
The PCI Compliance Checklist for InfoSec Pros [XLS Download]

By Nitzan Gursky
April 23, 2023 | 5 MIN READ

Organizations across the financial and eCommerce industries, among many others, are responsible for millions of daily customer transactions. These transactions require security to comply with financial regulations and to ensure customer safety. But sometimes, things go horribly wrong. 

Consider the recent case of Crypto.com, one of the largest cryptocurrency exchanges with 50 million users. Last year, it reported $35 million in unauthorized withdrawals after an attacker accessed the accounts of almost 500 customers. How can companies ensure their users’ cardholder data stays secure as they add more endpoints and third-party vendors?

The Crypto.com attacker successfully hacked these accounts after bypassing two-factor authentication, one of the requirements for PCI compliance—a global payment card security solution. Organizations often scramble to meet PCI compliance and other regulations after an attack, but these scenarios can be prevented with the right preparation.  

This post will take a deeper look at PCI compliance and how it can ensure the security of your cardholders’ data. Most importantly, we’ll provide you with a PCI compliance checklist to understand what your organization can do to meet the PCI compliance guidelines and defend itself from these types of attacks in the future.   

What is PCI DSS compliance, and why should you care? 

With the digital payments market expected to reach $200 billion by 2027, companies must strengthen their security for cardholders. According to data from IBM, customer personally identifiable information, or PII, was still the most common and most costly type of data compromised in breaches in 2021. It was the type of data included in 44% of breaches and had an average cost per customer record of $180.

PCI DSS (Payment Card Industry Data Security Standard) requirements were developed to help companies across all industries defend against data breaches, fraud, and identity theft. Formed by the major credit card companies in 2006, the PCI Security Standards Council created a global standard to assist both consumers and companies in delivering better payment card security. Companies that create, store, and transmit Personally Identifiable Information (PII) data from payment cards must meet PCI DSS regulations to participate in international business.


Today, companies struggle to meet PCI compliance requirements, especially testing, developing, and maintaining security systems. In response, the PCI Security Standards Council released version 4.0 of the requirements that will take effect in 2024.

What are the risks and consequences of PCI non-compliance?

Businesses that don’t comply with PCI DSS face short- and long-term consequences. Short-term consequences include fines ranging from $5,000 to $10,000 monthly until the business meets the requirements. Banks facilitating payments between the merchant and the issuing bank may increase their fees or permanently stop working with the merchant. Banks can also impose stricter requirements for future transactions.


Long-term consequences for non-PCI-compliant companies include reputational damage and even the permanent closure of their business. Companies with high-level compliance failures suffer data breaches that cost over 50% more than companies with lower-level compliance failures. As many as 60% of small to medium-sized businesses are forced to claim bankruptcy within six months of a data breach.

What are the benefits of PCI compliance?

In contrast, there are many advantages for organizations that meet PCI requirements: 


What are the goals and requirements of PCI compliance?

The overall goal of PCI compliance is to establish a culture of security among organizations that generate, transmit, and store data of their customers by ensuring that they meet security standards.

The PCI compliance guidelines categorize the standards into six different goals, each of which includes two distinct requirements (all of which are found in the free downloadable checklist):  

1. Build and Maintain a Secure Network

Use firewalls to block threat actors from reaching cardholder data. Change vendor-supplied default passwords, implement strong passwords, and update them regularly.

2. Protect Cardholder Data

Use encryption when storing or transferring cardholder data. Implement other types of data protection, such as masking, hashing, and erasing data as necessary. 

3. Maintain a Vulnerability Management Program

Install anti-virus software and update it regularly to defend against malware. Malware is one of the most common methods attackers use to steal PII data.

4. Implement Strong Access Control Measures

Access to cardholder data should be restricted and permitted only on a need-to-know basis. Those with access should have unique IDs and passwords and be required to use multi-factor authentication. Limit physical access through the use of key locks and badges. 

5. Regularly Monitor and Test Networks

Implement a logging process to track access to cardholder data so that your organization can conduct effective security investigations in the event of an attack. Scan security systems and processes for vulnerabilities and ensure they receive penetration testing at regular intervals.
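Goals 2 and 5 above meet in practice at one point: a primary account number (PAN) must be masked or hashed wherever it is displayed or stored, and the access logs you keep for investigations must not themselves leak full PANs. The following is an added example, not code from the original post or from CybeReady, showing three pieces of that in Python: truncation to the first six and last four digits, a keyed one-way hash that lets records be correlated without storing the PAN, and a redaction pass over free-text log lines that only rewrites digit runs that pass the Luhn check. The key, the sample card numbers and the log lines are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key for the example only; a real deployment keeps the
# HMAC key in an HSM or key-management service, never in source code.
DEMO_HMAC_KEY = b"demo-key-not-for-production"

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs
    such as order numbers or timestamps before anything gets redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the usual PCI DSS
    display limit) and replace everything in between with asterisks."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_surrogate(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way hash of the full PAN. Records can be joined on the
    surrogate, but without the key the PAN cannot be brute-forced from it."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Rewrite any Luhn-valid card-number-looking run in a log line to its
    masked form, leaving other long digit runs untouched."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed log lines: a test PAN that passes Luhn and a ticket number that does not.
    sample = [
        "2023-04-23T10:00:01Z payment declined card=4111 1111 1111 1111 user=alice",
        "2023-04-23T10:00:02Z ticket 4111111111111112 opened by bob",
    ]
    for line in sample:
        print(redact_pans(line))
    print(pan_surrogate("4111111111111111")[:16], "...")
```

Run the redaction before log lines are written, not afterwards: once a full PAN has reached a log aggregator or a backup, that system is inside the cardholder data environment and must itself be assessed.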

6. Maintain an Information Security Policy

Properly communicate your company’s security processes and document them for employees, management, and third-party vendors. Everyone should be aware of the responsibility they face regarding cybersecurity matters.

What are the PCI compliance levels?

PCI compliance is divided into four levels according to the number of annual transactions a company generates.

PCI Compliance Level   Annual Transactions              Requirements
Level 1                Over 6 million                   Annual on-site security assessment by a Qualified Security Assessor (QSA)
Level 2                Between 1 and 6 million          Annual on-site security assessment by a Qualified Security Assessor (QSA)
Level 3                Between 20,000 and 1 million     Annual self-assessment questionnaire (SAQ) and quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)
Level 4                Fewer than 20,000                Annual self-assessment questionnaire (SAQ) and quarterly network vulnerability scans by an Approved Scanning Vendor (ASV)

The more transactions an organization handles, the more stringent the requirements become, making PCI compliance more difficult. The four levels ensure that all organizations adhere to specific compliance standards while also taking individual risk factors and infrastructure capabilities into consideration.

PCI Compliance is Easier with the Right Training

After the attack, Crypto.com quickly revamped its two-factor authentication system, requiring it for all users. It became one of the first cryptocurrency exchanges to announce full PCI compliance later that year.

But even after dedicating itself to extensive changes to its system and security, it’s still not easy for organizations like Crypto.com to continue maintaining PCI compliance in the future. According to the Verizon 2022 Payment Security Report, even though organizations meeting PCI compliance have increased since 2020, only 43% have been able to maintain full compliance.

Ultimately, PCI compliance is first achieved by completing the goals and steps outlined in The PCI Compliance Checklist for InfoSec Pros [XLS Download], and then maintained through employee cybersecurity awareness training.

CybeReady helps your organization deploy a comprehensive cybersecurity awareness program quickly and offers AuditReady tools to generate PCI compliance reports instantly—so you’ll always be ready for a potential audit.

Get a free demo of CybeReady today and start keeping your organization PCI-compliant and your customers’ transactions more secure.
