Your Helpful PCI-DSS Audit Checklist

Tag: PCI Compliant



In 2019, global retail sales grew by 3.4% from the previous year to hit $21 trillion. Global eCommerce accounted for 16.4% of total retail sales at $3.46 billion. Ecommerce sales continue to grow, thanks to globalization and the internet. 

This growth also comes with a few challenges, among which is payment card fraud. In 2018, payment card fraud amounted to $27.85 billion and was expected to hit $35.67 billion in the next five years.

If you intend to pursue the e-commerce route, you’ll need to consider a few things, one of which is the payment method. How many payment alternatives will you offer your customers? Are the payment methods secure?

Your customers will offer you their financial data on a silver plate; they expect that it’s secure and confidential. To guarantee this, you need to prove that you’re PCI-DSS compliant.

What is PCI-DSS?

This is a set of standards formulated by the PCI Security Standards Council. This council is made up of major credit card companies who joined forces to create security standards that protect credit card data.

As a merchant, your compliance guidelines are dictated by the number of annual transactions. Merchants are grouped into four levels:

  • Level 1

This covers merchants who handle over 6 million transactions every year or have experienced a data breach.

  •  Level 2

Merchants who handle 1-6 million transactions annually.

  •  Level 3

Merchants with less than a million transactions but more than 20,000 annual transactions.

  •  Level 4

Merchants with less than 20,000 annual transactions.

Each of these levels has different compliance requirements. The more the transactions you process every year, the tougher the compliance requirements become.

PCI DSS Compliance Checklist

PCI has six control objectives that constitute twelve compliance requirements. These requirements are not subject to merchant levels; thus, all merchants are required to adhere to the compliance requirements regardless of transaction volume.

These control objectives include:

  1. Secure Network and Systems

This control objective has two requirements:

  • Protect cardholder data by installing and maintaining a firewall

Firewalls are barriers that protect your network by preventing security threats from accessing or spreading through your network. Firewalls act as filters that determine whether information passing from one computer to another is safe or not.

  • Limit the use of vendor-supplied passwords

Every system comes with security parameters, among which are passwords. These passwords are often easy to hack; thus, you should change them before you deploy the systems. Ensure that you update system configurations and security measures as you identify new threats.

  1. Protect Cardholder Data

Cardholder data refers to personally identifiable information that’s associated with a credit or debit cardholder. According to PCI DSS, cardholder data includes PAN, which is the unique payment card number used to identify the cardholder’s account and the issuer. The standards require that merchants encrypt the transmission of cardholder data and protect stored cardholder data as stipulated in the guidelines.

  1. Implement vulnerability protection programs 

Create a program to help you identify weaknesses in your payment card infrastructure system. Hackers will exploit these vulnerabilities to access your cardholder which you can mitigate by:

  • Implementing measures to protect your systems against cyberattacks such as malware.
  • Maintain secure systems
  1. Access control measures

Limit access to cardholder data by vetting everyone who needs access to this data. This is achieved by:

  • Restricting access to cardholder data

Only authorized personnel should have access to this data. Limit the privileges of everyone to a need-to-know basis and deny all other access unless authorized.

  • Authenticate access

Employees that have access to cardholder data should be assigned unique identification. They will use these identifications to access the data, thus making it easy to track how data is handled. Do not use group IDs; every member with access needs unique identification.

  • Restrict physical access to the data

Your onsite systems are also vulnerable to attacks or internal leaks; thus, you need to put measures in place to limit physical access to cardholder data.

  1. Monitoring and testing networks

Monitor your physical and wireless networks to identify vulnerabilities that cybercriminals can exploit to gain unauthorized access to your systems and data. To prevent cybercriminals from exploiting these vulnerabilities, you are required to:

  • Thoroughly track, analyze, and monitor cardholder environments in search of weakness.
  • Frequently test your system components, processes, etc. to ensure that you maintain security over time. 
  1. Information security

Your business needs a strong security policy that details the responsibilities of your employees towards protecting cardholder data.


PCI compliance isn’t a guarantee that your systems and data are safe; hundreds of companies have experienced data breaches despite being PCI-DSS compliant. Achieving compliance is merely a baseline. You need to meet the requirements as stipulated by the governing body and implement extra measures that protect your systems from emerging threats. You can never be too sure when dealing with cybersecurity, going the extra mile helps prevent cyber attacks.

