card payments; otherwise, if your company’s data is breached, your customers could be exposed and your company could be held liable.
According to Century Business Solutions, 80 percent of businesses failed their initial PCI compliance assessment. PCI compliance is the new standard for security, so it’s imperative that you make an effort to belong to that remaining 20 percent.
Who Is PCI Compliance For?
PCI compliance is something any business that accepts credit card payments should consider—regardless of the size or volume of those transactions. PCI compliance is not legally mandated, so you won’t face criminal charges if you aren’t compliant, but if you suffer a data breach while not in full compliance, you could incur steep fines from the PCI Security Standards Council (PCI SSC). Adhering to standards protects both your customers and your business, so it’s worth having.
There are different categories of businesses, as described by the PCI SSC, and each one is held to different standards. For example, class A merchants are “card-not-present” merchants that completely outsource all cardholder data handling to third-party service providers. Basically, it’s a category for online vendors who never touch or view customer credit cards or related data.
How to Become PCI Compliant
When you’re ready to become PCI compliant, these are the steps you’ll need to take:
1. Analyze your compliance level.
Your first job is to analyze where you currently stand. There are different security standards for different businesses, based on how you handle customer transactions, how you handle data, which credit card companies and banks you work with, and how much transaction volume you handle. Different card companies define their own levels here; for example, MasterCard’s and Visa’s programs describe four and five levels of businesses, respectively. Determine where you fall, and how your business is described in PCI’s general standards, so you’re ready for the next steps.
2. Fill out the self-assessment questionnaire.
The self-assessment questionnaire (SAQ) is a relatively painless guidebook you can use to assess your current compliance level. There are actually nine different versions of the SAQ guidebook, but don’t let that intimidate you. These versions exist for different business types, so you’ll only need the version that applies to your business. When you have it, the guidebook will walk you through about a dozen different requirements, and for each one you’ll answer “yes,” “no,” or “N/A.” This will help you identify the missing pieces of your company’s payment security.
3. Make any necessary changes.
At this point, you may realize your business falls short of at least one criterion. If this is the case, take this time to make any necessary security improvements to your business. When you’re done, you can take the SAQ again.
4. Find a provider that uses data tokenization.
Data tokenization keeps customers’ sensitive credit card information in the provider’s secure, web-based portal rather than on your local servers. Not only does this keep your customer data safer, it also reduces your liability in the event of a data breach.
5. Complete a formal attestation of compliance.
Once you’ve made any necessary changes and have updated your SAQ, you can fill out a formal attestation of compliance (AOC). This is a formal declaration that your business is fully compliant with all relevant PCI standards, and again, there are nine different types based on the nature and size of your business. Once you’re done with that, you can have a qualified security assessor review your work and produce a report on your compliance to validate your own findings.
6. File the paperwork.
When everything is completed, you’ll be able to file the paperwork with your credit card companies and/or banks. You’ll need to submit your SAQ, your AOC, and any other paperwork these organizations may request. For example, some organizations may request an external vulnerability scan.
Even though the process for becoming PCI compliant is fairly straightforward, there are many technical standards that can be confusing if you’re not an expert in payment processing. If you’re concerned about your ability to become PCI compliant on your own, it’s a good idea to seek help from an outside authority that does have expertise in PCI compliance; in fact, the PCI SSC maintains a list of qualified security assessors for you to choose from.