Looking for a credit card PCI compliance checklist for ensuring comprehensive and rapid PCI DSS compliance? Then take note of the following information, provided by pcipolicyportal.com, the unquestioned global leaders in providing the very best PCI DSS security policies and templates & compliance services. (One note on terminology before we start: strictly speaking there is no PCI DSS “certification”; an entity validates its compliance, by SAQ or by onsite assessment, to its acquirer or the card brands, and that validation has to be repeated every year.)
- Determine if you are a merchant or service provider. The very first step in understanding PCI DSS compliance is knowing which “bucket” you fall into: merchant or service provider? If you accept payment cards directly for goods or services, such as an e-commerce site or a traditional store with point-of-sale devices, then you are a merchant. A service provider, by contrast, is a business that stores, processes or transmits cardholder data on behalf of another entity, or that provides services which control or could impact the security of that data (hosting providers, managed firewall and security services, payment gateways, and so on). Not being a merchant does not automatically make you a service provider: if you never handle cardholder data for anyone else and never affect its security, you are outside PCI DSS scope altogether. Note also that the two categories are not exclusive; a merchant that also processes card data for other businesses is a service provider for that activity and has to validate for it. More specifically, the Payment Card Industry Security Standards Council (PCI SSC) glossary defines a merchant as an entity “…that accept(s) payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services…” and defines a service provider as a business entity, other than a payment brand, that is directly involved in processing, storing or transmitting cardholder data on behalf of another entity, including companies whose services control or could impact the security of cardholder data. Source: https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_v3.pdf
- Determine which of the PCI DSS levels you fall into. Both merchants and service providers are assigned levels that ultimately determine what road must be taken for PCI DSS compliance: either an onsite assessment by a Payment Card Industry Qualified Security Assessor (PCI-QSA), resulting in a Report on Compliance (RoC), or a Self-Assessment Questionnaire (SAQ), which can be completed internally. The levels are defined by the individual card brands (Visa, MasterCard, American Express, Discover and JCB), not by the PCI SSC, and are driven primarily by annual transaction volume, so the thresholds differ slightly from brand to brand; your acquirer will tell you which level it considers you to be. Merchants range from Level 1 (the largest, typically over six million transactions a year) down to Level 4, while service providers have only Level 1 and Level 2. The vast majority of merchants by count can self-assess, but you need to confirm your level first. Take a look at the following merchant and service provider levels for gaining a greater understanding of where your business stands in terms of reporting for PCI DSS compliance:
- Merchants: http://www.pciassessment.org/pci-dss-framework/merchants
- Service Providers: http://www.pciassessment.org/pci-dss-framework/service-providers
Thus, Level 1 is the most stringent, requiring an annual onsite assessment and RoC, while the remaining levels (2, 3 and 4 for merchants; 2 for service providers) usually just require an annual Self-Assessment Questionnaire (SAQ), along with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where the applicable SAQ calls for them. Keep in mind that an acquirer can always demand more than the minimum, and a card brand may move a compromised merchant up to Level 1 at its discretion, regardless of volume.
- Determine which PCI DSS Self-Assessment Questionnaire (SAQ) to use. Visit pcisecuritystandards.org, and in particular the “SAQ Instructions and Guidelines” document, to gain a greater understanding of the numerous questionnaires that are available for self-assessing for both merchants and service providers. This is quite honestly one of the more challenging and frustrating aspects of PCI compliance. Why? Just look at the number of SAQs an uninformed user has to mine through, hopefully picking the right one. The deciding factor is always the same: how you accept cards, and which of your systems store, process or transmit cardholder data (or could affect its security). In the 3.x versions of the standard the choices are:
- SAQ A: card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to a validated third party and store no cardholder data electronically
- SAQ A-EP: e-commerce merchants whose website does not itself receive cardholder data but does control how it reaches the processor (for example, the merchant’s own page hosts the payment form and posts the card data directly to the processor)
- SAQ B: merchants using only imprint machines and/or standalone dial-out terminals, with no electronic cardholder data storage
- SAQ B-IP: merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage
- SAQ C: merchants with a payment application system connected to the Internet, with no electronic cardholder data storage
- SAQ C-VT: merchants that manually key transactions into a virtual terminal in a web browser on an isolated computer, with no electronic cardholder data storage
- SAQ P2PE-HW: merchants using only hardware payment terminals that are part of a PCI-listed P2PE solution (later 3.x releases rename this SAQ P2PE)
- SAQ D: every merchant that does not fit one of the above, plus a separate SAQ D for Service Providers, which is the only SAQ a service provider may use
Frustrating, no doubt, and it often requires some lengthy reading for gaining a stronger understanding of which SAQ to choose; your acquirer or payment brand may also simply tell you which one they will accept. Once you’ve gotten over that hurdle, give yourself a congratulations, because it’s no easy task.
