Skip to content

Payments | PCI Compliance Requirements for Merchants

In 2018 British Airways leaked 400,000 customer records, costing $26 million in fines. Fines aren’t the only issue when it comes to ensuring your business is PCI compliant.

This article includes:

  1. What is PCI Compliance?

  2. The 12 requirements for PCI DSS Compliance.

  3. Benefits of PCI Compliance.

  4. Potential setbacks of being non-compliant.

  5. Resources.

What is PCI Compliance?

A few other potential repercussions from failure to be PCI Compliant are:

  1. Loss of Customers: How likely do you think a customer will return to your business (hotel, restaurant…etc) after their data has been compromised?

  2. Lawsuits: Failure to comply with PCI standards can result in lawsuits from customers, credit card companies, and even the government.

  3. Audits: Failure to comply with PCI standards can result in an audit from the PCI Security Council, Card Companies, and yes…also the government.

  4. Tarnished Brand Image: Best case, an unhappy customer voicing their displeasure on the internet post-data breach. Worst case, the press may likely pick up the news and make it known to your entire industry that your company can not keep sensitive data safe.

You can see why it is important to have an understanding of PCI Compliance and how to take the proper precautions in order to keep yourself safe from the issues above. Let’s dive in…

Launched September 7, 2006, The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. Visa, MasterCard, American Express, Discover, and JCB created an independent body, The PCI Security Standards Council (PCI SSC), that administers and manages the PCI DSS. Somewhat ironically, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.


PCI DSS ensures the secure processing, storing, or transmitting credit card information which is complied by companies

The 12 requirements of PCI DSS Compliance

The PCI SSC lists out specific requirements for what is needed to become and remain compliant, the 12 commandments of PCI Compliance if you will. Abide by these requirements, and you will be much safer from a data breach and less liable to incur catastrophic fines and lawsuits.

1. Install and maintain a firewall configuration to protect cardholder data

Usually the first line of defense against hackers. Firewalls help prevent unauthorized access.

2. Do not use supplied default system passwords and other security parameters

Routers, modems, point of sale (POS) systems, Property Management Systems (PMS), and other third-party products often come with generic passwords and security measures easily accessed by the public or hackers. It is required that these are changed.

3. Protect stored cardholder data

Card data must be encrypted. Regular maintenance and scanning of primary account numbers (PAN) are necessary to ensure no unencrypted data exists.

4. Encrypt transmission of cardholder data across open, public networks

Cardholder data must be encrypted whenever it is sent to any connection for your company. Account numbers should also never be sent to any unknown locations.

5. Use and regularly update anti-virus software or programs

Installing anti-virus software is required for all devices that interact with and/or store PAN. This software must be regularly patched and updated.

6. Develop and maintain secure systems and applications

Update every piece of software in your business. These updates are especially required for all software on devices that interact with or store cardholder data.

7. Restrict access to cardholder data by business need-to-know

Does the hotel receptionist need to see the card data? Cardholder data is required to be strictly “need to know.” All staff, executives, and third parties who do not need access to this data should not have it. The roles that do need sensitive data should be well-documented and regularly updated.

8. Assign a unique ID to each person with computer access

Individuals who do have access to cardholder data should have individual credentials and identification for access.

9. Restrict physical access to cardholder data

Any cardholder data must be physically kept in a secure location. Both data that is physically written or typed and data that is digitally-kept (e.g., on a hard drive) should be locked in a secure room, drawer, or cabinet. Not only should access be limited, but anytime the sensitive data is accessed, it should be kept in a log to remain compliant.

10. Track and monitor all access to network resources and cardholder data

All activity dealing with cardholder data and primary account numbers (PAN) require a log entry. Compliance requires documenting how data flows into your organization and the number of times access is needed.

11. Regularly test security systems and processes

PCI DSS requires regular scans and vulnerability testing across all aspects of the business.

12. Maintain a policy that addresses information security for employees and contractors

Inventory of equipment, software, and employees that have access will need to be documented for compliance as well as the logs of accessing cardholder data. How information flows into your company, where it is stored, and how it is used will also all need to be documented.

Benefits of PCI Compliance.

Complying with PCI Security Standards can seem like an impossible and costly task. The number of standards and issues seems like a lot to keep up with, especially for smaller companies with limited resources. Yet, as compliance is becoming more important it may not be such a mountain to climb with the proper tools and partners in place.

Many businesses get around all of the nuances that come with being PCI Compliant by outsourcing all of their PCI Compliance and payment requirements. Companies such as Kovena, a global payments and compliance company, store all customer information in a tokenized vault and connect to a businesses infrastructure in a PCI Compliant manner…taking all the weight off their shoulders. When looking for a partner to outsource this, make sure to choose a system that seamlessly fits into your operating structure and if possible, provides a fully embedded system to help with organisational efficiencies. By either building a compliant system yourself or outsourcing this, you gain some valuable benefits.

We’ve listed just a few of the benefits to being PCI Compliant below:

  1. Improves your reputation with customers by showing that your systems are secure and they can trust you with their sensitive information. More loyalty, more return customers.

  2. Improves your reputation with acquirers and payment partners.

  3. PCI Compliance likely leads to improving IT infrastructure efficiency, so you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others.

  4. PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution.

Tools and resources available from PCI SSC:

Fortunately, the PCI Security Standards Council (SSC) provides comprehensive standards and resources, which include specification frameworks, tools, measurements, and support resources to help organizations ensure the security of cardholder information, measures to prevent a data breach, and appropriate reaction to security incidents.

  1. Self-Assessment Questionnaires to assist organizations in validating their PCI DSS compliance.

  2. PIN Transaction Security (PTS) requirements for device vendors and manufacturers and a list of approved PIN transaction devices.

  3. Public resources:

    1. Lists of Qualified Security Assessors (QSAs)

    2. Payment Application Qualified Security Assessors (PA-QSAs)

    3. Approved Scanning Vendors (ASVs)

    4. Qualified PIN Assessors (QPAs)

    5. Internal Security Assessor (ISA) education program

We hope this information helps on your mission to become PCI Compliant. If you have any questions or are interested in more details on how Kovena or our partners can assist you in your payments and compliance needs, please feel free to contact us using the form below.

If you’re interested in learning how you can outsource your PCI compliance, contact us now.