Your Helpful PCI-DSS Audit Checklist




In 2019, global retail sales grew by 3.4% from the previous year to hit $21 trillion. Global eCommerce accounted for 16.4% of total retail sales at $3.46 billion. Ecommerce sales continue to grow, thanks to globalization and the internet. 

This growth also comes with a few challenges, among which is payment card fraud. In 2018, payment card fraud amounted to $27.85 billion and was expected to hit $35.67 billion in the next five years.

If you intend to pursue the e-commerce route, you’ll need to consider a few things, one of which is the payment method. How many payment alternatives will you offer your customers? Are the payment methods secure?

Your customers will offer you their financial data on a silver plate; they expect that it’s secure and confidential. To guarantee this, you need to prove that you’re PCI-DSS compliant.

What is PCI-DSS?

This is a set of standards formulated by the PCI Security Standards Council. This council is made up of major credit card companies who joined forces to create security standards that protect credit card data.

As a merchant, your compliance guidelines are dictated by the number of annual transactions. Merchants are grouped into four levels:

  • Level 1

This covers merchants who handle over 6 million transactions every year or have experienced a data breach.

  •  Level 2

Merchants who handle 1-6 million transactions annually.

  •  Level 3

Merchants with less than a million transactions but more than 20,000 annual transactions.

  •  Level 4

Merchants with less than 20,000 annual transactions.

Each of these levels has different compliance requirements. The more the transactions you process every year, the tougher the compliance requirements become.

PCI DSS Compliance Checklist

PCI has six control objectives that constitute twelve compliance requirements. These requirements are not subject to merchant levels; thus, all merchants are required to adhere to the compliance requirements regardless of transaction volume.

These control objectives include:

  1. Secure Network and Systems

This control objective has two requirements:

  • Protect cardholder data by installing and maintaining a firewall

Firewalls are barriers that protect your network by preventing security threats from accessing or spreading through your network. Firewalls act as filters that determine whether information passing from one computer to another is safe or not.

  • Limit the use of vendor-supplied passwords

Every system comes with security parameters, among which are passwords. These passwords are often easy to hack; thus, you should change them before you deploy the systems. Ensure that you update system configurations and security measures as you identify new threats.

  1. Protect Cardholder Data

Cardholder data refers to personally identifiable information that’s associated with a credit or debit cardholder. According to PCI DSS, cardholder data includes PAN, which is the unique payment card number used to identify the cardholder’s account and the issuer. The standards require that merchants encrypt the transmission of cardholder data and protect stored cardholder data as stipulated in the guidelines.

  1. Implement vulnerability protection programs 

Create a program to help you identify weaknesses in your payment card infrastructure system. Hackers will exploit these vulnerabilities to access your cardholder which you can mitigate by:

  • Implementing measures to protect your systems against cyberattacks such as malware.
  • Maintain secure systems
  1. Access control measures

Limit access to cardholder data by vetting everyone who needs access to this data. This is achieved by:

  • Restricting access to cardholder data

Only authorized personnel should have access to this data. Limit the privileges of everyone to a need-to-know basis and deny all other access unless authorized.

  • Authenticate access

Employees that have access to cardholder data should be assigned unique identification. They will use these identifications to access the data, thus making it easy to track how data is handled. Do not use group IDs; every member with access needs unique identification.

  • Restrict physical access to the data

Your onsite systems are also vulnerable to attacks or internal leaks; thus, you need to put measures in place to limit physical access to cardholder data.

  1. Monitoring and testing networks

Monitor your physical and wireless networks to identify vulnerabilities that cybercriminals can exploit to gain unauthorized access to your systems and data. To prevent cybercriminals from exploiting these vulnerabilities, you are required to:

  • Thoroughly track, analyze, and monitor cardholder environments in search of weakness.
  • Frequently test your system components, processes, etc. to ensure that you maintain security over time. 
  1. Information security

Your business needs a strong security policy that details the responsibilities of your employees towards protecting cardholder data.


PCI compliance isn’t a guarantee that your systems and data are safe; hundreds of companies have experienced data breaches despite being PCI-DSS compliant. Achieving compliance is merely a baseline. You need to meet the requirements as stipulated by the governing body and implement extra measures that protect your systems from emerging threats. You can never be too sure when dealing with cybersecurity, going the extra mile helps prevent cyber attacks.

