
The 12 Key Requirements for PCI Compliance

Payment security matters for every business. If you process, store, or transmit payment card data, you need to follow the Payment Card Industry Data Security Standard (PCI DSS). The standard is maintained by the PCI Security Standards Council, which the major card brands founded, and it exists to protect cardholders, merchants, and service providers from card data theft.

PCI DSS is the baseline security standard for every organization that accepts credit or debit card payments or processes, transmits, or stores cardholder data, and its requirements apply to the whole cardholder data environment, including systems connected to it. Knowing what the requirements say, how they apply to your business, and how to implement them is what keeps you compliant.

The 12 PCI Compliance Requirements

PCI DSS might feel foreign if you have never dealt with compliance requirements before. The standard groups its twelve requirements into six goals, from building a secure network to maintaining a security policy. Follow them to protect your customers, avoid fines from your acquirer, and keep your ability to accept cards.

1. Install and Maintain a Firewall

Firewalls restrict network traffic according to rules you define, so untrusted networks can reach only the services you intend to expose. They are the first line of defense between the internet and the cardholder data environment. PCI DSS requires a documented firewall and router configuration that denies all traffic not explicitly needed, prohibits direct public access to any system storing cardholder data, and is reviewed at least every six months; the standard makes this review a requirement, not a recommendation. Personal firewall software is also required on portable devices that connect to both the internet and the cardholder data environment.

2. Use Strong Passwords

Routers, point-of-sale terminals, servers, and other devices ship with vendor-supplied default passwords and settings, and attackers know them. PCI DSS requires you to change every vendor default before a system goes on the network, and the requirement covers more than passwords: default SNMP community strings and wireless keys must be changed, unnecessary services and accounts removed, and systems hardened against an accepted configuration standard such as the CIS benchmarks. Require strong, unique passwords for every account and never reuse the same credential across devices.

3. Safeguard Cardholder Data

The third requirement is to protect stored cardholder data. Keep as little of it as possible, for only as long as your business genuinely needs it, and render the primary account number (PAN) unreadable wherever it is stored, whether by strong encryption, one-way hashing, truncation, or tokenization. Sensitive authentication data (full magnetic-stripe or chip contents, the card verification code, and PINs) must never be stored after authorization, even encrypted. When a PAN is displayed, show at most the first six and last four digits unless the person has a business need to see the full number.

If you never store cardholder data because your payment processor or a tokenization service holds it for you, most of this requirement's controls drop out of scope. You still need to verify that nothing in your environment (logs, databases, backups, spreadsheets) retains PANs by accident.

4. Encrypt Cardholder Data

Requirement 4 is about data in motion: encrypt cardholder data with strong cryptography whenever it crosses open, public networks, which includes the internet, wireless networks, and cellular links. In practice that means current TLS (SSL and early TLS were retired by the PCI SSC in 2018) with trusted certificates and no fallback to weak protocols or cipher suites, so anyone capturing the traffic sees only ciphertext. Tokenization and storage encryption belong to Requirement 3; this requirement is about the transmission path.

The requirement also prohibits sending unprotected PANs through end-user messaging technologies such as email, instant messaging, SMS, and chat. Using a coffee-shop or hotel network is not itself a violation, but any card data crossing it must be encrypted end to end with strong cryptography.

5. Install and Update Antivirus Software

You probably already run anti-malware software on your company's devices; PCI DSS makes it a requirement. Anti-virus software must be deployed on all systems commonly affected by malware, kept current, run periodic scans, and generate audit logs that are retained like any other audit trail. Users must not be able to disable or alter it without a documented, time-limited management authorization, and for platforms not commonly targeted by malware you must periodically re-evaluate whether that is still true. An outdated firewall rule set or stale anti-virus signatures will not stop current threats, so keep both up to date on every device that touches cardholder data.

6. Develop with Security in Mind

If your business builds systems, applications, or websites, PCI DSS requires you to develop and maintain them securely. In practice this means:

  • Identifying security vulnerabilities with a risk ranking and installing critical vendor patches within one month of release

  • Following secure coding guidelines (the standard points to sources such as OWASP) to prevent injection, broken authentication, insecure cryptographic storage, and similar flaws, and training developers on them at least annually

  • Separating development and test environments from production and never using live PANs for testing

  • Following change control procedures and reviewing custom code before release

  • Protecting public-facing web applications with ongoing vulnerability assessments or an automated technical solution such as a web application firewall

7. Restrict Access to Cardholder Data

PCI DSS requires you to limit access to cardholder data and to the systems that hold it to the individuals whose job requires it. Define access by role, grant the least privilege each role needs, default to deny-all, and document the approval for each grant. That might mean only your accounting or customer service teams can see card data. The fewer people and systems that can reach the data, the smaller the damage from a compromised account or an accidental leak.

8. Assign Unique IDs

PCI DSS requires a unique ID for every person with computer access, so shared or generic logins on systems that touch cardholder data are not allowed. Each ID must be authenticated with a password or passphrase, a token or smart card, or a biometric, and multi-factor authentication is required for all non-console administrative access to the cardholder data environment and for all remote network access. The standard also sets baseline credential controls (under v3.2.1: lock an account after no more than six failed attempts for at least 30 minutes, re-authenticate sessions idle for more than 15 minutes, and remove access promptly when someone leaves). With unique IDs, the audit trail tells you who did what, which is what makes the source of an incident identifiable.

9. Restrict Physical Access

To be PCI compliant, you need to restrict physical access to systems and media that hold cardholder data. For most organizations this means measures like:

  • Card readers

  • Video cameras

  • Access logs

  • Visitor sign-in

  • Locked cabinets

  • Regular inspection of card-reading terminals for tampering or substitution

… to keep unauthorized people away from cardholder data. The requirement also covers what happens to data you no longer need: paper and electronic media must be classified, tracked, stored securely, and destroyed so the data cannot be reconstructed. Locking the premises at the end of the day is a good start, but it is not the whole requirement.

10. Monitor and Log Access

Your acquirer and the card brands can require evidence of how your systems handle cardholder data, and assessors rely on documentation and audit logs to see what actually happened.

This requirement means you must track and monitor all access to network resources and cardholder data. Every individual access to cardholder data, every administrative action, and every access to the logs themselves must produce an audit trail entry recording who, what, when, where from, and whether it succeeded. Clocks on all systems must be synchronized so events can be correlated, logs must be protected from tampering and reviewed at least daily (automated tools are acceptable), and audit history must be retained for at least one year, with at least the most recent three months immediately available for analysis.
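As an added example (not from the original article or any PCI SSC material), the following Python reviews an audit trail the way a daily log review under Requirement 10 might, and applies two Requirement 8 checks from the section above: whether a user ID reached the failed-attempt limit (six under PCI DSS v3.2.1 8.1.6), so a lockout should have followed, and whether one ID logged in from different addresses within minutes, a tell-tale sign of a shared login. It also checks each entry for the who/what/when/where/outcome fields the standard asks for and buckets entries under the one-year/three-month retention rule. The log lines, user names, addresses, field names and the review date are all constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail for this example (not real data). Each entry carries
# who (user), what (event), when (timestamp), where from (src), outcome (result) and,
# for data access, the affected resource. The last line deliberately omits the user.
AUDIT_LOG = """\
2024-03-02T09:00:01Z event=login user=alice src=10.0.4.12 result=success
2024-03-02T09:00:05Z event=login user=pos_shared src=10.0.4.30 result=success
2024-03-02T09:00:09Z event=login user=pos_shared src=10.0.4.31 result=success
2024-03-02T09:00:10Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:00:14Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:00:19Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:00:23Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:00:28Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:00:33Z event=login user=bob src=198.51.100.7 result=failure
2024-03-02T09:05:00Z event=view_pan user=alice src=10.0.4.12 result=success resource=order/8842019921
2024-03-02T09:06:00Z event=view_pan src=10.0.4.40 result=success resource=order/8842019933
"""

REQUIRED_FIELDS = ("timestamp", "event", "user", "src", "result")
# Assumed date of the log review (an assumption for this example).
REVIEW_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_entry(line: str) -> dict:
    """Parse '<ISO-8601 timestamp> key=value ...' into a dict with an aware datetime."""
    ts, _, rest = line.partition(" ")
    entry = {"timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for token in rest.split():
        key, _, value = token.partition("=")
        entry[key] = value
    return entry


def parse_log(text: str) -> list:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def incomplete_entries(entries, required=REQUIRED_FIELDS) -> list:
    """(index, missing fields) for entries that cannot answer who/what/when/where/outcome."""
    return [(i, [f for f in required if f not in e])
            for i, e in enumerate(entries) if any(f not in e for f in required)]


def lockout_violations(entries, max_attempts=6, window=timedelta(minutes=30)) -> list:
    """User IDs whose failed logins reached max_attempts inside one window. Under
    v3.2.1 8.1.6 the account must be locked at that point; the reviewer should confirm
    that a lockout followed and no further attempts succeeded."""
    failures = defaultdict(list)
    for e in entries:
        if e.get("event") == "login" and e.get("result") == "failure" and "user" in e:
            failures[e["user"]].append(e["timestamp"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_attempts:
                flagged.append(user)
                break
    return sorted(flagged)


def shared_id_candidates(entries, window=timedelta(minutes=10)) -> list:
    """User IDs that logged in successfully from two different source addresses within
    window: a strong sign the ID is shared, which Requirement 8 forbids."""
    logins = defaultdict(list)
    for e in entries:
        if e.get("event") == "login" and e.get("result") == "success" and "user" in e:
            logins[e["user"]].append((e["timestamp"], e["src"]))
    flagged = set()
    for user, items in logins.items():
        items.sort()
        for i, (t_i, src_i) in enumerate(items):
            for t_j, src_j in items[i + 1:]:
                if t_j - t_i > window:
                    break
                if src_i != src_j:
                    flagged.add(user)
    return sorted(flagged)


def retention_summary(entries, now=REVIEW_TIME) -> dict:
    """Bucket entries by the retention rule: at least one year kept, the most recent
    three months immediately available (modelled here as 90 and 365 days)."""
    def tier(age):
        if age <= timedelta(days=90):
            return "online"
        return "archive" if age <= timedelta(days=365) else "eligible-for-deletion"
    return dict(Counter(tier(now - e["timestamp"]) for e in entries))
```

Run on the sample, `incomplete_entries` flags the `view_pan` line with no user, `lockout_violations` reports `bob`, `shared_id_candidates` reports `pos_shared`, and `retention_summary` places all entries (91 days old at the assumed review date) in the archive tier. A real review would read from the central log server rather than a string, but the checks are the same.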

11. Test for Vulnerabilities

Security is not a one-and-done task. Threats change constantly, and you need to find weaknesses before attackers do. PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change, with external scans performed by an Approved Scanning Vendor (ASV) and rescans until a passing result is obtained. It also requires penetration testing at least annually and after significant changes, quarterly checks for unauthorized wireless access points, intrusion detection or prevention at the perimeter and at critical points inside the cardholder data environment, and a change-detection mechanism such as file integrity monitoring on critical files. A scan report is only useful if you fix what it finds.

12. Create Documented Policies

The final requirement says that organizations must maintain a policy that addresses information security for all personnel. This means you need to document:

  • Which equipment, software, and people have access to cardholder data, including service providers, with due diligence and written agreements for each

  • How cardholder data flows through your organization, so the scope of the cardholder data environment is known

  • How that data is protected, including acceptable-use rules for technologies such as remote access, wireless, and removable media

  • What to do in the event of a breach, in an incident response plan that is tested at least annually

Under PCI DSS the policy must be reviewed at least annually and updated when the environment changes, a formal risk assessment must be performed at least annually, and personnel must receive security awareness training when hired and at least once a year, and acknowledge that they have read and understood the policy. Cardholder data is handled by cashiers, call-center agents, and finance staff as much as by IT, so everyone who touches it needs to understand their part in protecting it.

Many of the twelve requirements are practices most organizations already follow. Compliance does get more complex as your organization and its cardholder data environment grow, and a single gap can lead to a damaging breach. Non-compliance exposes you to fines from your acquirer and, ultimately, to losing the ability to accept cards, so staying on top of PCI DSS and your other regulatory obligations is essential.