What Are The 12 Steps of PCI Compliance?

And Why Must Merchants Comply?

Why do merchants have to do annual PCI compliance?

The major card brands (Visa Inc., MasterCard, American Express, and JCB International) share one main concern: ensuring the safety of their cardholders' sensitive payment information. After all, if the payment information held on the card isn't safe, cardholders won't use the card. So each brand created its own set of security standards for merchants accepting its cards. But this disparity in standards soon became an issue for merchants accepting several card brands, as most merchants do.

Complying with multiple security programs was difficult for merchants, leading to rampant non-compliance. It became clear there needed to be a unified set of security standards for merchants to follow. So, in 2006, the major card brands came together and founded the PCI Security Standards Council (PCI SSC). They created the PCI SSC with a mission to “enhance global payment account data security… and support the needs of the global payments industry”.  


The Security Standards Council is now a global body charged with developing security standards for safe payments worldwide. The Council is responsible for creating an environment that promotes and supports security throughout the global payment transaction realm, for continuing to evolve those standards to meet the current fraud risk environment, and for helping drive adoption of those standards.

In order to do this, they invite and encourage industry stakeholders to join the council. To make it easy, they’ve created multiple ways for participating organizations to do so. A few of the membership levels include Strategic and Strategic Regional Members, Affiliate Members, and Participating Organizations.

Creating multiple levels of involvement keeps the forum open to collaboration from all sectors of the payments industry. This allows members to contribute to security standard maintenance and development as security technology evolves.

Why are merchants required to comply?

PCI wants to create a “united, global response to fighting payment card data compromise.” The goal is to protect the entire payment card ecosystem from fraud and cybercrime. It would be impossible to do that without enlisting the help of all entities operating within that environment. That includes all merchants accepting card payments. But it also includes the banks and service providers that process the card payment transactions. And it includes any third-party vendors and apps involved with handling payment card data.

The card brands have made it a requirement for anyone handling card payment information to protect that data. The requirement states that “everyone storing, processing, or transmitting cardholder data” must follow the PCI’s specific set of Data Security Standards.

The goal of the standards is to help merchants better understand and implement the technical and operational policies they need to follow to secure and protect sensitive card data. To accomplish this, the Council created a set of 12 requirements that spell out how to keep sensitive card data protected.

Businesses that accept credit cards are the first line of defense against fraud attacks. They’re on the front lines. And each individual business is responsible for their workflows and systems.

If there were no set standards, that could look very different from one business to another. Some will employ P2PE, tokenization, and scan for vulnerabilities. Others might think a simple firewall and anti-virus software is enough.

Larger corporations often have IT departments that develop and maintain security protocols. But small businesses rarely have the funds or manpower for a dedicated security team.

Small businesses often believe they're not a target for fraud due to their size. But it’s their lack of focus on security that makes them a prime target, and fraudsters exploit that situation regularly.

How do you know if you're meeting your PCI Data Security Requirements?

Fortunately, small merchants have a full set of resources and tools waiting for them on the PCI security standards website. The council has created Security Essentials Resources for Small Merchants to help them “simplify their security and reduce their risk.” Small merchants can even use a Data Security Essentials Evaluation Tool to perform a preliminary evaluation of their systems to see where they stand in meeting security basics.

Businesses of all sizes must be continually compliant, and they must validate that compliance annually. But it is not the responsibility of the PCI SSC to enforce PCI compliance. That responsibility is left to the banks and acquirers processing the transactions. While this should not be a business’s main motivation for complying with security standards, merchants can be fined and penalized for remaining out of compliance.

Making sure you’re meeting all PCI DSS requirements is the best way to ensure cardholder data is being handled safely and securely. Performing your compliance duties is also the best way to expose any weaknesses in your security measures that need to be tended to. When implemented and updated properly, these measures help to protect the entire payment ecosystem from breach and theft of sensitive data.

Determine your Merchant Security Level.

