PCI compliance checklist: Protect your customers’ credit card data

In 2021, the value of digital payment transactions globally is set to reach $6,685,102M and by 2025, it’s projected to reach $10,520,219m. With so many payments happening online, companies need to do all they can to protect their customers’ details and payment card data.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage companies globally to improve their security practices when handling, processing, and storing cardholder data. As the global volume of digital payments increases, so do the risks of a severe data breach. While PCI DSS compliance lets your company avoid penalty fines and legal action, most importantly, it helps you keep your customers' data safe.

Note: CallRail is not offering legal counsel, but we strive to help our customers with all PCI-compliant call tracking queries. The advice in this post is not a substitute for the advice or services of an attorney. If you have any specific PCI DSS compliance questions for your business, we recommend you contact the appropriate parties.

What is PCI compliance?

The PCI DSS (or PCI) is a set of guidelines on how businesses can protect their customers' payment card information. PCI compliance means that your company meets the requirements set out in the PCI DSS.

There are four levels of PCI compliance. Different cardholder brands have their own requirements. If you take payments from several card providers, you should check which level you fall into with each of them.

In the U.S., “Visa and Mastercard are the most frequently offered payment methods,” so we’ve included their PCI compliance levels as a starting point:

  • PCI compliance level 1: All merchants that process over 6 million transactions annually or that Visa/Mastercard identifies as meeting level 1 requirements. Additionally, if your company has experienced a security breach that puts account or cardholder data at risk, you’ll be moved to level 1.
  • PCI compliance level 2: All merchants that process between 1 million and 6 million transactions annually.
  • PCI compliance level 3: E-commerce merchants that process between 20,000 to 1 million transactions per year.
  • PCI compliance level 4: E-commerce merchants processing fewer than 20,000 Visa/Mastercard transactions annually or other merchants processing fewer than 1 million Visa/Mastercard transactions annually.

Does PCI DSS apply to my company?

The PCI DSS requirements state that “PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.” So if your company accepts card payments — online or over the phone — then PCI DSS applies to you.

“PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.”

But companies have different PCI requirements depending on how they handle payments, the number of payments they handle or process, and their type of business. To understand what PCI compliance level you need to achieve your obligations, you should look at the self-assessment questionnaires from the PCI Security Standards Council (PCI SSC) or seek expert advice.

If your company takes credit card payments, your customers need to trust that you will keep their details safe. Achieving PCI compliance shows your customers that you take their data security and privacy seriously, doing all you can to safeguard their payment details and other personal information.

Your PCI compliance checklist

There are 12 requirements that companies need to meet to achieve PCI compliance. You can use this PCI DSS compliance checklist to understand the different requirements specified in the data security standard to help your company protect your customers’ payment card data.

PCI Compliance Checklist

1. Implement and maintain a firewall

Firewalls control incoming and outgoing traffic to your network. They are often the first line of defense against hacks and attempted data breaches. You'll need to properly configure your firewall and routers to protect cardholder data against unauthorized access.

2. Don’t use default security settings

The default settings for servers and applications don't meet PCI standards. This includes passwords, usernames, and default security settings because these are often well known by hacker communities and may be shared online. You should upgrade your settings for all new and existing devices and hardware instead of using the default settings.

3. Protect cardholder data while it’s stored on your network

The PCI SSC advises companies to minimize their risk by "not storing cardholder data unless absolutely necessary." If you do store cardholder data on your network, it must be encrypted using proper algorithms and security keys, and you need to know how long it will be stored.

This requirement also specifies how to display cardholder details. You shouldn’t display the full payment card details, but you can show the first six or last four digits.

4. Encrypt payment data to protect it while it’s in transit

Hackers often attempt to intercept or divert data while it's in transit, so you must encrypt sensitive information — such as cardholder data — during transmission, and during storage. To comply with this requirement, you need to encrypt cardholder data before transmission to reduce the risk of data being compromised during transit.

5. Protect your systems against malware and viruses

There are so many ways malware (including viruses) can enter your company network, such as employee emails or using the internet. You should have antivirus software installed across your network, including servers, workstations, laptops, and mobile devices used by anyone in your company.

Your antivirus software should be updated to the latest version, and you should perform regular scans. Malware trends change rapidly, so if your antivirus software is out of date, you may not be protected against the latest malware threats.

6. Develop and maintain secure systems and applications

Hackers exploit security vulnerabilities to gain access to your systems. You can maintain secure systems and protect your customers’ data by installing vendor-provided security patches. For critical security patches, PCI DSS requires you to install these within one month of release.

7. Restrict access to cardholder data

Not everyone in your company needs access to customer data; PCI DSS requirements specify that you should only have access to credit card data on a "need-to-know" basis. "Need-to-know" is when you are granted access to the least amount of data needed to perform your job.

You should have documented policies to set out who in your company has access to cardholder data based on job roles, level of seniority, and why they need access to that data.

8. Assign unique login details to every user

Every person in your company should have their own username and password to access your systems. This minimizes the risk of other parties gaining access to your systems via a shared user account. It also means that employees are accountable for their own actions. In the event of an internal data breach, malicious activity can be traced back to the specific user whose account has been compromised.

To achieve PCI compliance, you should follow password best practices — using complex passwords containing both letters and numbers and more than seven characters. It also specifies using multi-factor authentication when possible.

9. Limit people who have physical access to cardholder data

You should restrict the number of people who have access to servers, workstations, and paper files where you store or transmit cardholder data to minimize the risk of a data breach.

The PCI DSS requirements specify that you should use video cameras and entry controls at physical locations like data centers and file storage. Doing so allows you to monitor and control who has access to these locations.

10. Track and monitor access to networks and cardholder data

PCI DSS requires all network systems to be protected and monitored. This is because it's near-impossible to identify the cause of a data breach without accurate, up-to-date activity logs. You should keep network activity logs and review them daily to identify any potential security breaches or suspicious activity. The PCI DSS provides guidance on what types of activity to log and how long to store activity logs for.

11. Regularly test your security systems and processes

PCI DSS specifies regular testing for system components, processes, and software to ensure your security controls and processes are up to date. It specifies particular types of testing that should take place regularly:

  • Test wireless access points quarterly to identify all authorized and unauthorized wireless access points.
  • Run internal and external network vulnerability scans at least quarterly.
  • Perform network penetration testing annually.

12. Create and maintain an information security policy

The final PCI requirement focuses on creating, implementing, and maintaining a strong security policy for your organization that helps all employees understand the sensitive nature of cardholder data and their responsibility to protect it. Your information security policy should ensure that everyone in the company — whether employees, management, or~~ ~~third parties (contractors or consultants) — understands their role in keeping your customer data protected.

Achieve PCI compliance to build trust with your customers

The Measure Privacy Report found that 41% of respondents had been negatively impacted by a data privacy breach at some point, with 7% affected in the last month. For your customers, a data breach costs them time, anxiety, and, in worst cases, a lot of money when their credit card data is compromised and misused.

Achieving PCI compliance reassures your customers that your company can be trusted with their financial data. Use this PCI compliance checklist to get your company ready for your PCI DSS assessment or self-assessment questionnaire.

Learn how CallRail helps you maintain PCI compliance.