We know what you’re thinking. The word ‘compliance’ fills most people with dread, evoking images of endless paperwork and more jargon than you can shake a stick at. This alone is enough to strike fear in the hearts of any ecommerce business.
So, to save you from this fate (and minimize risk to your business), we’re bringing you this 12-step PCI DSS compliance checklist. If you’re new to PCI compliance, you’re probably asking yourself:
- What is PCI compliance?
- Why is PCI compliance important for my business?
- What happens if my business isn’t compliant?
- How do I become PCI compliant?
- How much does PCI compliance cost?
We’ll answer these questions and more to give you the full low-down on how to be PCI-DSS compliant.
What is PCI compliance?
PCI DSS is short for Payment Card Industry Data Security Standard. It’s a global security standard maintained by the PCI Security Standards Council (PCI SSC), and it sets out the requirements for keeping cardholder data secure and out of the hands of cybercriminals.
PCI DSS was created to replace the major card brands’ separate security programs with a single, consistent standard. Version 1.0 was released in December 2004, and the standard has been revised several times since. At the time of writing, most organizations are still being assessed against version 3.2.1.
In a nutshell, PCI DSS states the technical and operational security requirements needed to protect payment data. Let’s take a closer look.
A note on PCI-DSS Version 4
Version 3.2.1 is retired on March 31, 2024. Version 4.0 was published in March 2022 and is the only version you can be assessed against after that date, so it’s worth getting familiar with the new requirements now and planning the changes you need to make. Note that a number of v4.0 requirements are ‘future-dated’: they count as best practice until March 31, 2025, after which they become mandatory.
The main changes in v4.0 aim to treat security as a continuous process rather than an annual audit (for example, targeted risk analyses set how often some controls must be performed) and to allow flexibility in how a requirement is met. Alongside the traditional ‘defined approach’, a ‘customized approach’ lets you meet a requirement’s stated objective with a different control, provided you can demonstrate its effectiveness to your assessor.
How does PCI-DSS affect my business?
The PCI-DSS standards apply to companies responsible for storing, processing, and transmitting cardholder data and/or sensitive authentication data.
Ecommerce businesses that carry out any of these activities must follow the PCI-DSS requirements. Compliance helps protect organizations and their consumers from data breaches and payment card fraud.
Reporting levels of PCI
Now, let’s look at PCI DSS from an assessment perspective. Merchants are placed into one of four levels according to the number of card transactions they process per year. You don’t pick the level yourself: your acquirer assigns it under the card brands’ rules, and a merchant that suffers a breach can be escalated to Level 1 regardless of volume. The thresholds below are Visa’s; the other brands use similar bands.
- Level 1 – more than 6 million transactions per year
- Level 2 – 1 to 6 million transactions per year
- Level 3 – 20,000 to 1 million ecommerce transactions per year
- Level 4 – fewer than 20,000 ecommerce transactions per year (or up to 1 million transactions in total)
PCI-DSS compliance validation
Each payment card brand runs its own compliance enforcement program, but the validation mechanics are shared. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) or a trained internal assessor, documented in a Report on Compliance (ROC). Levels 2 to 4 can usually self-certify with a Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how you take payments. An ecommerce merchant that fully outsources the payment page (a hosted checkout or an iframe served by a PCI DSS compliant provider) can typically use the short SAQ A, while one whose own site affects the security of the payment page falls under the much longer SAQ A-EP. Where your SAQ type includes Requirement 11 (SAQ A-EP and SAQ D do; check the eligibility criteria for SAQ A under the version you are assessed against), you also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). In every case, the result is an Attestation of Compliance (AOC) that you submit to your acquirer.
What is the risk of not complying with PCI?
The risks of not complying with PCI-DSS are serious. A data breach has immediate and potentially long-lasting consequences for your business. It can affect its financial health, cash flow, and reputation.
