Everything you need to know about PCI DSS compliance

PayPal Editorial Staff

January 30, 2023


One of the biggest challenges facing small businesses is responsible, secure handling of customer data and payment transactions.

Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.

To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and the Payment Card Industry Data Security Standard (PCI DSS).

Here's what you need to know about PCI DSS compliance.

What is PCI compliance?

PCI DSS compliance is the process of adhering to certain security standards to protect customer information and mitigate the risk of fraud and data breaches. These PCI compliance standards help businesses safely handle credit card transactions and keep financial information secure.

PCI compliance requirements

Merchants must adhere to 12 PCI DSS requirements to meet PCI security standards, including:

  1. Install and maintain a firewall configuration to protect cardholder data

    Establish firewall and router configuration standards that define which traffic is allowed into and out of your systems. Review firewall configurations bi-annually to ensure there are no faulty access rules, which can expose cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Change default passwords on your systems to increase security. Also, maintain a secure inventory of all systems, passwords, and configuration procedures. These procedures need to be followed every time a new system is introduced to the IT infrastructure.

  3. Protect stored cardholder data

    This is the most important requirement: all stored cardholder data must be encrypted using industry-accepted algorithms. Also follow PCI standards for protecting primary account numbers (PANs), such as masking them when displayed so that only the first six or last four digits are shown.

  4. Encrypt transmission of cardholder data across open or public networks

    Secure card data when it is transmitted over an open or public network, such as the Internet, Bluetooth, or Global System for Mobile communications (GSM). You must also know where you are sending card data to and where you are receiving it from.

    Encrypt cardholder data in transit using secure, current versions of protocols such as Transport Layer Security (TLS) and Secure Shell (SSH), which helps prevent the data from being compromised.


  5. Protect all systems against malware and regularly update anti-virus software

    All equipment — including the workstations, laptops, and mobile devices employees use to access the system both locally and remotely — must have anti-virus software.

  6. Develop and maintain secure systems and applications

    Regularly update systems to identify and patch any security vulnerabilities in a timely manner. This applies to all systems in the card data environment, including:

    • Operating systems
    • Firewalls, routers, switches
    • Application software
    • Databases
    • POS terminals

  7. Restrict digital access to cardholder data

    Cardholder information may only be shared on a "need-to-know" basis. Maintain a list of authorized and unauthorized users, including employees and stakeholders, and update their access permissions accordingly.

  8. Create unique IDs and passwords for access

    Set up a unique ID and password for each authorized user. This holds the people with access accountable and makes it easier to respond if an issue such as a data breach does arise.

  9. Restrict physical access to cardholder data

    As part of PCI data security standards, physical cardholder data must also be stored in a secure location, such as a locked room or storage area with restricted access.

  10. Set up and maintain access logs

    Each time cardholder data is accessed, the event should be logged. Access logs should also be audited consistently to spot any anomalies or threats to data security.

  11. Conduct security and vulnerability tests

    Frequently perform security tests and vulnerability scans to find any weaknesses in your processes and systems.

  12. Document policies and procedures

    Maintain updated documentation of all policies, procedures, access logs, systems, and software involved in these PCI DSS compliance requirements. A PCI audit or assessment, for example, will check for documentation such as employee manuals, policies and procedures, vendor agreements, and data security response plans.
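As an added illustration of requirements 3 and 10 (not code from the original article), the Python helpers below mask a PAN for display so that no more than the first six and last four digits remain visible, and scrub Luhn-valid PANs from a log line so that access logs do not themselves become unprotected stored cardholder data. The card numbers and the log line are constructed sample values, and the 13-to-19-digit length rule is an assumption about PAN formats.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes (assumed format).
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a digit string (the check-digit scheme card numbers use)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(text: str) -> bool:
    """True if text is a plausible PAN: 13-19 digits that pass the Luhn check."""
    digits = re.sub(r"\D", "", text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display (requirement 3): at most the first six and the
    last four digits stay visible; everything in between becomes '*'."""
    if not is_pan(pan):
        raise ValueError("not a well-formed PAN")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS permits at most the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its last-four-only form so
    access logs (requirement 10) never hold a full PAN. Digit runs that fail the
    Luhn check (order ids, timestamps) are left untouched."""
    def _repl(match):
        found = match.group(0)
        return mask_pan(found, keep_first=0, keep_last=4) if is_pan(found) else found
    return _PAN_RE.sub(_repl, line)


if __name__ == "__main__":
    # Constructed sample values; the card numbers are well-known test numbers.
    print(mask_pan("4111 1111 1111 1111"))  # 411111******1111
    print(scrub_log_line("2023-01-30 10:15:02 order=1234567890123 pan=4111 1111 1111 1111 status=ok"))
```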

Understanding PCI compliance levels

There are four different PCI compliance levels, each with its own requirements. Your PCI merchant level will largely depend on the volume of credit card transactions your business processes each year.

The four PCI DSS merchant levels include:

Compliance level 1

PCI level 1 applies to organizations that process more than 6 million Visa or Mastercard transactions or more than 2.5 million American Express transactions in a 12-month period. This level also includes merchants who have experienced a data breach.

Level 1 merchants must complete an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), a quarterly network scan by an Approved Scanning Vendor (ASV), and an Attestation of Compliance (AOC) form for onsite assessments.

Compliance level 2

PCI level 2 applies to organizations that process 1-6 million card transactions each year.

PCI DSS level 2 requirements include: completing an annual self-assessment questionnaire (SAQ), a quarterly network scan by an ASV, and an AOC form.

Compliance level 3

PCI level 3 applies to merchants that process 20,000-1 million online transactions and organizations that process fewer than 1 million total transactions each year.

PCI level 3 requirements are the same as those for level 2: completing an annual SAQ, a quarterly network scan by an ASV, and an AOC form.

Compliance level 4

PCI level 4 applies to organizations that process fewer than 20,000 online transactions or up to 1 million total transactions each year.

PCI compliance level 4 requirements are the same as those for levels 2 and 3: completing an annual SAQ, a quarterly network scan by an ASV, and an AOC form.

Benefits of PCI compliance

PCI compliance offers many benefits to businesses that process credit card transactions. The biggest advantages of PCI compliance include:

  • Securing cardholder data and building customer trust
  • Protecting your business from theft, data breaches, and fraud
  • Streamlining data storage and handling processes
  • Avoiding hefty fines for PCI compliance violations


How PayPal helps businesses achieve and maintain PCI compliance

Partnering with PayPal can help businesses maintain PCI compliance and enhance data security. In fact, if you use PayPal to process card payments, your customers' sensitive data never reaches your company's servers — helping reduce your PCI DSS compliance requirements.
