Achieving PCI Compliance
Step-by-step process to achieve and maintain PCI compliance
- Identify and document the cardholder data environment (CDE) to understand which systems, people, and processes must be assessed under PCI DSS.
- Evaluate existing cardholder data handling systems and processes to identify gaps against PCI DSS requirements. Conduct a gap analysis to pinpoint where improvements are needed.
- For entities requiring external validation, engage a QSA to conduct an on-site assessment, or conduct a Self-Assessment Questionnaire (SAQ) if self-assessment suffices.
- Address identified gaps by implementing the controls and processes needed to meet PCI DSS requirements. This includes establishing strong access controls and robust encryption methods, as well as enhancing regular monitoring systems.
- Maintain comprehensive documentation of the security policies, procedures, and controls in place. Create detailed network diagrams, configuration standards, and logs of access and security events.
- Perform regular penetration testing and internal security reviews to ensure systems remain secure and vulnerabilities are addressed promptly.
- Complete and submit the necessary compliance documentation, such as the Report on Compliance (ROC) or the SAQ, along with the Attestation of Compliance (AOC).
- Implement ongoing monitoring of system security using intrusion detection systems, anti-malware software, and regular vulnerability scans to continuously protect cardholder data.
- Conduct annual reviews and reassessments to validate compliance and update documentation as needed to reflect any changes in the cardholder data environment or security practices.
- Embed PCI DSS controls into regular business activities, ensuring security policies are followed consistently and adjusted as necessary for new risks or operational changes.
Here is an extended step-by-step process for achieving and maintaining PCI compliance, focusing on completing Self-Assessment Questionnaires (SAQs), implementing required security controls, and completing the validation process:
- Determine the appropriate SAQ:
Select the correct Self-Assessment Questionnaire (SAQ) based on your organization's payment processing environment. Evaluate the eligibility criteria to ensure the right SAQ version is chosen (e.g., SAQ A, B, C-VT, D).
- Scope confirmation:
Properly define the scope of the PCI DSS assessment by identifying all system components and data environments that store, process, or transmit cardholder data.
- Conduct internal assessments:
Review your environment against PCI DSS requirements. Evaluate current practices, document all procedures, and identify non-compliant areas.
- Implement necessary security controls:
Security controls to implement include:
- Network security controls and application of secure configurations.
- Protecting cardholder data using encryption, strong access controls, and mechanisms for logging and monitoring.
- Ensuring anti-malware protection is active and kept current.
- Address non-compliant areas:
- Implement corrective measures to address any deficiencies identified during the assessment.
- Re-assess non-compliant elements to ensure compliance is achieved before final submission.
- Ongoing maintenance:
- Integrate PCI DSS controls into regular business processes, ensuring continuous security posture.
- Conduct regular reviews and updates to security controls, configurations, and procedures in accordance with PCI DSS.
- Complete the SAQ documentation:
- Fill out all sections of the SAQ, including the assessment information, details of assessment findings, and any non-compliant areas if applicable.
- Prepare the Attestation of Compliance (AOC), confirming compliance with PCI DSS or detailing a remediation plan.
- Testing and validation:
- Conduct required testing such as penetration tests and vulnerability scans to validate the effectiveness of controls.
- Use methods such as examining documents, observing practices, and interviewing personnel to verify compliance.
- Submit reports to relevant parties:
- Submit the completed SAQ/AOC and any additional documentation needed, such as scanning reports, to your acquirer or payment brand.
- Conduct annual reviews to ensure that all PCI DSS requirements continue to be met. Update all documentation to reflect any changes in the environment or business operations.
This process ensures that PCI compliance is not only achieved but also effectively maintained, protecting cardholder data and aligning with the PCI DSS standard. For detailed guidance tailored to your specific scenario, refer to the PCI DSS documentation and consult qualified PCI compliance professionals if needed.
PCI DSS self-assessment questionnaires (SAQs)
SAQs are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment.
| SAQ | Description |
|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. |
| B | Merchants using only: imprint machines with no electronic cardholder data storage and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. |
| C | Merchants with payment application systems connected to the internet, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| P2PE | Merchants using only hardware payment terminals included in and managed via a validated PCI SSC-listed Point-to-Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. |
| D | SAQ D for merchants: all merchants not included in the descriptions for the above SAQ types. SAQ D for service providers: all service providers defined by a payment brand as eligible to complete an SAQ. |
| SPoC | Merchants using a commercial off-the-shelf mobile device (for example, a phone or tablet) with a secure card reader that is part of a SPoC Solution included on PCI SSC's list of validated Software-based PIN Entry on COTS (SPoC) Solutions. |
Practical tips, best practices, and resources to help merchants navigate the compliance journey
- Ensure that security measures are consistently applied and monitored.
- Keep abreast of updates to PCI DSS standards and make necessary adjustments to security practices.
- Regularly train employees to maintain awareness of security protocols and data protection practices.
This structured approach ensures PCI DSS compliance is sustained over time, supporting the secure handling of payment card information.
- PCI Security Standards Council: Offers a Document Library containing a vast array of guidance documents, including:
- PCI DSS quick reference guide
- Self-Assessment Questionnaire instructions and guidelines
- Attestations of Compliance (AOCs)
By following these tips and leveraging available resources, merchants can effectively navigate their compliance journey, ensuring they meet all PCI DSS requirements and protect sensitive cardholder data.
Important: Merchants are responsible for maintaining their own PCI DSS compliance. Worldline's compliance status does not make merchants automatically compliant with PCI DSS requirements.