- Review and Understand the Applicable SAQ. Depending on which SAQ is chosen, the rigors of compliance can either be relatively straightforward, such as SAQ A (fewer than two dozen questions in the 3.x versions), or incredibly time-consuming and comprehensive, such as SAQ D (the full set of PCI DSS requirements). It’s important to note that all SAQs have something in common: the need for documented policies and procedures for PCI DSS compliance, since every SAQ includes items from Requirement 12. If you feel that the SAQ is simply too overwhelming and need assistance, then contact a qualified professional for help in assessing, understanding, and ultimately completing, the applicable questionnaire.
A good starting point is to talk to a PCI-QSA or even a Payment Card Industry Professional (PCIP), as they have the knowledge needed for assisting organizations. Remember that the SAQs that come along with version 3.x of the PCI DSS require much more thought and attention in providing a response than any previous edition. Gone are the simple yes and no answers, effectively replaced by the following: Yes; Yes with CCW (a compensating control, which must be documented on a Compensating Control Worksheet); No; N/A; and Not Tested. That’s quite a list to choose from, so again, get help if needed. A word to the wise on the last two: “Not Tested” means the requirement was excluded from the assessment entirely and is not a substitute for “N/A”; it leaves a gap in your attestation that your acquirer will ask about. “N/A” is only appropriate when the requirement genuinely cannot apply to your environment (for example, the wireless requirements when no wireless is in scope), and every N/A answer needs a written explanation in the SAQ. Answer honestly: a “No” with a remediation plan is far better than an N/A that an assessor or a forensic investigator later disproves.
- Purchase PCI DSS Policies and other Essential Material. Quick question: guess what the most time-consuming and laborious process is for PCI DSS compliance? Answer: developing and implementing all mandated information security and operational policies and procedures. Sure, PCI is technical, but let’s not forget about the massive amount of policy documentation needed for validating compliance, for both merchants and service providers. Security awareness training and risk assessments are also critical initiatives, requiring much more than policy statements: actual procedures that must be carried out by both merchants and service providers seeking to become PCI DSS compliant. The Global PCI DSS Policies Packets from pcipolicyportal.com provide all the necessary policies and procedures for PCI compliance, along with security awareness training and risk assessment documentation. One caveat a QSA will insist on: a template is a starting point, not the finished article. Each policy has to be tailored to describe what your organization actually does, assigned an owner, approved by management and reviewed at least annually, because an assessor will test the practice against the document, not just read the document.
Regardless of what level and type of PCI compliance is being mandated, from a simple Self-Assessment Questionnaire (SAQ) to an actual Level 1 onsite assessment, policies and procedures, and other supporting documentation, are absolutely critical for compliance. Turn to the PCI policy experts today at pcipolicyportal.com and download the very best materials for helping ensure rapid PCI compliance.
- Get Compliant. Talk is cheap, especially when it comes to compliance with the Payment Card Industry Data Security Standard, so now’s the time to dig in, develop all mandated documentation, put in place all required procedures, and get compliant! It won’t happen overnight, but you’ll get there, and once you do, annual validation becomes that much easier. Getting compliant for many businesses means putting in place annual security awareness training for all employees and workforce members, conducting a thorough risk assessment, and meeting the other mandates of the applicable SAQ. Moreover, once the heavy lifting is done in year one, compliance with the PCI mandates should become much more attainable every year thereafter. Simply stated, talking and strategizing about PCI DSS compliance is one thing; rolling up your sleeves and getting it done is another.
