For starters, get familiar with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS requirements are broken down into six different categories:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

The next step is to figure out your PCI compliance level. Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. Remember: all merchants that process credit cards—whether small or large—must be PCI compliant.

 

Now here is where PCI compliance for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has their own requirements and deadlines for PCI compliance. To give you a general idea of what you need to do as a merchant, here are Visa’s PCI requirements for merchants:

Level 1 Merchants

Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) Quarterly network scan by Approved Scan Vendor (ASV) Attestation of Compliance Form

Level 2 and 3 Merchants

• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly network scan by ASV
• Attestation of Compliance Form

Level 4 merchants

• Annual SAQ recommended
• Quarterly network scan by ASV if applicable
• Compliance validation requirements set by acquirer

Some resources to help you complete these requirements:

• List of approved QSAs
• List of approved ASVs
• Instructions on how to complete the SAQ
• PCI Compliance Deadline List, including links to each payment brands’ PCI compliance sites
• Article on how businesses that should complete the SAQ D can opt for a shortened SAQ

Depending on your compliance level, complete the appropriate requirements (above). Then for each payment card brand you accept, check the site to see what kind of reporting you have to supply each brand.

---