The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements, maintained by the PCI Security Standards Council (PCI SSC), that governs how organizations handle credit and debit card data.
It doesn’t matter how large your organization is — or whether it’s a for-profit business or charitable foundation. If you store, transmit, or process payment card data of any kind, you must become (and remain) PCI-compliant.
Failure to do so not only increases your exposure to card fraud and breaches, it also exposes you to non-compliance fines, which your acquiring bank can pass on for every month you remain out of compliance.
How to Pass Your Annual PCI Assessment
PCI DSS compliance is validated annually. Most merchants validate by completing a Self-Assessment Questionnaire (SAQ) about the security of their cardholder data environment; the largest merchants (Level 1) instead undergo an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). Either way, the result is signed off in an Attestation of Compliance (AOC) that goes to your acquiring bank.
In this article, we'll look at how to get through your next assessment quickly and with minimal delays.
Step 1: Determine Your Merchant Level
Although all card-handling organizations must be PCI-compliant, how you validate, and how many requirements apply to you, depends on variables such as:
- Annual credit and debit card transaction volume, which sets your merchant level (each card brand defines its own level thresholds)
- How you accept card data from customers, which determines which SAQ applies
For example, an e-commerce merchant that fully outsources its payment page to a validated third party may qualify for the short SAQ A, while one that hosts its own checkout and handles card-not-present transactions directly must meet far more requirements.
Before doing anything else, work out your merchant level and the SAQ that applies to you. That determines every step that follows.
Step 2: Determine Where Credit Card Data Resides
In order to safeguard payment card data, you have to know exactly where this information resides within your organization’s workflows and infrastructure.
For example, a typical online merchant might deliberately or inadvertently store card data within:
- An e-commerce shopping cart
- A customer loyalty program
- Online bookkeeping software
These represent obvious starting points as you begin looking for vulnerabilities (in later steps).
Equally important, find the places where payment card data exists even though it shouldn't be there.
For example, maybe you have a defunct shopping cart plugin that you no longer use. If it's storing card numbers, securely delete the stored data and remove the plugin.
The same goes for file cabinets, spreadsheets, log files, online databases, or anywhere else sensitive information may reside. If you don't need these files, remove them. Doing so minimizes your overall risk and reduces the scope of your PCI assessment, since every system that stores, processes, or transmits card data is in scope.
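In practice, finding where card data has ended up means scanning exports, logs, and spreadsheets for primary account numbers (PANs). The script below is an added example, not code from the original article: it looks for 13 to 19 digit runs (with optional spaces or dashes), keeps only those that pass the Luhn check every card number must satisfy, and reports each hit in masked form so the scan report itself does not become a new place card data resides. The file names and records are constructed sample data, and the card numbers are the widely published test numbers, not real accounts.

```python
import re
from typing import Dict, Iterator, List, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. Illustrative pattern; a longer
# digit run with a PAN embedded in it will not match.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


class Finding(NamedTuple):
    source: str      # hypothetical file or record name
    line_no: int     # 1-based line within that source
    masked_pan: str  # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9      # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the display masking PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> Iterator[Finding]:
    """Yield a Finding for every Luhn-valid 13-19 digit sequence in text."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                yield Finding(source, line_no, mask_pan(digits))


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory map of file name -> text; swap in real file reads as needed."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample data standing in for a loyalty-program export and a log
# left behind by an old cart plugin. Public test card numbers only.
SAMPLE_FILES = {
    "loyalty_export.csv": (
        "member_id,name,card\n"
        "1001,Alice,4111 1111 1111 1111\n"      # Luhn-valid test PAN: finding
        "1002,Bob,tel 555-0100-0000-000\n"      # phone-like noise, fails Luhn
        "1003,Carol,order 20240101123456789\n"  # 17-digit order id, fails Luhn
    ),
    "old_cart_plugin.log": (
        "2024-01-01 checkout ok pan=5555555555554444 exp=12/26\n"  # finding
        "2024-01-01 checkout ok token=tok_1a2b3c\n"                # tokenized, fine
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.source}:{finding.line_no}: {finding.masked_pan}")
```

The Luhn filter is what keeps the report usable: timestamps, phone numbers, and order IDs are full of 13-plus digit runs, and without it you would drown in false positives. The regex only sees plain text, so exports from databases, spreadsheets, and archives need to be dumped to text (or scanned with a tool that understands those formats) before this approach finds anything in them.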
Step 3: Identify Potential Vulnerabilities
The next step involves looking at your payment environment through the eyes of a would-be attacker. Are there potential vulnerabilities and holes that need to be plugged?
This analysis should include the usual culprits:
- Network firewalls and segmentation between the card environment and everything else
- Antivirus and other anti-malware protection on systems that touch card data
- Unpatched systems and software
However, you should also extend your sweep to employees, vendors, suppliers and third-party plugins (e.g., e-commerce shopping carts).
Each of these represents a potential entry point for criminals.
Step 4: Implement the Appropriate Security Procedures
At this point, you know where payment card data is in your system. You also understand how criminals could potentially gain access to that information.
The next step involves fixing any potential vulnerabilities. This usually includes:
- Installing the appropriate patches, updates, and IT safeguards
- Restricting card data access to a need-to-know basis, across all internal and external personnel
- Training “essential” employees how to properly handle payment card data
- Migrating your payment environment to a PCI-compliant processor (if you haven’t already)
When you've done these, you're ready for the final step: validating compliance, either by completing and signing your SAQ or, if your merchant level requires it, bringing in a Qualified Security Assessor (QSA).
Step 5: Bring in a QSA Specialist
QSAs are independent assessors, employed by firms certified by the PCI Security Standards Council, who evaluate your cardholder data environment against the PCI DSS requirements.
If you're a Level 1 merchant, you aren't validated until a QSA has assessed you and signed off. Smaller merchants self-attest on the SAQ, but many still bring in a QSA to review it before signing.
The QSA you use should be able to help you:
- Identify trouble spots you may have overlooked
- Address any lingering concerns or questions
- Point you to the remediation needed for missing patches and controls
Probably most important, for an on-site assessment your QSA will generate a Report on Compliance (ROC) which, together with the Attestation of Compliance (AOC), goes to your acquiring bank and on to the card brands.
That attestation is what validates you as PCI-compliant until next year's assessment.
Need Additional Information?
Annual PCI assessments may seem overwhelming — especially if you’re a small business owner.
But this requirement is designed to protect you and your customers from fraud and reduce the likelihood of paying punitive fines. The more prep you invest upfront, the smoother your PCI assessment will go.