PCI DSS Compliance Blog: How to Become PCI Compliant


11/03/2009

How to Become PCI Compliant

By now you have heard about PCI compliance and are vaguely familiar with how it may apply to your business. So now what?

We’ve created this two-part article to clearly outline the steps merchants and independent software vendors (ISVs) must complete in order to become PCI compliant (PCI DSS and PA-DSS compliant, respectively). We hope it guides you through this process clearly.

This week, we’ll focus on how merchants become PCI compliant:

Merchants

For starters, get familiar with the compliance standard that applies to you: the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requirements are broken down into six different categories:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The next step is to figure out your PCI compliance level. Merchants fall under four levels of PCI compliance, depending on the number of transactions they process each year and whether those transactions are performed from a brick-and-mortar location or over the Internet. Remember: all merchants that process credit cards, whether small or large, must be PCI compliant.

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has its own requirements for PCI compliance. We’ve written a comprehensive article on the different PCI compliance deadlines for each payment card brand, along with their different PCI compliance requirements. To give you a general idea of what you need to do as a merchant, here are Visa’s PCI requirements for merchants:

Level 1 Merchants

- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form

Level 2 and 3 Merchants

- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by ASV
- Attestation of Compliance Form

Level 4 Merchants

- Annual SAQ recommended
- Quarterly network scan by ASV if applicable
- Compliance validation requirements set by acquirer

Some resources to help you complete these requirements:

- List of approved QSAs
- List of approved ASVs
- Instructions on how to complete the SAQ
- PCI Compliance Deadline List, including links to each payment brand’s PCI compliance site
- Article on how businesses that should complete the SAQ D can opt for a shortened SAQ

Depending on your compliance level, complete the appropriate requirements (above). Then, for each payment card brand you accept, check that brand’s site to see what kind of reporting you have to supply to it.

Next week we will post an article on how ISVs become PA-DSS compliant. Sign up for our email updates in the top right corner or subscribe to the RSS feed to be sure you don't miss it!
