Get Started

Main Menu

Utility Menu

Call Today

(866) 495-0423
Main Line
(866) 739-8324
US Support
(855) 812-5191
Canada Support

5 Thing to Do Before Completing Your PCI Assessment

Clipboard with 5 check marksThe Payment Card Industry Data Security Standard (PCI DSS) is a broad set of guidelines that govern how organizations should handle credit or debit card information. 

It doesn’t matter how large your organization is — or whether it’s a for-profit business or charitable foundation. If you store, transmit, or process payment card data of any kind, you must become (and remain) PCI-compliant

Failure to do so not only increases your exposure to payment fraud, but it also increases the likelihood of paying hefty fines for every month that you’re not compliant. 

How to Pass Your Annual PCI Assessment 

The Payment Card Industry determines your PCI compliance status through an annual Self-Assessment Questionnaire (SAQ) of your payment environment’s fraud-prevention readiness. 

In this article, we’ll look at how to pass your next SAQ quickly and with minimal delays. 

See New PCI Changes for 2019 and Beyond

Step 1: Determine Your Merchant Level

Although all card-handling organizations must be PCI-compliant, the exact security protocols you need to follow depend on variables such as: 

  • Annual credit and debit card volume 
  • How you collect card data from customers 

For example, e-commerce merchants typically process card-not-present transactions from anonymous shoppers. As such, online merchants must follow more stringent security measures. 

Before doing anything else, you must determine your merchant level. This will inform all future steps throughout the SAQ process. 

Step 2: Determine Where Credit Card Data Resides

In order to safeguard payment card data, you have to know exactly where this information resides within your organization’s workflows and infrastructure. 

For example, a typical online merchant might deliberately or inadvertently store card data within: 

  • An e-commerce shopping cart 
  • A customer loyalty program 
  • Online bookkeeping software 

These represent obvious starting points as you begin looking for vulnerabilities (in later steps). 

Equally important, determine where payment card information exists — even though it shouldn’t necessarily be there. 

For example, maybe you have a defunct shopping cart plugin that you no longer use. If it’s storing credit card information, it’s best to delete that plugin. 

The same goes for file cabinets, spreadsheets, online databases, or anywhere else sensitive information may reside. If you don’t need these files, remove them. Doing so minimizes your overall risk, allowing you to reduce the total scope of your PCI assessment. 

Step 3: Identify Potential Vulnerabilities

The next step involves looking at your payment environment through the eyes of a would-be attacker. Are there potential vulnerabilities and holes that need to be plugged? 

This analysis should include the usual culprits: 

  • Network firewalls 
  • Antivirus protection 
  • Malware safeguards 

However, you should also extend your sweep to employees, vendors, suppliers and third-party plugins (e.g., e-commerce shopping carts). 

Each of these represents a potential entry point for criminals. 

Step 4: Implement the Appropriate Security Procedures

At this point, you know where payment card data is in your system. You also understand how criminals could potentially gain access to that information. 

The next step involves fixing any potential vulnerabilities. This usually includes: 

  • Installing the appropriate patches, updates, and IT safeguards 
  • Restricting card data access on a need-to-know basis — across all internal and external personnel 
  • Training “essential” employees how to properly handle payment card data 

When you’ve done these, you’re ready for the final step — bringing in a Qualified Security Assessor (QSA) to determine and verify your PCI compliance. 

Step 5: Bring in a QSA Specialist

QSAs are independent security specialists who are tested and registered by the Payment Card Industry to assess the data security health of your organization. 

You’re not officially PCI-compliant until you receive a certified stamp of approval from a QSA. 

The QSA you use should be able to help you: 

  • Identify trouble spots you may have overlooked 
  • Address any lingering concerns or questions 
  • Implement missing vulnerability patches 

Probably most important, your QSA will generate a Report of Compliance (ROC) that ultimately gets passed on to the Payment Card Industry. 

That “Report” is what certifies you as PCI-compliant — until next year’s Assessment. 

Need Additional Information?

Annual PCI assessments may seem overwhelming — especially if you’re a small business owner. 

But this requirement is designed to protect you from fraud and reduce the likelihood of paying punitive fines. The more prep you invest upfront, the smoother your PCI assessment will go.

What is PCI Compliance Infographic

Topics: PCI Compliance and Fraud Prevention, Small Business Tips, Getting Started with Payments

Welcome to the BluePay Blog!

Whether you're a small business, an enterprise corporation, a financial institution, or a software partner, we have created a series of blog posts to help you and your customers, learn more about the complex nature of payments. Take a look to learn how payments can help to simplify your business operation, and may even help to grow your revenue.

Recent Posts