PCI Compliance Checklist—Keeping Your Customers Safe
Updated · Mar 04, 2023
With many businesses moving online, security around payment processing has slowly improved, but not without significant effort.
If you’re going to be selling online, and accepting credit cards, you need to make sure you’re Payment Card Industry (PCI) Compliant.
Join us as we run through a checklist of everything you need.
PCI Compliance Checklist
The checklist is generally made up of twelve items in total, but we’ve condensed it a tiny bit, uniting a couple of points that cover various aspects of the same thing. They cover everything from online security to restricting physical access to card users' data.
- Use firewall
- Use secure passwords
- Deploy protection
- Protect stored data
- Encrypt stored data
- Restrict access on all levels to stored data
- Restrict, track, and monitor user access
- Develop and test security systems and processes
- Develop and maintain security policy
The first requirement is as basic as can be and a good idea for personal use too. You must ensure that you have a solid firewall controlling access to your site. It should reject any suspicious activity patterns originating from untrustworthy hosts and networks.
Make sure to review the configuration every few months, and be ready to assist if any legitimate connections are being blocked.
2. Change Default Passwords
A common oversight when it comes to digital security is passwords.
Many people stick with some default combinations, which are easy to remember because they’re common. The flip side is that they’re also easy to crack.
24% of Americans have passwords like “password” or “123456.”
Ideally, passwords should be unique and complex. You should also change them every few months. For the easiest solution, simply get a good password manager.
3. Use Up to Date Antivirus & Malware Protections
According to PCI compliance regulations, you need to have up-to-date antivirus programs running at all times.
Even if your systems are protected against manual intrusion, viruses can find their way through various exploits. All it takes is an inattentive worker clicking on the wrong link. And as your site grows, it may become the target for intrusion.
4. Protect Cardholder Stored Data
This requirement refers to securely storing cardholder data.
It’s fairly broad, and some of the other requirements feed into it. Generally, data should be stored in a secure cloud or onsite in a secure place.
Moreover, any systems or applications implemented or developed in-house need to be secure.
5. Encrypt All Transmission of Cardholder Data
Somewhat related to the previous PCI requirement, data must be encrypted when being transmitted. This means that the forms on which users place their data must be secure, straight through to where it’s stored.
Ideally, the data shouldn’t be readable by humans, but some information such as card expiration dates and billing addresses may need to be.
On that note…
6. Restrict Access to Cardholder Data
Access to cardholder data should be heavily restricted. In essence, employees should only have access if they absolutely need it.
An efficient way to monitor access is by assigning a unique ID to each employee, even those that cannot read cardholder data.
As a limited number of employees will have access, their accounts must be secure, which leads to the next point.
This PCI regulation covers physical systems too.
For example, if you have servers on-site, only authorized employees should have keycards to access the rooms/cabinets that hold them.
These three points - limited access, unique employee IDs, and restricted physical access - are usually presented separately, but they all tie into the same thing: give access to only those who need it and monitor all activity.
7. Track and Monitor User Access
Of course, it’s essential to monitor your systems constantly.
While only a few trusted employees may have access, PCI compliance requirements dictate that access must be tracked and monitored. This is good for general oversight but will also assist in investigations should something happen.
Tracking and monitoring access to cardholder data specifically is also a requirement. A log system that records the times at which the system is accessed should be in place.
8. Develop & Test Security Systems and Processes
None of this can be adequately done without testing every system and process. In order to be PCI compliant, you need to test your systems and processes for vulnerabilities regularly.
When you find them, you need to patch them promptly.
As a side note, PCI regulations aside, in the event of a breach, you need to notify users as soon as possible so they can take the necessary action to protect themselves.
9. Develop & Maintain an Information Security Policy
Finally, you must maintain a policy focused on information security.
This will act as a best practices guide for yourself and your company, organize the responsibilities of employees, and act as a reference should you need to undergo an audit.
A Simple Path to Secure Payment Processing
The prospect of maintaining systems, testing them, and undergoing a PCI audit is daunting, so there is a more straightforward path to handling payments for small to medium businesses.
Rather than handling payments yourself, consider using a payment gateway. These software solutions are maintained by vendors who will ensure their systems are PCI compliant, and so you will be too by using them.
You will, however, have to fill out a self-assessment form, but it’s far less intensive than a full audit.
Procuring PCI compliance requires time and, more often than not, a more advanced hosting solution that can provide the necessary security and setup. For smaller operations, going straight to a payment gateway might be more financially sound.
This PCI compliance checklist is important to understand, whether you’ll be handling card data or simply as a reference, so you can pick the best partner to do it for you.
It’s possible to dive into many things in ecommerce and learn as you go, but this certainly isn’t one of them.
You need to be sure from the start that your users’ card information is safe and secure.
We have on this page
Garan is a writer interested in how tech reshapes the environment, and how the environment reshapes tech. You'll usually find him inoculating against future shock and arguing with bots.