How to Become PCI Compliant
If you are a business looking to do PCI compliant hosting but not sure where to begin, this detailed guide is enough to get you started. Traditional ways of transferring money are changing as the world is progressing with every passing minute.
Old methods of using cash, whether for everyday purchases or businesses are now being abandoned. Now, more and more people are preferring the use of credit cards over hard cash.
However, with every new advancement comes its fair share of pros and cons.
Although credit cards have eased the storage as well as transaction of money, there is still a huge risk of fraud. Especially in the current times as cyberattacks and unethical hacking is on the rise. This is a huge cause of concern for businesses functioning on the basis of credit cards.
Any consumer must be able to trust the business they are supporting, with the credit card information being exchanged for a particular service. Fortunately, PCI compliant hosting is a way for businesses to protect the credit card information of clients. For starters, PCI DSS is short for Payment Card Industry Data Security Standard.
PCI compliant hosting is a requirement set by credit card companies to ensure that all credit card transactions by businesses are made safely. It is a set of guidelines for merchants to guarantee the security of credit card holders in the payment industry. The criteria for PCI compliant hosting involve satisfying the PCI compliant security standards council. It must be certified that all standards set by the credit card companies to protect credit card holders’ transactions are being met by the businesses being run.
PCI-compliant hosting although not obligatory by law, is mandatory through court precedent. If you have a business and are looking to do PCI compliant hosting, here is a step-by-step guide to get you started. To begin with, you should get familiar with the PCI compliance standard, set forth by the PCI security council, that applies to you. In order to ensure that a business is PCI compliant hosting, PCI compliant DSS has set forth 12 key requirements, including 78 base requirements, and 400 test procedures.
Tell us what you're looking for and we'll offer you personalized software recommendations.
Requirements for PCI compliant hosting
The PCI compliant hosting requirements are broken down into six different categories with different requirements:
- Build and Maintain a Secure PCI compliant Network
Below are the 12 core requirements for PCI compliant hosting.
Requirement 1: Foremost of all, Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect Cardholder Data to be PCI compliant
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
- Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
- Implement Strong Access Control Measures to stay PCI compliant
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
- Regularly Monitor and Test Networks to Continue to Stay PCI Compliant
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
- Maintain an Information Security Policy to Stay PCI Compliant
Requirement 12: Maintain a policy that addresses information security.
The next step is to figure out your PCI-compliant hosting level. Merchants fall under four categories of PCI compliant hosting, depending on the number of transactions they process each year, and whether those transactions are performed from a brick-and-mortar location or over the Internet. Remember: all merchants that process credit cards—whether small or large—must be PCI compliant.
Now here is where PCI compliant hosting for merchants can get a bit tricky: each payment card brand (Visa, MasterCard, etc.) has its own requirements for PCI compliant hosting. You need to know the different PCI compliant hosting deadlines and requirements for each payment card brand. To give you a general idea of what you need to do as a merchant, here are Visa's PCI requirements for merchants:
Level 1 Merchants for PCI compliant hosting:
These include the merchants that have over 6 million transactions, according to the Visa PCI DSS compliance guide. Companies at merchant level 1 are the largest with the most transactions. Merchants looking to do PCI compliant hosting at this level need to submit the following;
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
- Quarterly network scan by Approved Scan Vendor (ASV)
- Attestation of Compliance Form.
Level 2 and 3 Merchants for PCI compliant hosting:
Organizations that have more than 1 million transactions but less than 6 million are included in level 2 and level 3 merchants. PCI Merchant Level 2 consists of medium to large companies and has many transactions. Similarly; PCI Merchant Level 3, also includes medium-sized companies with moderate transactions.
Merchants at this level are required to submit two forms to be able to do PCI compliant hosting;
- First is the ‘Annual Self-Assessment Questionnaire (SAQ)’ that the merchant must fill internally.
- Secondly an Attestation of Compliance (AOC), in which the contents of the SAQ are verified by a QSA. Lastly, a quarterly network scan by ASV is to be submitted.
If organizations at merchant level 2 can log over 6 million transactions in their financial year, they can be updated from SAQ to ROC, achieving level 1 status.
Level 4 merchant for PCI compliant hosting:
PCI level 4 merchants include companies that are the smallest and have the lowest annual transactions. Merchants at this level are advised to submit;
- Annual SAQ is recommended, however, there is no need to verify from third parties.
- Quarterly network scan by ASV if applicable
- Compliance validation requirements are set by the acquirer.
This is a gist of the essentials necessary to be a part of a PCI compliant host. Check what level you fit in, and tick mark the requirements from the above to become a PCI compliant hosting business.