If your business doesn’t comply with PCI-DSS, you could face:
- Fines and penalties issued by payment providers
- Suspension of your ability to accept card payments
- Liability for fraud charges
- Legal action from customers affected
- Costs to address the security breach
- Reputational damage leading to loss of revenue
This paints a pretty grim picture. But it’s important to remember that the primary goal of PCI compliance is to protect your customers’ payment details. Making that your primary goal also helps your brand gain credibility and nurtures trust in your payment journey.
How to be PCI compliant: a 12-step checklist
There are six key goals for PCI-DSS compliance, which are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access-control measures
- Regularly monitor and test networks
- Maintain an information security policy
Within these six areas, there are 12 PCI DSS requirements (the titles below are the v4.0 wording). Consider this your PCI DSS compliance checklist:
- Requirement 1 – Install and maintain network security controls
- Requirement 2 – Apply secure configurations to all system components
- Requirement 3 – Protect stored account data
- Requirement 4 – Protect cardholder data with strong cryptography during transmission over open, public networks
- Requirement 5 – Protect all systems and networks from malicious software
- Requirement 6 – Develop and maintain secure systems and software
- Requirement 7 – Restrict access to system components and cardholder data by business need to know
- Requirement 8 – Identify users and authenticate access to system components
- Requirement 9 – Restrict physical access to cardholder data
- Requirement 10 – Log and monitor all access to system components and cardholder data
- Requirement 11 – Test the security of systems and networks regularly (this covers vulnerability scanning, penetration testing, detection of rogue wireless access points and change detection, not penetration testing alone)
- Requirement 12 – Support information security with organizational policies and programs
You can use this as a helpful checklist to ensure your business covers each requirement. Remember that this is not a ‘one-and-done’ project. Regularly test security systems to ensure compliance and minimize the risk of a data breach.
It’s also worth noting that these are the minimum standards that must be met. So there’s much, much more you could do.
If you’re thinking, why would I want to do more? Then consider this: 51% of consumers in a 2023 Primer survey worried about how safe online transactions are.
Concerns about payment security impact purchase rates. That’s because consumers won’t complete a transaction if they don’t trust you with their payment details. This will increase your cart abandonment rate, affecting your business’s long-term success.
How much does PCI compliance cost?
IBM’s Cost of a Data Breach Report 2023 puts the global average cost of a data breach at $4.45 million. This alarming figure helps most people focus on making PCI compliance a priority for their business (if they haven’t already).
Beyond the cost of a breach, PCI compliance itself requires a decent budget to align your company’s operational and security procedures with the standard.
So we come to the big question. How much will it cost? The cost of being PCI-DSS compliant varies considerably based on a few factors. These factors include:
- Your business type
- The size of your organization
- Your existing security culture
- Your organization’s environment
- Whether you have dedicated PCI personnel
- Whether your acquirer covers the cost
With so many variables, it’s hard to say how much PCI compliance costs.
If you’re starting from scratch with your PCI compliance journey, it’s likely to cost you more than a company that’s already made some headway. But given the serious consequences of non-compliance, you don’t have a choice.
How to be PCI compliant with Primer
We’ve explained throughout this article how to become PCI compliant. But there’s a shortcut: work with a partner like Primer that takes most of the PCI compliance burden off your business.
Our Universal Checkout securely captures payment method data and sends it straight to Primer’s tokenization service, which is assessed as a PCI DSS Level 1 service provider. The sensitive data is replaced with a payment method token, a surrogate value that your systems can store and use but that is of no use to an attacker on its own. Because card data never touches your servers, most of your environment drops out of PCI DSS scope, which is what makes the lighter SAQ A route possible; you remain responsible for validating your own compliance and for protecting the page that embeds the checkout.
Using secure payment method tokens paired with a customer ID, Primer’s Vault enables:
- Recurring merchant-initiated payments
- A seamless one-click experience for your customers with Universal Checkout
Learn more about saving payment methods using Primer’s Vault to get a better handle on how this feature delivers a better customer payment journey.
Final thoughts
The benefits of working with a PCI compliance expert can far outweigh the cost. Together, we help merchants navigate complex payment problems and facilitate a smoother PCI compliance journey.
Want to learn more about how Primer can help your business? Get in touch with our payment experts.