About the author

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.



Small businesses face many unique challenges such as problems related to payment processing. This issue can manifest itself in a variety of ways and thus requires careful intervention. It is crucial that a small business takes proper care of its payment processing system to ensure that there is timely and accurate collection of the payments due. Identification of different problems is one of the most important steps in this process, so here is the list of the top payment processing issues a small business may have to face: 

Data Security: With the increase in instances of cyber attacks and data frauds, it has become essential for a business to protect itself and its clients from such mishaps. An efficient payment processing system should provide robust protection against such data breaches. Any such fraud or leaking of important data can not only negatively impact the revenue and income of a business, it may also put strain on their position in the market. The businesses should ensure that their payment processing system adheres to Payment Card Industry (PCI) Data Security Standard (DSS). Such compliance saves you and your business from liabilities which may arise from data breaches. 

Chargebacks: These expenses are one of the biggest challenges faced by the businesses with regard to their payment processing systems. Chargebacks are also known as processing fees and can form a big chunk of your overall expenses. There are many factors which influence such chargebacks. Some of the main causes which impact the volume of chargebacks are types of payment options, types of cards used and the size of transactions. Different types of businesses may be levied different types of charges. It is important to remain in constant touch with your providers so that you are aware of different chargebacks. Further, you may also try to negotiate the prices down. Such management of charges can have significant impact on your bottom line. 

Compliance and Regulations: As payment processing systems are becoming more complex, the regulatory requirements are also increasing to keep a proper check on them. These regulations are mainly enacted to safeguard all the parties involved in the payment processing cycle. However, these also tend to increase the paperwork. It is important that you comply with all the requirements laid by these regulations so as to ensure that you have proper recourse as and when there is any issue pertaining to such payments. The outlay required for meeting these rules is generally justified by the benefits granted through these regulations. 

Multi Channel Payments: In order to ensure that you are able to serve your clients in the best possible manner, it is important to offer a wide range of payment options. However, it also means that you have to deal with the terms and conditions attached with large number of such outlets. Multiple vendors may increase the complexity of your payment systems which may require increased outlay of resources. It is generally advisable to integrate such option payments so that they can be managed with relative ease. Further, the ability to control these multiple methods may also increase the efficiency of your operations. 

Payment Support and IntegrationAs payment processing is one of the most crucial functions, it is important that the business pays proper attention to this facet. The businesses should endeavor to keep the downtime to the minimal. There should also be proper backup system, so that your clients do not have to face any hardship if there is any breakdown in the services. You should define such terms and conditions with your service provider explicitly. The integration of various modes of payment and processing systems is important for ensuring efficiency. It is also helpful in keeping the costs down. Such integration allows for the installation of a dashboard which helps in centralizing the control measures. 

It is highly recommended to businesses that they pay proper attention to their payment processing systems. They should also be careful while selecting their payment services partners. The main focus should be on managing costs and expanding the portfolio of services offered. It is also important that the system is flexible so that it can accommodate frequent changes in technologies employed.  


What is the PCI Data Security Standard and why should I care?

PCI Data Security Standard or PCI DSS are the standards governing credit card industry. The task of administration of these standards is entrusted to the Payment Card Industry Security Standards Council. The main aim of these standards is to create a safe environment for credit card transactions and minimize the risk of financial frauds. While credit card protection is vital for all the users, it is of utmost importance for online businesses. Compliance with PCI DSS can help you secure your business as well as your clients’ sensitive information.

What is PCI DSS?

PCI DSS are internationally applicable and are designed to maintain the integrity of customer data and merchant payment systems. The standard was originally proposed to encourage the credit card companies to take adequate steps to ensure the safety of the data. In order to be PCI DSS compliant, an organization is required to fulfill twelve core requirements which include the obligation to build and maintain a secure network, protect the data pertaining to the cardholders and implement robust access control measures. There are also different levels of compliance, which you may choose to best meet your resources and requirements. Even if you outsource your payment processes, you are still required to be PCI DSS compliant. Similarly, you are required to fulfill PCI DSS requirements even if you do not store credit card data.

