PCI Data Security Standard Checklist

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If you accept or process payment cards, PCI DSS applies to you. (Source: https://www.pcisecuritystandards.org)

What is PCI DSS?

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.


Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

What is PCI Compliance?

The PCI Data Security Standard (PCI DSS) includes general practices, such as restricting access to cardholder information and requiring strong, non-default passwords, as well as more in-depth practices like encryption and the use of a firewall.

The PCI Security Standards Council is a global organization formed by major credit card companies, including Visa, Mastercard, Discover, and American Express.

If you operate an ecommerce site, PCI compliance is mandatory. It is not dictated by the volume of transactions or restricted solely to storage, transmission, and processing; it applies to any business that allows credit card payments.

With PCI, everything is about reducing the attack surface. For an ecommerce site, this specifically involves the Card Data Environment (CDE) – the manner in which you handle credit cards on your site. The requirements as set forth by PCI DSS.

Small merchants are not excluded from these requirements. Unprotected ecommerce websites are prime targets for data thieves. If sensitive customer data or cardholder information is stolen from a website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.

What Happens If You’re Not PCI Compliant?

If a merchant is found to be non-compliant with the PCI DSS, there can be a variety of penalties and consequences, ranging from fines and lost time to reputation damage.

1 PCI Non-Compliance Fines

Non-PCI-compliant websites can suffer hefty penalties from payment industry regulators if customers experience fraudulent transactions. The average cost of a data breach for a small business is $86,500, with enterprise organisations paying $4 million.

2 GDPR Regulation

Under GDPR, any business that experiences the breach of EU residents’ personal information has 72 hours to notify supervisory authorities or risk facing heavy fines. This regulation joins a number of US federal and state laws which hold organisations accountable for the security of customer data.

3 Suspension of Credit Cards

Perhaps worse than fines, the ability to accept credit card payments may be revoked. The PCI standards are created by the major credit card companies, and this is their defense against irresponsible merchants. If a data breach occurs for your ecommerce store, the PCI council can revoke the privilege of using their payment cards.

4 Mandatory Forensic Examination

Merchants suspected of a data breach are required by the PCI DSS to undergo a mandatory forensic examination, which means hiring professionals and conducting a time-consuming investigation. A small business examination may cost between $20K and $50K.

5 Notification and Credit Monitoring

If a compromise of financial information is suspected, a number of states require the merchant to notify customers and inform them of the breach. Merchants may also need to provide up to a year’s worth of credit monitoring or counselling services to affected customers.

6 Liability for Fraud Charges

Lawsuits may seek to hold merchants liable for security breaches. It is important to emphasize that protecting your customers’ sensitive information is your responsibility as a business owner. That is why having a secure website is vital.

7 Credit Card Replacement Costs

Card issuers may require merchants to pay the cost of reissuing credit cards, which includes shipping, activation, and communication to the customer. These fees can range from $3 to $10 per card.

8 Reassessment for PCI Compliance

In order for a website to accept credit card transactions again, a complete PCI reassessment by an external Qualified Security Assessor (QSA) must be performed.