
How to Become PCI Compliant

By Matt Rej

Dec 26, 2023

How to Become PCI Compliant (and Maintain PCI DSS Compliance)

PCI DSS compliance—or PCI compliance for short—refers to a set of payment security standards that merchants must follow when accepting card payments, transmitting sensitive information, and storing cardholder data.

To be PCI compliant, businesses must implement and follow the globally recognized protection requirements set forth by the Payment Card Industry Data Security Standards Council.

While PCI compliance isn’t a law or legal requirement, every business that accepts card payments must be PCI compliant to avoid fees and ensure it is protecting cardholder data. Failing to comply with PCI standards can add extra costs to your monthly processing statements and potentially lead to other penalties if a data breach results from your negligence.

Whether it’s your first time accepting card payments and you need to become PCI compliant, or you’re currently accepting credit cards and need to maintain PCI compliance, this guide will teach you how to do it. 

How to Become PCI Compliant in 3 Steps

At first glance, becoming PCI compliant may seem like a daunting task. But the entire process can actually be broken down into just three simple steps. 

Step 1 — Meet the 12 Requirements Set Forth by the PCI DSS

The first thing you need to do is make sure you’re following all 12 PCI compliance requirements and guidelines outlined by the PCI DSS (Payment Card Industry Data Security Standards) Council. Those requirements are:

  1. Install a firewall configuration to protect cardholder data
  2. Do not use any vendor-supplied defaults for passwords and system security parameters
  3. Protect all cardholder data in storage
  4. Encrypt cardholder data when it’s transmitted across open public networks
  5. Protect all payment systems from malware with antivirus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data on a “need to know” basis
  8. Identify and authenticate access to payment systems and network components
  9. Restrict physical access to cardholder data
  10. Track and monitor access to network resources and cardholder data
  11. Test security systems and processes on a regular basis
  12. Maintain an information security policy that applies to all personnel

We have a detailed guide on the 12 PCI DSS requirements that includes a list of action steps for each requirement that you can follow for additional guidance. 

As you look at these requirements with a closer eye, you’ll quickly see that you’re already close to 80% there. If you’re using a reputable merchant services provider, then your network, software, and hardware should already be secure. Things like encryption and secure storage of cardholder data should be handled by them as well. So don’t be overwhelmed by this list.

Step 2 — Complete a Self Assessment Form

Once you’ve implemented the 12 requirements, you need to fill out a PCI Compliance Self Assessment Questionnaire (SAQ). The questionnaire in itself can essentially act as a PCI compliance checklist, so feel free to use it as a reference while you’re working on the first step.

The form is fairly straightforward. You’ll start by filling out some general information about your business before answering a series of different yes or no questions related to your payment security and processes. 

Then the self-assessment asks you to check off a response for each of the sub-components within the 12 requirements. 

  • In Place
  • In Compliance with CCW (Compensating Control Worksheet)
  • Not Applicable
  • Not Tested
  • Not in Place

There are several different versions of the self-assessment questionnaire, each one with slightly varying questions and responses based on the business type. Here’s an example from Self-Assessment Questionnaire D for Merchants:

[Screenshot: excerpt from the SAQ D for Merchants form]

To find the latest version of the Self Assessment Questionnaire and find the right form for your business, refer to the PCI Security Standards Document Library. You can change the filter to SAQ to find the appropriate form.

We’ll cover the different SAQ versions in greater detail shortly. But if you’re unsure about which form you need to fill out, just reach out to your merchant account provider. 

Step 3 — Submit Your Documentation

Once the questionnaire has been filled out in its entirety, you must submit it to your merchant account provider or acquiring bank. In some cases, payment brands may also request a copy of your self-assessment forms to accept their cards. 

Confirm that your processor has received your self assessment along with any other requested documents that support your answers.

Then verify that they have everything required to consider your business PCI compliant. Otherwise, you may still find PCI non-compliance fees on your statements each month.

This is something that we see on a regular basis when we’re monitoring monthly statements for our clients. Some processors continue charging PCI compliance fees even after the merchant has submitted a self assessment. 

How to Maintain PCI Compliance

Most merchants need to re-submit a Self Assessment Questionnaire every year to maintain PCI compliance. 