How to Become PCI DSS Compliant?

There are several ways to fulfill 12 core requirements for becoming PCI DSS compliant. Some of the steps you can take to ensure that your business complies with the set regulations are given below:

  • Ensure the safe recording of financial information such as credit card numbers, expiry date and CVV. You can simply outsource your requirements to a payment gateway which will then be responsible for the proper upkeep of data.
  • Update software and How security programs on your machines so that the malicious codes may not be installed on them.
  • Educate your employees to take adequate measures to secure the data. All systems should be password protected and such passwords should be frequently changed. Further, the employees should also be directed to not share their passwords and other login details.

There are main four levels of compliance and these levels are defined on the basis of transaction volume. Level 4 is applicable to businesses processing less than 20,000 transactions annually, whereas Level 3 covers the organizations carrying out 20,000 to 1 million transactions annually. Level 2 is applicable where the volume of transactions is between 1 and 6 million in a year and the upper most level is Level 1, which needs to be complied with by the businesses processing over 6 million transactions.

The process to become PCI DSS compliant varies for different organizations, based on their policies and procedures. The standard is applicable to all the businesses which process, transmit or store card details. You can start the process by completing the self-assessment questionnaire and undergoing vulnerability scan with an approved scanning vendor.

Why PCI DSS Compliance is Important?

The main aim of PCI DSS is to make payments processes safe and secure. The standard provides guidelines about the prevention and detection of data loss and payment frauds. It also offers remedial steps to be undertaken in cases where breach has already occurred. The compliance with this standard is important to ensure that the risk of a financial breach is minimized.

An organization can also boost its image and reliability by complying with PCI DSS. In the absence of such compliance, it may lose out on traffic and revenue volume as its clients may choose not to deal with the firm, in order to protect their financial details. The compliance with PCI DSS helps in elevating the trust level, which ultimately leads to a stronger top line.

Apart from gaining clients’ trust, compliance with PCI DSS can ensure the longevity and survival of the business as well. Financial data breaches can have devastating consequences for a business. Such frauds may lead to financial and even criminal liabilities, severely hampering the operations of an organization. Therefore, it is important that the risk of such catastrophic events is curtailed by following PCI DSS norms.

What Is Online Payment Fraud and How PayTabs Deals With It?

What Is Online Payment Fraud and How PayTabs Deals With It?

Every now and then people become victim of payment fraud in various ways. You must have heard news of someone transacting with someone’s money without their permission. Well, that is the perfect definition of payment fraud. In short – illegal transaction of money is defined as payment fraud. You can save yourself from such frauds by using secure online payment systems.

How Payment Fraud Takes Place?

Today, there are many ways through which your card’s data gets copied and that’s how such a fraud takes place. Payment frauds can be done in different ways such as identity theft in which the personal information gets stolen and further gets used for illegal activities.

Another way is page-jacking in which the traffic from your e-commerce website is taken to another website by hackers. However, the most common way of payment fraud is phishing in which emails and messages asking about bank details, personal information, etc. are circulated to people.

These are the commonly used methods for payment frauds. However, the good part is that with a little awareness, you can save yourself from falling into such a trap. Read on to know more.

Things to Keep in Mind to Avoid Online Fraud:

  • Always shop from reputed and well-known websites.
  • Create a proper profile by registering your email and contact number so that the shopping experience is hassle free and if any unknown activity happens, you get notified via email or SMS.
  • Set passwords which are not easily recognizable.
  • Make sure that you have your number registered so that online payment platforms ask for a one-time password before processing online payment request.
  • Turn on the message alert so that whenever some unknown activity happens with regard to your account or card, you get instantly notified.
  • Keep your credentials private and safe. Do not share important passwords and OTP with anyone.

Payment Fraud: What Can Be Done On a Bigger Level?

Since people have started paying through online payment platforms, the risk of payment fraud has also increased. To have a risk-free online payment experience, you can use different options available on the internet. One of the most reliable ways to have a safe online payment experience is using PayTabs.

PayTabs is a highly recommended and reliable payment gateway. It is one of the most reliable payment platforms and accepts payments in around 168 currencies. The user-friendly dashboard helps users in monitoring & managing their online transaction details with ease.