- Conduct Scans and Penetration Testing, if needed. Depending on which of the Self-Assessment Questionnaires is chosen, quarterly vulnerability scans, both internal and external, along with an annual penetration test (repeated after any significant change), may be required. External scans must be run by a PCI SSC Approved Scanning Vendor (ASV) and must come back passing; internal scans can be run with your own tooling, but every “high risk” finding has to be remediated and the scan re-run until it is clean. While scanning is relatively straightforward, and not too terribly expensive, penetration testing can be complex, time-consuming, and costly. If you’re lucky enough to dodge scanning and/or pen testing, congrats; if not, then dig in and get ready for some time commitments. Remember to ask yourself “where is the cardholder data environment truly residing?” Be careful with the answer, though: simply passing card data through to a payment processor or gateway without storing it still puts the systems that handle it in scope, and the processor’s own penetration test covers the processor’s environment, not yours. The only reliable way to drop a requirement is to reduce scope so that the SAQ you qualify for no longer contains it, for example by outsourcing the payment page entirely so that card data never touches your systems (SAQ A). If you use network segmentation to shrink scope, the penetration test must also confirm that the segmentation actually isolates the cardholder data environment. It’s an option and one to consider, only after a thorough examination.
- Complete the actual SAQ and Attestation of Compliance (AoC). By this point the hard work has been done and it’s now time to dot the i’s and cross the t’s, administratively speaking, by completing the SAQ itself and the Attestation of Compliance (AoC) form that accompanies it; the AoC is the document your acquirer actually wants to see. Keep in mind that many payment processors integrate this into their online reporting for PCI DSS compliance, so completing an actual hard copy may not be necessary. Many businesses reach out to a payments industry expert for help with the Self-Assessment Questionnaire (SAQ), which is generally a good idea, as a few hours of consulting time can often clear up any questions or concerns you may have. Keep copies of the completed SAQ, the AoC, the passing ASV scan reports and any Compensating Control Worksheets; you will need them if your acquirer, a card brand or a forensic investigator asks how you validated.
- Stay compliant. Becoming compliant is a challenge, yet staying compliant with the Payment Card Industry Data Security Standard (PCI DSS) can be an even more challenging task, but it has to be done, no question about it. It means not stopping and starting compliance once a year, but rather making the PCI DSS requirements part of one’s organizational infrastructure: quarterly scans, log review, access reviews and change control are continuous activities, and an assessor will ask for evidence covering the whole year, not just the week before the assessment. Build it into your organization’s core culture and it’ll stick like glue. Remember also that the PCI DSS itself changes, moving from one version to the next every two to three years, with a transition period during which the old version is retired. This in itself can be difficult to keep pace with, so reaching out to an actual PCI DSS expert is a good idea.
- Aim for the PCI Moving Target. Life is full of changes – that’s for sure – and compliance with PCI DSS is no different, which means aiming for the ever-moving target. Because systems change and employees come and go, it’s important to look at PCI from a practical perspective, which means doing all you can as a business owner for staying compliant. Just remember that PCI compliance is about policies, procedures, and processes/practices – the big three – continue to strive for putting in place these mandates and you should be fine. PCI is here to stay – no denying that – so get serious today about becoming compliant by visiting pcipolicyportal.com to learn more.
Since 2009, thousands of merchants and service providers have been downloading the industry-leading PCI Policies Packets for helping ensure rapid compliance with the Payment Card Industry Data Security Standard (PCI DSS). As the unquestioned global leader in PCI compliance documentation, pcipolicyportal.com offers the best policies, procedures, and more, for ensuring complete compliance from day one with PCI. Learn more today about our industry-leading policies, procedures, and other essential services and documentation offered by the PCI DSS experts at pcipolicyportal.com.