We know what you’re thinking. The word ‘compliance’ fills most people with dread, evoking images of endless paperwork and more jargon than you can shake a stick at. This alone is enough to strike fear in the hearts of any ecommerce business.
So, to save you from this fate (and minimize risk to your business), we’re bringing you this 12-step PCI DSS compliance checklist. If you’re new to PCI compliance, you’re probably asking yourself:
What is PCI compliance?
Why is PCI compliance important for my business?
What happens if my business isn’t compliant?
How do I become PCI compliant?
How much does PCI compliance cost?
We’ll answer these questions and more to give you the full low-down on how to be PCI-DSS compliant.
PCI-DSS is short for Payment Card Industry Data Security Standard. It’s a global set of security requirements devised by the PCI Security Standards Council to keep cardholder data secure and out of the hands of cybercriminals.
PCI-DSS was created to bring consistency across the major credit card companies’ security programs. Version 1.0 was released in December 2004, and subsequent versions have followed since. Right now, the industry operates under version 3.2.1.
In a nutshell, PCI-DSS sets out the technical and operational security requirements needed to protect payment data. Let’s take a closer look.
Although the financial services industry currently operates under version 3.2.1, that version will be retired on March 31, 2024. Version 4.0 has already been released, so it’s a good idea to get familiar with the new requirements now and plan and implement the changes needed.
The latest version of PCI-DSS includes some important changes to security systems and processes. These aim to promote security as a continuous process and build greater flexibility for different approaches.
The PCI-DSS standards apply to companies responsible for storing, processing, and transmitting cardholder data and/or sensitive authentication data.
Ecommerce businesses that carry out any of these activities must follow the PCI-DSS requirements. Compliance helps protect organizations and their consumers from data breaches and payment card fraud.
Now, let’s look at the PCI-DSS requirements from an assessment perspective. For merchants, there are four different compliance levels. You must pick the appropriate level based on the volume of transactions your organization processes yearly.
Level 1 – 6 million+ transactions per year
Level 2 – 1 to 6 million transactions per year
Level 3 – 20,000 to 1 million transactions per year
Level 4 – Less than 20,000 transactions per year
Each payment card brand maintains its own separate compliance enforcement program. PCI-DSS compliance validation includes testing procedures for each PCI-DSS requirement, plus reporting. The report is usually either a PCI-DSS Report on Compliance (ROC) or a PCI-DSS Self-Assessment Questionnaire (SAQ).
The risks of not complying with PCI-DSS are serious. A data breach has immediate and potentially long-lasting consequences for your business. It can affect its financial health, cash flow, and reputation.
If your business doesn’t comply with PCI-DSS, you could face:
Fines and penalties issued by payment providers
Suspension of your credit card usage privileges
Liability for fraud charges
Legal action from customers affected
Costs to address the security breach
Reputational damage leading to loss of revenue
This paints a pretty grim picture. But it’s important to remember that the primary goal of PCI compliance is to protect your customers’ payment details. Making this your primary goal will help your brand gain credibility and nurture trust in your payment journey.
There are six key goals for PCI-DSS compliance, which are:
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
Implement strong access-control measures
Regularly monitor and test networks
Maintain an information security policy
Within these six areas, there are 12 PCI-DSS requirements. Consider this your PCI-DSS compliance checklist:
Install and maintain network security controls
Apply secure configurations to all system components
Protect stored account data
Protect cardholder data with strong cryptography during transmission over open, public networks
Protect all systems and networks from malicious software
Develop and maintain secure systems and software
Restrict access to system components and cardholder data
Identify users and authenticate access to system components
Restrict physical access to cardholder data
Log and monitor all access to network resources
Carry out penetration testing of systems and networks regularly
Create an information security policy
You can use this as a helpful checklist to ensure your business covers each requirement. Remember that this is not a ‘one-and-done’ project. Regularly test security systems to ensure compliance and minimize the risk of a data breach.
It’s also worth noting that these are the minimum standards that must be met. So there’s much, much more you could do.
If you’re wondering why you would want to do more, consider this: 51% of consumers in a 2023 Primer survey worried about how safe online transactions are.
Concerns about payment security impact purchase rates. That’s because consumers won’t complete a transaction if they don’t trust you with their payment details. This will increase your cart abandonment rate, affecting your business’s long-term success.
IBM reported that the global average cost of a data breach in 2023 is $4.45 million. This alarming figure helps most people focus on making PCI compliance a priority for their business (if they haven’t already).
But in all seriousness, PCI compliance requires a decent budget to align your company’s operational and security procedures to the standards set.
So we come to the big question. How much will it cost? The cost of being PCI-DSS compliant varies considerably based on a few factors. These factors include:
Your business type
The size of your organization
Your existing security culture
Your organization’s environment
Whether you have dedicated PCI personnel
Whether your acquirer covers the cost
With so many variables, it’s hard to say how much PCI compliance costs.
If you’re starting from scratch with your PCI compliance journey, it’s likely to cost you more than a company that’s already made some headway. But given the serious consequences of non-compliance, you don’t have a choice.
We’ve told you throughout this article how to become PCI compliant. But there’s a shortcut: work with a partner like Primer that solves PCI compliance for your business.
Our Universal Checkout securely captures payment method data and communicates with our PCI-L1 tokenization service. In short, we transform sensitive customer data into a secure uniform string called a payment method token.
Using secure payment method tokens paired with a customer ID, Primer’s Vault enables:
Recurring merchant-initiated payments
A seamless one-click experience for your customers with Universal Checkout
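To make the tokenization idea concrete, here is an added example written for this article; it is not Primer’s code and does not describe how Primer’s tokenization service or Vault is actually built. It assumes a hypothetical `TokenVault` class that stands in for the tokenization service, tokens that are random strings prefixed `tok_`, and a merchant record that keeps only the token and the last four digits for display. The card number used is the well-known `4111 1111 1111 1111` test number, and the `contains_pan` helper shows the kind of scope check a defender can run over exported data to confirm that no full card numbers are being stored outside the vault.

```python
"""Added example (not Primer's code): a toy tokenization vault and a scope check.

Assumptions (hypothetical, not from the article): a TokenVault class stands in
for the tokenization service, tokens are random 'tok_' strings, and the
merchant keeps only the token plus the last four digits.
"""
import re
import secrets

# Any run of 13-19 digits not adjacent to other digits is a PAN candidate.
# Real scanners also normalise spaces and dashes; this one deliberately stays simple.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: filters typos and random digit runs, not proof of a live card."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the tokenization service: the only place a full PAN lives."""

    def __init__(self) -> None:
        # token -> PAN. A production vault encrypts this store (requirement 3)
        # and isolates it from the merchant's systems, which is what shrinks PCI scope.
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        """Accept a card number, keep it inside the vault, hand back a token plus a display hint."""
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # The token is random, so nothing about the PAN can be recovered from it;
        # the same PAN tokenized twice yields two unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pans[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) resolves a token, e.g. when charging the acquirer."""
        return self._pans[token]


def merchant_record(customer_id: str, token_info: dict) -> dict:
    """What the merchant persists: customer id, token and a masked display value. No PAN, no CVV."""
    return {
        "customer_id": customer_id,
        "payment_method": token_info["token"],
        "display": "**** " + token_info["last4"],
    }


def contains_pan(text: str) -> bool:
    """Scope check: True if any Luhn-valid 13-19 digit run appears in the text."""
    return any(luhn_valid(m.group()) for m in PAN_CANDIDATE_RE.finditer(text))


def demo() -> tuple[dict, bool]:
    """Run the flow end to end: tokenize, build the merchant record, scan it for card numbers."""
    vault = TokenVault()
    info = vault.tokenize("4111 1111 1111 1111")   # constructed test card number
    record = merchant_record("cust_demo", info)
    return record, contains_pan(str(record))


if __name__ == "__main__":
    rec, leaked = demo()
    print(rec)
    print("full card number present in merchant record:", leaked)
```

The point to take from the example is the scope boundary: the merchant-side record can be stored, logged and backed up without ever holding cardholder data, and a scan like `contains_pan` over a database export or log file is a cheap way to catch the opposite situation, where a full card number has crept into a system that was supposed to be out of scope.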
Learn more about saving payment methods using Primer’s Vault to get a better handle on how this feature delivers a better customer payment journey.
The benefits of working with a PCI compliance expert can far outweigh the cost. Together, we help merchants navigate complex payment problems and facilitate a smoother PCI compliance journey.
Want to learn more about how Primer can help your business? Get in touch with our payment experts.