The SSC divides merchants into 4 compliance levels. Level 1 is the highest security level, with Level 4 being the lowest. Your merchant level will determine your level of data security requirements. And it will also determine the steps you must follow to validate your compliance.

First, figure out which compliance level your business falls under. Then make sure your business is compliant with each requirement, and follow the steps to validate compliance annually. Merchant levels are defined by the total volume of Visa transactions in a 12-month period.

Level 1 Merchant - processes more than 6 million transactions in a 12-month period.
Annual requirements:

  • Must have an assessment done by a Qualified Security Assessor (QSA)
  • The QSA will then file a Report on Compliance (ROC) with the PCI SSC to prove compliance.
  • Must submit an Attestation of Compliance (AOC) form.

Level 2 Merchant - processes 1 to 6 million transactions in a 12-month period.
Annual requirements:

Level 3 Merchant - processes 20,000 to 1 million Visa eCommerce transactions in a 12-month period.
Annual requirements:

  • Complete a Self-Assessment Questionnaire (SAQ)
  • Submit an Attestation of Compliance (AOC)

Level 4 Merchant - processes fewer than 1 million Visa transactions, or fewer than 20,000 Visa eCommerce transactions, in a 12-month period.
Annual requirements:
What are the 12 steps of PCI Data Security Standards?

The PCI Data Security Standard (PCI-DSS) covers 6 basic security categories involved in the payment processing environment. Within those 6 categories are 12 basic requirements that help merchants establish and maintain a secure environment for processing cardholder data. The 6 categories are referred to as “milestones”; a merchant reaches a milestone once it has met the requirements grouped under it.

Here are the PCI-DSS 6 milestones with their corresponding 12 requirements:

Milestone 1: Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Milestone 2: Protect Cardholder Data

  3. Protect stored cardholder data with encryption.
  4. Encrypt transmission of cardholder data across open, public networks.

Milestone 3: Maintain a Vulnerability Management Program

  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.

Milestone 4: Implement Strong Access Control Measures

  7. Limit access to system components and cardholder data to only those individuals whose job requires such access.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Milestone 5: Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Milestone 6: Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel.

While these security measures may seem over the heads of many merchants, many come standard with your merchant account. Others are the sort of “common sense” practices that most people already follow.

Firewalls are an essential part of anyone’s computer security, for businesses and home users alike. Using unique, strong passwords is something we already do on a regular basis. Most people are aware that systems and network devices come with usernames and passwords set to a factory default. The requirement simply states that merchants can’t keep these defaults: they must set up unique, strong passwords and keep them secure, which is something most people would do anyway.

Merchants should install anti-virus and anti-malware programs and make sure they are kept up to date. So, as you can see, many requirements involve things we do regularly to protect ourselves from fraud. And most of these things protect against payment fraud in the same way.

But merchants do not have to rely solely on their own resources to achieve PCI compliance.

Fortunately, service providers and financial institutions are also required to adhere to rigorous Data Security Standards. And, when you open a merchant account, you’ll be provided with a 100% secure gateway that adheres to all PCI security standards. All the entities involved in handling payment information adhere to security practices, processes, and technologies. Because of this, many of your PCI security requirements are already met with your payment processing solution. This greatly helps to reduce your responsibilities to meet the requirements. And it makes completing your annual PCI Self Assessment Questionnaire easier, too.

At MonerePay, we take security very seriously. And we understand that, for our merchants, protecting themselves and their customers is a top priority.

Being able to accept payments safely and securely provides the lifeblood for your business. Our gateway is not only a 100% PCI compliant gateway, it is PCI Level 1-certified. A tokenized customer vault not only increases security, it also helps reduce liability. And opting for hosted payment pages goes one step further to assist in reducing PCI security requirement compliance.
And we round it all out with robust fraud protection to help reduce the effort from continued monitoring.

We curated our services with the merchant’s success top of mind. If you're ready to take your business to the next level while keeping your safety and that of your hard-earned customers a top priority, call today.
