Thursday September 20, 2018
PCI Discussion Forum
PCI Compliance Guide

  • Compliance Process- To be compliant, a merchant must meet every applicable PCI DSS requirement. Because PCI compliance is a continuous process rather than a one-time project, there is no single mandated plan. The PCI SSC describes the process as three repeating steps: assess, remediate, and report.
    • Assess- identify where cardholder data is stored, processed, and transmitted; analyze the business processes and payment applications that touch it; and search the in-scope systems for vulnerabilities.
    • Remediate- fix the vulnerabilities found and securely delete any cardholder data that is not needed for business.
    • Report- submit the required compliance and validation materials to the acquiring bank and card brands.
  • A company can have two designations: PCI compliance and PCI validation.

  • PCI Compliance- The continuous process of adhering to the PCI DSS. The PCI SSC recommends a six-milestone Prioritized Approach, ordered so that the largest risks are reduced first:
    1. Remove sensitive authentication data and limit how much cardholder data is retained.
    2. Secure external, internal, and wireless networks.
    3. Secure payment applications, processes, and servers.
    4. Secure and monitor access to your systems.
    5. Protect stored cardholder data.
    6. Finalize all remaining compliance efforts.

  • PCI Validation- Demonstrating to the acquiring bank and card brands that a merchant's compliance has been checked by self-assessment, by a Qualified Security Assessor (QSA), or by an Approved Scanning Vendor (ASV). Unlike compliance, validation occurs at a single point in time, through an outside audit, a self audit, or system scans. The PCI SSC recommends a four-step approach for validation:
    1. Complete the Self-Assessment Questionnaire (SAQ) appropriate to your merchant type.
    2. Complete an external vulnerability scan performed by an ASV.
    3. Complete an Attestation of Compliance (AOC).
    4. Submit the SAQ, scan results, and attestation to your acquiring bank or the card brand that requires them.