About the author

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.


What is the PCI Data Security Standard and why should I care?

PCI Data Security Standard or PCI DSS are the standards governing credit card industry. The task of administration of these standards is entrusted to the Payment Card Industry Security Standards Council. The main aim of these standards is to create a safe environment for credit card transactions and minimize the risk of financial frauds. While credit card protection is vital for all the users, it is of utmost importance for online businesses. Compliance with PCI DSS can help you secure your business as well as your clients’ sensitive information.

What is PCI DSS?

PCI DSS are internationally applicable and are designed to maintain the integrity of customer data and merchant payment systems. The standard was originally proposed to encourage the credit card companies to take adequate steps to ensure the safety of the data. In order to be PCI DSS compliant, an organization is required to fulfill twelve core requirements which include the obligation to build and maintain a secure network, protect the data pertaining to the cardholders and implement robust access control measures. There are also different levels of compliance, which you may choose to best meet your resources and requirements. Even if you outsource your payment processes, you are still required to be PCI DSS compliant. Similarly, you are required to fulfill PCI DSS requirements even if you do not store credit card data.

How to Become PCI DSS Compliant?

There are several ways to fulfill 12 core requirements for becoming PCI DSS compliant. Some of the steps you can take to ensure that your business complies with the set regulations are given below:

  • Ensure the safe recording of financial information such as credit card numbers, expiry date and CVV. You can simply outsource your requirements to a payment gateway which will then be responsible for the proper upkeep of data.
  • Update software and How security programs on your machines so that the malicious codes may not be installed on them.
  • Educate your employees to take adequate measures to secure the data. All systems should be password protected and such passwords should be frequently changed. Further, the employees should also be directed to not share their passwords and other login details.

There are main four levels of compliance and these levels are defined on the basis of transaction volume. Level 4 is applicable to businesses processing less than 20,000 transactions annually, whereas Level 3 covers the organizations carrying out 20,000 to 1 million transactions annually. Level 2 is applicable where the volume of transactions is between 1 and 6 million in a year and the upper most level is Level 1, which needs to be complied with by the businesses processing over 6 million transactions.

The process to become PCI DSS compliant varies for different organizations, based on their policies and procedures. The standard is applicable to all the businesses which process, transmit or store card details. You can start the process by completing the self-assessment questionnaire and undergoing vulnerability scan with an approved scanning vendor.

Why PCI DSS Compliance is Important?

The main aim of PCI DSS is to make payments processes safe and secure. The standard provides guidelines about the prevention and detection of data loss and payment frauds. It also offers remedial steps to be undertaken in cases where breach has already occurred. The compliance with this standard is important to ensure that the risk of a financial breach is minimized.

An organization can also boost its image and reliability by complying with PCI DSS. In the absence of such compliance, it may lose out on traffic and revenue volume as its clients may choose not to deal with the firm, in order to protect their financial details. The compliance with PCI DSS helps in elevating the trust level, which ultimately leads to a stronger top line.

Apart from gaining clients’ trust, compliance with PCI DSS can ensure the longevity and survival of the business as well. Financial data breaches can have devastating consequences for a business. Such frauds may lead to financial and even criminal liabilities, severely hampering the operations of an organization. Therefore, it is important that the risk of such catastrophic events is curtailed by following PCI DSS norms.

Boost sales conversion with the right payment integration strategy

Boost sales conversion with the right payment integration strategyWhile window shoppers are welcome to browse the e-commerce website, merchants are mainly concerned with serious buyers who proceed to the payment gateway after adding the products to the cart. We shall look at the various approaches of how to integrate a payment gateway and the best option to increase sales conversion.