In the world of digitization when most of the businesses are marking their online presence, it is necessary to have a platform where all the payment related aspects can be taken care of without any hassle. This is where PayTabs comes into the picture.

From transparent pricing to user-friendly interface to 24/7 assistance, there are many reasons for you to give PayTabs a try. With PayTabs, you can quickly get your payment deposited, accept payment in 168 currencies, enjoy customized pricing solutions, and much more.

PayTabs is a PCI-DSS certified payment platform, equipped with dual-layer fraud protection mechanism which lessens the chances of payment frauds. In addition to these, 3D secure authentication and EV SSL certification ensure foolproof transactions at all times.


Though there are many risks associated with online payment, the truth is that it is quite convenient and saves a lot of time. Therefore, foregoing online payment is not a judicious choice. What you should do is attain a good amount of knowledge about the measures you can take to avoid online payment frauds.

5 Factors to Consider while Selecting a Payment Gateway in UAE

5 Factors to Consider while Selecting a Payment Gateway in UAE

The success of e-commerce depends on various factors, the choice of payment gateway being one of them. The payment service on your e-commerce portal influences user experience. And if a user finds it convenient to shop on your online store, you can expect recurring sales in the future.

While selecting a payment gateway in the UAE, you must keep certain factors in mind. Although payment gateways function in a similar way, irrespective of the country, there may be slight variances in the selection procedure here. We have outlined five factors that you should consider while selecting a suitable payment gateway for your online store.

Transaction Charges

The cost of installing a payment gateway is the foremost consideration for every online retailer. In addition to the setup fee, the payment gateway provider charges a fee on per transaction basis. Some of the providers in the UAE may not ask for a setup fee. In this case, the transaction fee may be high.

Talking about the transaction fee, it may be a fixed amount or a percentage of the transactional amount or a combination of both. The transaction fee may vary according to the types of products and services, the number of transactions, and other parameters.

Payment Method Options

There was a time when online payments were processed using credit and debit cards. But now there are multiple modes of payment such as digital wallets, internet banking, EMIs, and others. Depending on the acceptable modes of payment in the UAE, the ideal payment gateway should be integrated with all the needed payment options. Some of the online businesses work on the recurring payment model. Discuss the recurring payment feature with the service provider before finalizing the payment gateway.

When you offer diverse payment options to the user, the probability of a conversion increases. If you are into import and export, currency conversion facility is a necessity for you. Before finalizing a payment gateway, ensure it accepts payment modes that provide seamless currency exchange facility.

Security Parameters

Secure online payment systems ensure that customer’s financial information is secured against theft and misuse. Most of the payment gateways adopt the latest security standards, such as 256-bit AES and two-factor authentication (2FA). Also, the payment service providers must work in strict accordance with the regulatory framework issued by the Central Bank of the UAE.

In addition to security, seamless connectivity is necessary to reduce the transaction failure rate. Check out the payment gateway’s transaction success rate to determine its technical prowess and reliability.

Hosted or Shared

The hosted payment gateway redirects your customer to another link for payment. The transaction doesn’t happen on your website, and therefore, you don’t have to obtain a merchant ID. No confidential information is being shared on your website. The hosted payment gateways cost you more as they handle security risks as well.

The shared payment gateway processes payments on your website. The customer shares financial information with the payment gateway integrated into your website. To enable shared payment gateway, you have to integrate an API. For this purpose, the payment service provider must ensure reliable backend support. Also, you must ensure that your online trading platform is PCI-DSS compliant.

Compatibility & Support

It is crucial to determine whether the payment gateway works seamlessly on your website or not. Besides processing payments using different payment methods, test the payment gateway for mobile payments as well. Nowadays, users are biased towards mobile payment as it is convenient and secure. Also, check out the payment gateway’s cross-platform compatibility.

Access to prompt and reliable support system is a mandatory requirement. The technical executives should be capable enough to solve gateway problems pertaining to payment processing.

The Bottom Line

Some of the most prominent payment gateway service providers operate in the UAE. Depending on your online business, whether it is local or global, one-time or recurring; you can select a suitable payment gateway that integrates effortlessly with your online store.