
PCI Compliance Checklist: The Essential Steps to Achieving Information Security


Jun 25, 2015


Rules exist in the business world for a reason. They keep things in order. And when it comes to your business finances and data, the right rules can keep your business safe from hackers, thieves and the rest of the not-so-honest among us. 

Payment Card Industry (PCI) guidelines are one of those sets of business rules designed to protect your assets. While some of these guidelines may be challenging for those with a non-technical background, full PCI compliance is integral to the security of your business. If you're new to PCI, here's a simple checklist to get you started on the road to safer business transactions.

PCI Data Security Standards (PCI DSS) and what they mean for business

PCI DSS—also known as the Payment Card Industry Data Security Standard—is an ongoing process designed to keep business data secure when a store, service provider or website accepts credit card payments from customers. PCI DSS is built around 12 basic rules, related to how data is stored, accessed, transferred or discarded. The six most basic of these rules require companies to:

  • Use effective security software solutions. A simple antivirus software package won’t hold up; implement a layered hardware and software solution that includes secure firewalls.
  • Choose strong passwords on EVERYTHING—this includes routers and webcams, too.
  • Create strict policies on who can access sensitive data.
  • Encrypt all stored data.
  • Implement information security awareness and risk management procedures. If a disaster occurs—and this happens from time to time—make sure there is a way to recover the data affected so that it isn’t lost for good.
  • Monitor and test frequently to track access to cardholder data.

Additionally, credit card companies may require an on-site visit to your business to validate PCI compliance, and to conduct a network scan by an approved scanning vendor.

Data Breaches and Penalties

Rules are different than laws. If you don’t comply with PCI DSS, you most likely won’t get put in jail, but you might face a stiff PCI compliance fine. Even worse, non-compliance may lead to a severe security breach for your company. The truth is, most companies with low or nonexistent PCI compliance levels probably won’t be in business for very long. After all, it’s difficult for a business to survive without the trust of its customers. And those companies that do face data and security breaches will have a long, uphill road to climb to make things right with their customers and their public image.

Remember a few years back, when Target’s customers’ credit cards were compromised? Or just last year when Sally Beauty Supply had a breach on its network? Data breaches have skyrocketed over the last 10 years, and in 2012 alone, resulted in nearly $12 billion worth of damages.

The best way to protect your business—and your customers—from credit card breaches is with proper PCI compliance training, which educates all employees on the dangers of non-compliance to ensure that breaches are preventable. But if your company falls short every once in a while and doesn’t comply with a PCI standard, there are punishments in place to remedy the situation—hopefully before a significant data breach occurs.

PCI Compliance Fees and Fines

Mistakes happen. Guidelines get overlooked. Standards sometimes get pushed to the side. We’re all busy, after all! But when these things happen, consequences are imminent. PCI compliance fines are around to keep companies in check—and as a safeguard against data breaches. These fines range from $5,000 to $100,000 per month, in addition to any fees needed to get a company back on track.

Another consequence of non-compliance is that a bank may terminate its relationship with you or impose increased transaction fees. And for small businesses that rely on low transaction fees, this has the potential to close operations down for good.

A recent study conducted by Verizon discovered that while most businesses are PCI compliant in their first year of operation, those levels start to drop as time goes on. According to the study, only 11.1 percent of businesses remained compliant between each formal assessment—mainly as a result of the ongoing PCI DSS compliance process.

PCI Education is Crucial to Maintaining Compliance

As mentioned above, one of the best ways to stay PCI compliant—and to avoid dangerous security breaches and costly fines—is to conduct company-wide PCI security awareness training. Informed employees tend to make better—and safer—decisions that not only protect sensitive data, but lower the risk of a security breach and increase the company’s revenue.

Your PCI Compliance Checklist

To help you ensure your company adheres to these guidelines, we’ve compiled a PCI compliance checklist to keep you on point—and away from costly penalties and fines.

Regularly test security systems and compliance processes
In 2013, only four out of ten companies met this requirement. But on the bright side, it jumped nearly threefold from the compliance levels recorded the previous year. It’s easy for merchants to turn to outside vendors for assistance in meeting security requirements, but when it comes down to it, your company is responsible for itself. If you choose to outsource your liability, you have to be willing to accept the risks that come along with that decision.

Don’t use default passwords or security parameters
Simple, right? So simple, that you’d expect more than 51 percent of companies to be fully compliant with this requirement, but unfortunately, that’s not the case. One of the biggest issues here is that old systems that have been around for years historically weren’t made to include advanced security measures. And as we can imagine, revamping those systems to meet 2015 security standards can be costly and cumbersome. Do it anyway!

Monitor the access to network resources and cardholder information
As we mentioned, mistakes happen. You can be 100% compliant and still face a data breach—though you’re not nearly as likely to if your company meets PCI DSS standards. But one easy way to protect your information and your customers’ data is to track and monitor all of the access given to that sensitive information.

Additionally, it’s important to make sure that anyone who has access to your system has their own, separate and auditable account. That way, if there is a breach, it will be easier to determine which account(s) were compromised. All accounts should feature strong, unique passwords and two-factor authentication to add another layer of security. In the previously mentioned Verizon study, nearly three-fourths of all security breaches were reported as the result of weak or stolen credentials.

PCI compliance training and PCI education
We can’t emphasize this step enough: an aware employee is more likely to be a compliant employee. And a compliant employee can save your business and your customers a lot of money and a lot of headaches. Invest in training courses, and make sure all employees—from the C-Suite to the cashiers—are aware of the guidelines and any changes that are made in the future. As we’ve noted, PCI DSS is a constant; so it’s imperative to your success and security to stay abreast of these standards at all times. When they adapt, you adapt!

Set up a firewall
Although it is perhaps the most basic of security measures, over 30 percent of companies still lack constant firewall protection. A firewall works when it’s set up—and fully functional—at all times. Not just after a breach or when your company is being audited. Verizon reported that only 12.5 percent of data breaches occurred at companies that had a fully compliant firewall in place. Talk to your tech guru to get a firewall set up ASAP.

Write it down
Your company most likely has a lot of moving parts. All companies do. That’s why it’s extra important to keep written documentation of all system activities, who has access to what and when, and a complete audit trail to demonstrate to an auditor that your company and your employees are PCI compliant. Regularly reviewing this information could also serve as a way to prevent security breaches before they happen, and can also help in maintaining an ongoing PCI DSS regimen.

Limit access control
Access to sensitive data (like credit card numbers, social security numbers, etc.) should be limited to ONLY those employees who need it. Companies need to establish control over the creation and removal of access, while also providing daily reports and real-time alerts of any modifications. One area to pay close attention to while auditing access is any change made by an admin account that gives higher levels of access to themselves or others.
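One way to implement the alerting described above (and the per-user auditable accounts from the monitoring step), as an added example that is not part of the original post: a small script that scans access-change log lines and flags every grant of an elevated role, singling out an admin granting higher access to themselves. The log format, the sample entries and the set of roles treated as elevated are all constructed for this example.

```python
"""Flag privilege-escalation events in an access-change audit log.

Added example, not from the original post. The log format, the field
names, the elevated-role set and the sample lines are all constructed.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts actor action target role")

# Constructed format: <ts> actor=<user> action=<grant|revoke> target=<user> role=<role>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) role=(?P<role>\S+)$"
)

# Roles treated as elevated access to cardholder data (assumption for the example).
ELEVATED_ROLES = {"admin", "dba", "cardholder-data-read"}


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return Event(**m.groupdict()) if m else None


def find_escalations(lines):
    """Return (event, reason) pairs for every grant of an elevated role.

    A self-grant (actor == target) gets its own reason because it is the
    case the checklist calls out: an admin raising their own access.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "grant" or ev.role not in ELEVATED_ROLES:
            continue  # malformed, a revoke, or a grant of an ordinary role
        reason = "self-grant" if ev.actor == ev.target else "elevated-grant"
        findings.append((ev, reason))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "2015-06-25T09:01:00Z actor=jsmith action=grant target=jsmith role=admin",
    "2015-06-25T09:02:10Z actor=jsmith action=grant target=mlee role=cashier",
    "2015-06-25T09:05:42Z actor=rwong action=grant target=tkim role=cardholder-data-read",
    "2015-06-25T09:06:00Z actor=rwong action=revoke target=tkim role=admin",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for ev, reason in find_escalations(SAMPLE_LOG):
        print(f"{ev.ts} {reason}: {ev.actor} granted {ev.role} to {ev.target}")
```

Feeding these findings into a daily report or a real-time alert is the part the checklist asks for; the script only produces the events worth reporting.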

Monitor all changes
We can’t emphasize it enough: the more frequently you change things up, the less likely your system is to become impaired or hacked by an outside party. But make sure you track all moves when you’re reconfiguring and changing access controls. Switching up your auditing methods helps to provide a complete audit trail with detailed access information. This makes it easier to spot areas that aren’t secure, and also lets you take proactive precautions where PCI is concerned.

PCI compliance isn’t necessarily fun, but it is necessary if you want to conduct business without breaches. Give your employees the most complete PCI education possible and you’ll be able to rest easy knowing that your company, your clients and all payment card data stays safe and sound.  
