Guides and reports

What PCI stands for and how to become PCI compliant

Helen Huyton, Merchant Data Security Analyst at Adyen dives into the not-so-scary world of PCI compliance and what you can do to become compliant quickly and easily.

Helen Huyton, Merchant Data Security Analyst  ·  Adyen
March 3, 2020
 ·  6 minutes
Illustration of a payment card

Disclaimer:This article should be used only for guidance purposes, and should not be taken as definitive advice. You should always consult your acquirer or a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA) for clarification. It’s mostly relevant for companies processing less than 6 million transactions.

As the population increases, so does the amount of data that’s processed every single day. In the last few years alone, over 90% of the data in the world was generated. It’s a fascinating prospect, and it’s only going to increase.

According to PCI SSC,the average total cost of a data breach is $3.8 Million. And as a growing business, you need to know how to cope with it to set yourself up for success. It’s hard to stay on top of, as you want to be focusing on growing your business rather than worrying about data breaches.

The poor handling of payment card details in particular can have serious implications. If your business isn’t trusted, then you won’t be successful. It’s obvious, and you only need to take a few steps to keep cardholder data secure and be PCI compliant.

In this article, we’ll explore what we’ve learned over the years on how a growing business like yours can take data security seriously. And we’ll outline the steps you can take to build a sustainable business that’s successful now, and over time.

What is PCI compliance?

  • Name: Payment Card Industry Data Security Standards (PCI DSS).
  • Created by: Payment Card Industry Security Standards Council (PCI SSC).
  • Goal: Prevent the theft of cardholder details.

What do you need to do?

To become compliant, you will have to implement the requirements that are applicable to your business set forward by PCI DSS. And alsofill in a form or two. Below we’ll highlight the most common form called a ‘Self-Assessment Questionnaire A’ or ‘SAQ A’. The SAQ A is intended as a tool to help you assess which requirements you need to implement.

To help with your understanding, its fundamentals consist of three security best practices you need to know and take action on.

  1. Don’t use preset usernames and passwords, and don’t use any factory settings.
  2. Use strong passwords and unique user IDs. At least 7 character passwords (numeric, alphabetic and special characters).
  3. Stay up to date with new software patches as soon as they’re released.

How can we help you and your business?

Please note that you have to complete the SAQ A yourself but we’re always here to help guide you in the right direction when it comes to compliance and filling in these forms. Feel free to get in touch usingour contact formandcheck out our PCI FAQ.

A little introduction to PCI DSS

To protect cardholder data, reduce fraud, and minimize the chances of a data breach resulting from malicious attacks, the PCI SSC has implemented certain technical and operational requirements. These requirements apply to every company that collects, processes, stores, or transmits cardholder data. These are called PCI DSS, short for Payment Card Industry Data Security Standards.

Every business accepting credit card payments has to comply with PCI DSS. And even though PCI DSS is not part of any law, the standard is applied around the world.

Every business has to make sure they are compliant every year with PCI DSS by completing one of the official PCI SSC validation documents. And there are some pretty significant penalties and costs for organizations that don’t comply with the requirements.

Being PCI compliant minimizes the chances of a data breach resulting from malicious attacks. It doesn't completely eliminate the chance of a compromise. However, the card brands may significantly lower or eliminate PCI fines if the company in question has taken all the necessary steps to be PCI DSS compliant.

Image showing 7 steps to be compliant with PCI DSS

7 steps to become compliant with PCI DSS

1. Map the flow of cardholder data

Create an accurate data flow diagram to map the movement of cardholder data. This includes any applications, systems and people who work with credit card data, including Service Providers. This is usually done with the assistance of IT staff.

2. Scope your environment

The scope is the identification of people, processes, and technologies that interact with or could otherwise impact the security of the cardholder data (CHD). More information can be foundhere.

3. Make an assessment

Assess your current level of PCI compliance according to an SAQ A. The person completing the assessment should have sufficient knowledge to be able to assess the environment.

4. Make any necessary changes

You may realize your business falls short of at least one criterion. If this is the case, take time to make any necessary security improvements to your business.

5. Fill out the Self-Assessment Questionnaire (SAQ) A

This form should be completed and signed by a professional qualified to sign off on security related matters. This might be your Chief Security Officer or Chief Technology Officer.

6. Submit documents to Adyen

Once you’ve completed your forms, you can submit them to us.

7. Setup regular monitoring

Make sure you monitor compliance on an ongoing basis throughout the year, as PCI DSS is not a single event, but a continuous, ongoing process.

Sometimes your payment page may be overlooked

If an attacker gains unauthorized access to your website, they can find ways to deceive the shopper. For example, attackers can create alternative content for the Drop-in or Components, or drop an IFrame over the already existing IFrame. In these scenarios, the payment may still be completed, but a copy of the cardholder data is sent to the attacker.

The risks associated with this integration can be significantly reduced by implementing the requirements as outlined in the SAQ A.

Filling in your documents

It may seem a little overwhelming at first, but the steps you have to complete aren’t that complicated. One of the final steps is to complete a self-assessment questionnaire. It’s good to fill this in as soon as you can as your payments provider can’t do it for you.

We require different documents, depending on integration. If you’re an Adyen customer, you can find out more about these bygoing to our documentation page. There you’ll find a full breakdown of the forms that you’ll need to complete during your integration. If you process less than 6 million transactions peracquiringregion per year, you are eligible to complete an SAQ.

With many things on your list to do whilst growing your business, data security can sometimes take a back seat. Being compliant isn't as hard as you may have thought. We offer a variety of encryption solutions along with our secure, PCI Compliant platform.

This way you never see and never have access to unencrypted cardholder data. It’s less work for you to comply with PCI DSS, and you’re less likely to be exposed to a cardholder data environment.

What’s next for PCI?

We’re now waiting to hear more from the next version of PCI (version 4), which will be released later this year. As always, we’re ahead of every change and update to compliance standards around the world. And we work closely with all parties involved to keep you, us, and the world a more secure payments space.

Read next

PCI DSS compliance guide

Everything you need to know about PCI DSS compliance guide in our documentation site.

Go to guide

About the author:Helen Huyton guides Merchants on PCI DSS related topics with expertise in the risks involved per integration, how to mitigate the risks and which validation documentation is required in order to be PCI compliant.

Fresh insights, straight to your inbox

By submitting your information you confirm that you have read Adyen's Privacy Policy and agree to the use of your data in all Adyen communications.