  1. Redirect the customer: The online payment platform is hosted on an external third-party webpage. It is not integrated into the merchant’s own website. Thus, the customer is redirected to a website with a different URL.
    • Disadvantages: The merchant lacks control of the payment process as it is outsourced to an external vendor. The customer might not enjoy services of the same standard as those offered by the merchant. Poor server speed or any other payment processing error that hampers payment would adversely reflect on the brand image of the merchant.
    • For the merchant: The merchant has no control over the operational aspects like error message, back-end process and security levels. Further, there is no way for the merchant to confirm customers’ payments. In many cases, redirection can hurt sales. The customer might abandon the purchase on being directed to a separate website with different design and logo, owing to security concerns. One might even end up losing business to a rival that offers more convenient features in accepting payments.
    • For the customer: The time for the transaction to be completed depends on the speed of the third-party server. Generally, an online customer would prefer a transaction that takes minimum time until final checkout. The customer would like to see a confirmation of the order delivery on the merchant’s website after payment. It might not be possible to return to the e-commerce site after payment.
  2. I-frame based forms: The iframe feature allows one to add an external payment form to one’s website. This works like an appendage to one’s payment page, in return for a code received from the payment solutions company. However, the design is as per the payment provider. This would cause inconsistency with the layout of the webpages of one’s own website. Further, in case the third-party servers are down or operating slowly, the customer might face issues in making payments. One would not be in a position to offer much support and track the error in real time as the payment process is outsourced. Code changes might also have limited options. The delay might result in the customer cancelling the order or abandoning the cart. Payment management is difficult as the merchant lacks control over the process.
  3. Customized forms: The custom form is completely integrated into the merchant’s own website. Thus, the payments process is completely managed onsite. The input fields like the customer details to be entered within the HTML payment page can be entirely customised. The payment processor handles the security aspect of the payment gateway, ensuring it is compliant with the leading PCI certification. This ensures that the customer data is safe and confidential. Since the merchants obtain real-time information, they can offer live chat support to the customer in the event of any difficulty in making payments. With the customization feature, the merchant can design a payment form compatible in look and need with the rest of the website. The last option is a sure-shot way to boost sales conversion. The merchant has complete control of the transaction and there is no risk of any dilution in quality at any stage.

In online transactions, it’s best not to risk losing control of the business transaction to a third party at the crucial stage of payment processing. Hence, it’s best for a merchant to take complete ownership from start to end of each online transaction. This would entail having a seamlessly integrated, customized payments platform within one’s e-commerce site. Often, a crucial decision like payment integration can result in winning or losing customers.

6 Ways to Ensure Secure Online Payments

6 Ways to Ensure Secure Online Payments

Today, even though so many people depend on online transactions extensively while shopping or paying bills, there are many others who are afraid of going digital. Since some myths about online payments are still out there, it can be tough for people to trust the authenticity of this payment mode.

So, as an online merchant, you need to assure your customers that the payment gateway you use is safe. Only then can you expect increased traffic and better sales. There are plenty of ways to eliminate the risks associated with online transactions and ensure secure payments. Read on to know about them.

Online Payments – The Need of Every Hour

The reason why a huge number of people go online to shop for everything from fashion garments and groceries to pet food and baby products is because, it is simple, fast and reliable. Naturally, seamless and safe online payments are what they look forward to.

So, before you take payments online, make sure you are aware of at least the basic security measures. Educate your employees and customers about the same, so that frauds and scams can be avoided as much as possible.

  • Do Not Underestimate a Strong Password

Most of the times, people set obvious passwords – such as name, date of birth, mobile number – that anyone, with a little effort, can decode. Hackers are especially adept at this. So, make sure you insist that the customer provides a password that comprises of more than 6 digits including special characters, alphabets, and numbers. But at the same time, they should choose a password that they will not forget.

  • Be a Trusted Website

Malicious websites can expose the customers’ personal as well as account information. So, you need to make sure that you are a trusted website. How can you achieve that? You need a valid SSL certificate for this, and make sure that the terms of services and privacy policy are clearly mentioned, and payments are processed via secure payment processors.

  • Authenticate Everything

When it comes to your business and customers, it is really important to not be careless. After all, it’s really hard to grow a business and even harder to maintain a healthy relationship with your customers.

You should make sure that the transactions which are done on your website are 100% secure. Some of the ways of authenticating online payments are using two-factor authentication (2FA), using a 3D secure pin, and so on.

  • Install Anti-Malware Software

The chances of getting hacked increases when your website doesn’t have any anti-malware protection. So, you should install the latest anti-malware software as it shuts down all the online attack vectors. Not only does it deal with the old malware or viruses, but takes care of new malware attacks as well.

