The PCI DSS is a set of requirements explaining how to protect you and your customers when taking card payments. These are industry-spanning requirements, so all suppliers taking payments should take the PCI DSS seriously.
When taking card payments, customers trust your ability to protect their financial data. With the PCI DSS, established by major card brands, your business can demonstrate adherence to stringent security measures. These protocols are designed to safeguard transactional data, deter identity fraud and prevent costly security breaches, enhancing your reputation as a trustworthy business.
Our PCI DSS certification service confirms your compliance with the requirements and positions you to manage ongoing security challenges effectively.
Elevate your data protection standards with PCI DSS certification from SGS
We enable you to:
- Achieve and maintain compliance with the 12 key PCI DSS requirements
- Significantly reduce the risk of security incidents
- Foster trust among customers, partners and vendors
- Enhance operational efficiency, saving both time and money
- Avoid noncompliance fines
- Gain a competitive edge in the marketplace
- Access international markets with recognized data security standards
- Pursue continual improvement for long-term business sustainability
Unrivaled PCI DSS expertise and support
As the world leader in inspection, certification and testing, we offer in-depth data security expertise for your business operations. Our comprehensive PCI DSS certification process is tailored to your organization’s needs, regardless of its size or sector. We guide you through every step – from initial gap analysis to continuous compliance maintenance. Our global presence and experience ensure that your data security measures meet international standards, helping you navigate and adapt to the evolving landscape of cyber threats.
FAQs
Visa, MasterCard, Discover Financial Services, JCB International and American Express created the PCI DSS in 2004.
There are 6 broad areas containing 12 requirements for handling cardholder data and continuously protecting a network:
- Secure network
- I. A firewall must be installed and maintained
- II. System passwords must be original, not vendor-supplied
- Secure cardholder data
- III. Stored cardholder data must be protected
- IV. Transmitting cardholder data across public networks must be encrypted
- Vulnerability management
- V. Antivirus software must be adopted and regularly updated
- VI. Secure systems and applications must be developed and maintained
- Access control
- VII. Cardholder data access must be restricted to a need-to-know basis
- VIII. Everyone with computer access must have a unique ID
- IX. Physical access to cardholder data must be restricted
- Network monitoring and testing
- X. Access to cardholder data and network resources must be tracked and monitored
- XI. Security systems and processes must be regularly tested
- Information security
- XII. An information security policy must be maintained
Your compliance level is based on the annual number of credit/debit card transactions your business processes. The level determines what you must do to maintain compliance.
- Level 1: 6 million transactions per year
- Level 2: 1-6 million transactions per year
- Level 3: 20,000-1 million transactions per year
- Level 4: <20,000 transactions per year
An organization that starts taking card payments has 90 days to meet the PCI DSS requirements. After this, you must maintain compliance and show it at least once a year.
- Understand the requirements: familiarize yourself with the 12 certification requirements.
- Identify your organization’s needs: determine the requirements relevant to you, based on the four compliance levels.
- Locate and map your payment card movements: create a data map outlining your security systems, physical access to network resources and apps interacting with card data in your business. Identify all customer-facing aspects linked to card payments and the various pathways and weaknesses.
- Complete a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC): an SAQ helps you double-check self-assessment answers. A ROC is for level-1 companies undergoing security audits, as they are valid for one year.
- Examine your security controls and protocols: the aim is to establish the correct security settings and protocols.
- Conduct quarterly scans: routinely check your operations and methods to remain compliant and follow best practices. An Approved Scanning Vendor (ASV) ensures your scans are reliable and meet PCI guidelines.
- The risk/audit/security assessment: perform a detailed risk assessment in your payment environment, measuring the complex payment flow.
- Conduct a gap analysis: review the PCI DSS requirements to identify gaps before creating a remediation plan to close them quickly.
- Conduct an internal PCI DSS audit: your internal expert or a third-party auditor checks your security functionality, reviews documents and determines any noncompliance.
- Continuously monitor your system: as the PCI DSS is an ongoing process you must regularly review plans and systems, consider additional reports and involve the relevant people.
- Prepare for PCI DSS certification: select an external Qualified Security Assessor (QSA) and what they will evaluate. The audit evaluates your security controls against the applicable requirements in your data environment, including devices, public networks and apps handling cardholder information. They also review your overall security requirements before creating a detailed report.
Every organization is different, from its size and type to its information security and cybersecurity measures. Therefore, an organization is judged individually. What you must do to comply depends on your potential security risks.
If you cannot prove you are protecting customer cardholder data, the consequences could be severe for both sides, including:
- Lawsuits
- Financial penalties
- Reputational damage
- Customer disillusionment and distrust
- Theft of customers’ money and identities