How does PCI compliance work?
PCI DSS isn’t a certification. Rather, it’s a checklist of processes and practices that must become part of the framework of any company that handles cardholder data. Compliance with PCI DSS is a continuous process that involves three steps:
- Assess. Identify and inventory assets and processes that handle cardholder data, and analyze them for vulnerabilities that could lead to exposure.
- Repair. Remediate vulnerabilities and secure business processes.
- Report. Document the assessment process and the remediation performed to fix the vulnerabilities, and share compliance reports with the banks and card companies you do business with.
The standard's controls are designed to protect card data and should be practiced daily in all payment operations. The details of PCI DSS compliance vary with the activities each company performs. However, to remain PCI compliant, all businesses must comply with five core principles:
- Reduce the vulnerable attack surface.
- Make PCI DSS part of daily operations.
- Monitor for suspicious activity.
- Conduct regular environment penetration tests.
- Consult an expert to confirm the company meets the standards in the PCI DSS.
There are four levels of PCI compliance, organized by the number of transactions processed per year. Any company that handles cardholder data fits into one of those levels. A company's level depends on how it handles credit card data and on the volume of data it processes annually. The PCI SSC provides a self-assessment questionnaire to help companies determine which level they fit into.