
A Guide to the 12 PCI DSS Requirements

Acumen Connections helps our merchants meet PCI DSS requirements with no headaches. Let us get your organization PCI compliant today.

An Acumen and SecurityMetrics Collaboration

95%

The percentage of cyber-security breaches resulting from human error

43

The average number of days it takes a hacker to breach a vulnerability

What is PCI compliance?

All industries have a framework to protect their consumers. The Payment Card Industry (PCI) is no different. The PCI Data Security Standard (PCI DSS) is a set of guidelines for merchants to keep customer card information secure.

PCI DSS compliance is a requirement for all businesses accepting credit, debit, and digital payments. To be PCI DSS compliant means that your organization has done its due diligence to be up to date with payment card safety information. This not only protects your customers from things like identity theft. It also shields your business from expensive repercussions.


PCI DSS benefits

You may be asking why you should take the time to meet the PCI DSS requirements. Let’s look at a few of the benefits that make it worth being PCI compliant.

  • Owning a security mindset
  • Being more competitive in the market
  • Increasing sales and customer satisfaction
  • Safeguarding your brand reputation
  • Reducing your risk of fines and data breaches
  • Being able to accept credit card payments

Many businesses don’t realize that the investment in security is worth the benefits and so much more. Following PCI DSS standards will have a rewarding impact on your business.

Risks of PCI non-compliance

On the other hand, there are many dangers when your data security remains outdated. If you choose to remain non-compliant with the PCI DSS requirements, you’re putting your business at risk of:

  • Security breaches
  • Severe revenue loss
  • Legal action and hefty fines
  • Monthly PCI non-compliance fee
  • Damaged reputation
  • Above all, being prohibited from accepting credit card payments

Did you know: 80% of consumers prefer card payments over cash?

A security breach, caused by even a simple mistake, can be expensive to fix and can result in a lawsuit. Moreover, if you are not PCI DSS compliant, you may be banned from accepting credit card payments.

Don’t let these consequences happen! To avoid compromising your business, confirm your compliance today.


PCI compliance can help protect you from hard and soft fraud

Confirm PCI Compliance >

Security breaches that changed the complexity of PCI DSS compliance

Technology has transformed how we make payments in recent decades, and so has fraud. No business is immune: cyber-attacks happen to small businesses too. Major security breaches in the history of electronic payments show why PCI compliance is critical and continuously evolving.

TJX

Charged $9.7 million

For 18 months in 2005-2006, hackers got away with the information of 94 million TJX accounts. The hackers first broke in through a WiFi connection at a retail store. When the banks eventually sued TJX over this breach, the courts ruled that TJX had been non-compliant with 9 of the 12 PCI DSS requirements. These violations included failure to configure wireless networks and improperly storing data. TJX paid $9.7 million.

Heartland Payment Systems (HPS)

Charged $145 million and banned from accepting credit & debit cards

In 2009, cybercriminals stole 100 million credit card numbers from HPS. Experts say the criminals used one of the “least sophisticated” kinds of malware attacks that was easily preventable. HPS owed $145 million in compensation and was banned from processing payments for 14 months.

Target

Charged $220.5 million

Target has a reputation for having everything you need—and don’t need. It also is known for having one of the biggest data breaches in history. In 2013, hackers stole the credit card numbers of 40 million Target customers. It was found that although Target had a malware detection tool in place, they missed critical software warnings for 3 weeks. Target owed $18.5 million in settlements and $202 million in legal fees.


Need help? Contact Us >

Compliance shouldn’t be a hassle—so we’re here to help. Follow these steps to ensure you have all the information needed and are ready to achieve compliance with flying colors.

Before you start, gather the information you will need:

• Method of processing data

• IP address of your business

• Terminal type

• SecurityMetrics login credentials


Use WhatIsMyIPAddress for free to get your IP address


The steps to PCI DSS certification with Acumen Connections

1. Log in to SecurityMetrics and complete a questionnaire about your business. This will determine your SAQ type.

2. Complete your Self-Assessment Questionnaire (SAQ). The first time may take an hour or more.

3. Run an automated security scan if needed. It runs in the background for about 2 hours.

4. Receive your attestation of compliance. If there are vulnerabilities to address, you’ll receive step-by-step instructions on how to resolve them.

PCI Self-Assessment Questionnaire (SAQ) types


Self-Assessment Questionnaire A

Purely e-commerce businesses. Processing is typically managed through a third party. Low risk.


Self-Assessment Questionnaire B

Businesses that take and store card information. May use a stand-alone terminal that does not connect to the internet. Low-mid risk.


Self-Assessment Questionnaire C

Businesses that take and store card information in person and over the internet. Mid-high risk.


Self-Assessment Questionnaire D

Businesses that do electronic storage of card data. Frequently reserved for large merchants or processors. High risk.

The 12 PCI DSS requirements: a PCI compliance checklist

It can be confusing to keep track of all the PCI requirements. That’s where we come in. Take a look at our checklist to help you understand how to comply with the latest version of PCI DSS, version 4.0.

PCI DSS Requirement 1:

Install and maintain network security controls

  • Choose a business security software with a variety of features.
  • Block certain websites from being accessed by your employees.
  • Set parameters on your site to block malicious traffic.

PCI DSS Requirement 2:

Apply secure configurations to all system components

  • Change default passwords on all routers, modems, and point of sale devices.
  • Choose secure passwords or passphrases. The more complex, the more secure.
  • Consider using a password manager account to keep track of your passwords.

PCI DSS Requirement 3:

Protect stored account data

  • Think to yourself, “What customer data is going through my computer and where does it go?”
  • Identify everyone who has access to this data throughout the week.
  • Use a security software business suite service to manage this.

PCI DSS Requirement 4:

Protect cardholder data with strong cryptography during transmission over open, public networks

  • Use best practices for your security software.
  • Don’t allow access to websites without security certificates – check for the “https” in the URL.
  • Work with your website provider to install secure settings so users land on the secure version of your website. Your URL should have “https” at the start of it.

PCI DSS Requirement 5:

Protect all systems and networks from malicious software

  • Make sure you have anti-virus and anti-malware software protecting all your computers.
  • Install your choice of popular antivirus software that offers business security.
  • Do monthly checks to confirm that software is up to date. If not, update them.

PCI DSS Requirement 6:

Develop and maintain secure systems and software

  • Regularly update your firewall.
  • Don’t skip patches. Security vendors often send out updates when they fix a bug. If you receive a notification that one of your systems has an update or patch available, look into it and apply it.

PCI DSS Requirement 7:

Restrict access to system components and cardholder data by business need to know

  • Limit which employees can access cardholder information to only those who need to know it.
  • Give employees their own unique passwords. If there is an issue, you can determine which employee logged in to access the information around that time.
  • Ensure cardholder data is only stored in places that require a password to access.

PCI DSS Requirement 8:

Identify users and authenticate access to system components

  • When employees leave, disable their accounts so no one else can use them.
  • Many services these days have an option for multi-factor authentication (where you're texted a code when logging in). When that option is available, enable that feature for an extra layer of protection.

PCI DSS Requirement 9:

Restrict physical access to cardholder data

  • Don't leave cardholder information lying around, for example on a sticky note.
  • Keep track of where your credit card readers are. Report missing devices immediately.
  • Train your employees on how to handle customer information safely.

PCI DSS Requirement 10:

Log and monitor all access to system components and cardholder data

  • Work with your administrative side to set up a way to log all activity on your system.
  • Ensure that you are able to see who logged in and at what time.
  • Have an alert system set up for suspicious activity.
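A small illustration of what the logging and alerting in Requirements 7, 8 and 10 look like in practice. This is an added example, not code from Acumen Connections or SecurityMetrics; the log format, the account lists and the threshold of five failed logins in five minutes are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line: "timestamp user outcome action".
# Every employee has a unique ID, so each line can be tied to one person (Req. 7).
SAMPLE_LOG = """\
2024-03-01T09:00:12 alice success login
2024-03-01T09:01:40 alice success view_cardholder_record
2024-03-01T09:05:00 bob failure login
2024-03-01T09:05:20 bob failure login
2024-03-01T09:05:45 bob failure login
2024-03-01T09:06:01 bob failure login
2024-03-01T09:06:30 bob failure login
2024-03-01T09:06:50 bob failure login
2024-03-01T10:15:00 carol success login
2024-03-01T10:16:00 carol success view_cardholder_record
"""

DISABLED_ACCOUNTS = {"carol"}   # former employee; account should be disabled (Req. 8)
CARDHOLDER_ACCESS = {"alice"}   # only staff with a business need to know (Req. 7)


def parse_log(text):
    """Turn the log text into (timestamp, user, outcome, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome, action = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, action))
    return events


def find_alerts(events, max_failures=5, window=timedelta(minutes=5)):
    """Return alert strings for the suspicious activity Requirement 10 asks you to watch for."""
    alerts = []
    failures = defaultdict(list)          # user -> timestamps of recent failed logins
    for ts, user, outcome, action in events:
        if user in DISABLED_ACCOUNTS and outcome == "success":
            alerts.append(f"{ts} disabled account {user} performed {action}")
        if action == "view_cardholder_record" and user not in CARDHOLDER_ACCESS:
            alerts.append(f"{ts} {user} viewed cardholder data without need to know")
        if action == "login" and outcome == "failure":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == max_failures:   # fire once, when the threshold is reached
                alerts.append(f"{ts} {max_failures} failed logins for {user} within {window}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this raises four alerts: the burst of failed logins for bob, and three for carol, whose disabled account both logged in and viewed cardholder data.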

PCI DSS Requirement 11:

Test security of systems and networks regularly

  • Consider hiring a person to perform a penetration test, i.e., try to hack into your system.
  • Run a quarterly security scan. Acknowledge the results of your security scan and address any vulnerabilities.

Acumen Connections customers are automatically partnered with SecurityMetrics, which can take care of security scans and penetration tests for you.

PCI DSS Requirement 12:

Support information security with organizational policies and programs

  • Create an inventory list of your software and equipment.
  • Figure out which employees have access to what information.
  • Have a written-out procedure for what to do if you get hacked.


Answering your PCI compliance questions