  • Secured Connection is All That You Need

Now, we don’t know if you already know this or not but you must keep your connection secure by figuring out the difference between a secure connection and an unsecured connection. The secure connection starts with https://, and the unsecured one with http://. You must install an SSL certificate to ensure a secure connection for taking online payments.

  • PCI Compliance Is Important

It is very important to make sure that the cardholder’s data is safe. To ensure this, it is mandatory that the merchants fulfill all requirements mentioned by PCI SSC. Since online payments require holding and processing cardholder’s data, you must ensure that your online shopping portal is hosted on PCI-compliant servers.

All in all, it is possible to secure online payments effectively if you follow the tips above. Adopting a PCI-DSS compliant payment gateway can solve your problems to a great extent. Also keep all your software updated and inform your customers about security measures for better results.

Why is It Important to Be PCI Compliant?

Why is It Important to Be PCI Compliant?

The e-commerce market continues to grow at an incredible pace across all industries.  More consumers now shop online, and online retail sales keep increasing every year. However, it is not all hunky dory in the online business landscape. One of the biggest concerns online businesses must grapple with is the increase in data breaches.  Now that payments happen online, there is a big risk of data loss without proper data protection mechanisms. The industry has adopted secure online payment systems, but there is still a need for regulation and close monitoring. This is where Payment Card Industry (PCI) standards come in to protect cardholder data. If you are an online business owner, there are various benefits of becoming PCI compliant.

This article examines the risks of insecure payment systems, PCI standards and the importance of PCI compliance. Keep reading.

PCI in Brief 

The advent of internet technology provided an ample opportunity for businesses to expand their reach. As more people went online, trendsetters in all industries moved their operations to this platform to tap into the new opportunities. The early online stores had to accept credit cards to offer a seamless online shopping experience, and this is where security problems started.

With no regulation on data security, data processing, and data storage, it was only a matter of time before credit card fraud started to hamper online shopping. At this point, providers of payment solutions came together to develop the Payment Card Industry Data Security Standard or PCI DSS compliance standard.

PCI standards define data security requirements for businesses handling online payments. The bottom-line is to protect the online shopper by minimizing risk to cardholders’ data. Today, this is an industry regulatory requirement accepted worldwide. Businesses must undergo rigorous requirements, to become PCI compliant and it is an ongoing process.

Reasons for PCI Compliance

The process of PCI compliance is tough but when your company is compliant, there are multiple benefits you enjoy. These include:

  1. Reducing the Risk of a Data Breach

The last thing you want as an online business owner is for your customers to lose their data while transacting on your website. This can lead to devastating lawsuits, loss of brand trust and ultimate failure of your business.  Information flow online is fast and swift and within no time, your business will hemorrhage customers leading to a slump in sales. By complying with PCI standards, you can rest easy knowing your customers’ card data is safe and secure.

  1. Increase Brand Trust

The PCI badge on your website makes shoppers more comfortable to undertake transactions. It is a badge of honor for any business to attain and it takes a lot of investment in security standards on your website.  It is easy to build customer loyalty when you offer a secure shopping experience.

  1. Boost Sales Conversion and Revenues

When your customers feel secure shopping from your website, they will always come back. If there is no security breach on your e-commerce website, there is a higher chance of retaining existing customers while attracting new ones. All these factors boost sales conversion which in turn improves returns.

  1. Avoid Costly Fines

The issue of data fraud affects all businesses in the online ecosystem. If your business suffers a data breach, there is an immediate impact on all other businesses as customers will fear the same will happen elsewhere. For this reason, your business will suffer hefty fines from PCI in case of failure to comply with the standards. These hefty fines force businesses to observe best practices in data protection while at the same time implementing all guidelines provided by PCI.

  1. Build Your Company’s Image

Internet shoppers can always switch to another online store if they feel uneasy making payments on your website.  For this reason, you need to invest heavily in your image branding and one way of doing this is by becoming PCI compliant. Consumers now appreciate the importance of security when shopping online. If you have met the highest standards, they will comfortably shop from you and recommend you to their friends too.

When thinking about facilitating online payments on your e-commerce website, you should look for a payment solutions company that will boost your efforts to achieve PCI compliance. By becoming PCI compliant, you will easily sustain your business by averting fraud, increasing customer loyalty and building brand trust.