PCI compliance is an ongoing initiative. Even after you’ve completed the 12 requirements and submitted your documents, you still need to conduct regular testing and security audits in accordance with the PCI DSS guidelines. 

For example, securing your network with firewalls and your hardware with antivirus is part of becoming PCI compliant. But you’ll need to update both regularly with the latest security patches to maintain PCI compliance. 

In accordance with PCI DSS requirement 11, you’ll also need to run internal and external vulnerability scans at least quarterly and after any significant changes are made to your network.  

Training your staff and ensuring they understand their responsibilities for keeping cardholder data secure is something you’ll need to do initially. But it is also an ongoing task: as you hire new employees who may have access to networks or systems that process or store cardholder data, you’ll need to train them as well.

PCI Compliance Levels

Each of the major card networks has its own program and rules to measure PCI compliance by different thresholds. Merchants at higher levels are subject to more rigorous compliance guidelines and security standards than those at a lower level.

While there are slight variations to each, here’s a general guideline for each level:

  • Level 1: Merchants processing over six million annual card transactions.
  • Level 2: Merchants processing between one and six million annual card transactions.
  • Level 3: Merchants processing 20,000 to one million annual card transactions.
  • Level 4: Merchants processing less than 20,000 annual card transactions.

Other factors and certain events could trigger a change in a merchant’s compliance level. For example, a merchant that had a data breach may need their level elevated to remain compliant. 

Is PCI Compliance Required by Law?

PCI compliance is a security standard, not a law—which means there aren’t any legal mandates at the state or federal levels that require businesses to be PCI compliant. So it’s not something that’s enforced by court systems.

PCI compliance requirements are set forth by the Payment Card Industry Data Security Standards Council, but governance and enforcement of PCI compliance falls on the processors.

Generally speaking, nobody is policing or auditing PCI compliance either. With the exception of PCI Level 1 businesses that require a quarterly scan by an approved third party, the majority of PCI compliance comes down to the merchant’s self assessment. 

Finding the Right PCI Compliance Self Assessment Questionnaire For Your Business

As previously mentioned, there are several variations of the self assessment questionnaire (SAQ) for different business types. Here’s a cheat sheet to find the version that’s right for you:

  • SAQ A: If your business outsources all card processing to third parties, including ecommerce, phone, and mail transactions.
  • SAQ A-EP: If you’re an ecommerce merchant that outsources payment processing but not website administration.
  • SAQ B: If you’re an ecommerce merchant that doesn’t receive or store cardholder data but you control the method that redirects that data to a third-party processor.
  • SAQ B-IP: If you don’t store cardholder data electronically but use IP-connected point-of-interaction devices (this applies to card-present and card-not-present transactions).
  • SAQ C-VT: If you process cardholder data through a virtual terminal instead of a computer system.
  • SAQ C: If you use a payment application that’s connected to the internet.
  • SAQ D: All other merchants that don’t fall into SAQs A, B, or C.
  • SAQ P2PE: If you’re a merchant that uses point-to-point encryption (not applicable to ecommerce businesses).

Ultimately, your payment processor can help verify which form is right for you. But this should be a suitable guide for most merchants with a clear model for processing payments. 

Final Thoughts on Becoming PCI Compliant

Every merchant that accepts credit cards should become PCI compliant. 

Not only does this help protect your business from potential data breaches that could impact your company and customers, but it also helps you get rid of junk fees from your processing statement every month.

Processors love to add a PCI compliance or PCI non-compliance fee to statements. In some cases, they’ll even charge this fee to merchants who are PCI compliant as a way to just inflate the bill. 

So if you’ve completed a self-assessment questionnaire and you’re still seeing this charge on your monthly statements, reach out to our team here at MCC. We’ll audit your statements to find other hidden fees and then work directly with your processor to get them removed.

By Matt Rej

Matt has been working in the financial world for over 7 years and after quickly learning the world of payments, for the past 5 years Matt has been exposing the industry for what it truly is. Matt oversees the sales team for MCC, developing new employees and educating enterprise to brick and mortar customers on how they can cut costs within the payments world. Matt has a Bachelor’s Degree in Business Administration from Bryant University and currently resides in South Boston, Massachusetts.
