PCI DSS Compliance Requirements Guide & Checklist

Last Updated: February 23th, 2024

Every ecommerce website, regardless of its size or the volume of transactions, must comply with the standards set forth by the Payment Card Industry Data Security Standards (PCI DSS). These crucial guidelines are mandated by major credit card companies to guarantee the secure processing, storage, and transmission of cardholder information.

Phishing-Attacks-How-to-Prevent-Them-Guide-Thumbnail

Introduction

As the owner of an online store that accepts credit card payments, it is your responsibility to protect the sensitive data of your customers. This applies to anyone who accepts payment data, from the largest corporations to the smallest local small businesses. In essence, PCI compliance is about safeguarding all card transactions and customer data.

This guide will explain the goals and requirements of PCI compliance, best practices for securing ecommerce websites, and tactics to combat threats against online stores. We’ll also explain how Sucuri can help you meet regulatory requirements and protect your data.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a globally accepted set of technical and operational requirements put in place to ensure the protection of cardholder data provided by customers. Created by a global organization known as the PCI Security Standards Council, which is formed by major credit card companies such as Visa, Mastercard, Discover, and American Express, these standards are mandatory for any business that accepts credit card payments.

PCI DSS covers a broad spectrum of practices like restricting access to cardholder information and creating secure and non-default passwords, to more advanced strategies like encryption and the use of a firewall. The primary aim of PCI compliance is to reduce the attack surface, especially in the Card Data Environment (CDE) — how credit card information is handled on your website. This obligation to adhere to the PCI DSS requirements applies even if you use secure payment services such as Stripe, PayPal, or Recurly.

Being PCI compliant demonstrates your business’s commitment to safeguarding your customers’ credit card information while actively working to prevent credit card fraud and potential data security vulnerabilities.

For example, imagine you run a busy ecommerce store that sells handmade jewelry. The practices defined in PCI DSS ensure that your customers’ credit card data remain safe every time they make a purchase.

Small merchants are not excluded from PCI DSS requirements, either. Unprotected ecommerce websites are prime targets for data thieves. If sensitive customer data or cardholder information is stolen from any website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.

Why is PCI Compliance important?

Trust is the key to your online business. If a security incident occurs, it can wreak havoc on traffic, revenue, and brand reputation. The unfortunate reality is that ecommerce websites are frequent targets for cybercriminals looking to steal sensitive customer data and credit card information.

How big of a target is your ecommerce website? With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access.

Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.

Ecommerce websites are susceptible to a number of risks and threats:

Credit card stealers put your customers at risk of identity theft or credit card fraud.
Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
Injected website content can spread spam, malware, and malvertising.
Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
Hacked sites can be blocked by search engines, antivirus programs, and browsers.

Because there will always be some level of risk, security is a continuous process. A proper ecommerce security strategy requires frequent assessment and diligence.

PCI compliance checklist

The latest version of PCI DSS is version 3.2,1 released May 2018. The requirements are divided into multiple sub requirements and hundreds of actions. At first glance, meeting all of these requirements can feel like a daunting task.

As we discuss each of these requirements further, remember, these aren’t just rules to tick off a box but are crucial and functional steps towards ensuring the security of your business and website.

Let’s take a look at the goals and requirements table first.

PCI DSS goals and requirements table

Goals	PCI DSS Requirements
Build and Maintain a Secure Network and Systems	1. Install and Maintain Network Security Controls 2. Apply Secure Configurations to All System Components
Protect Account Data	3. Protect Stored Account Data 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Maintain a Vulnerability Management Program	5. Protect All Systems and Networks from Malicious Software 6. Develop and Maintain Secure Systems and Software
Implement Strong Access Control Measures	7. Restrict Access to System Components and Cardholder Data by Business Need to Know 8. Identify Users and Authenticate Access to System Components 9. Restrict Physical Access to Cardholder Data
Regularly Monitor and Test Networks	10. Log and Monitor All Access to System Components and Cardholder Data 11. Test Security of Systems and Networks Regularly
Maintain an Information Security Policy	12. Support Information Security with Organizational Policies and Programs

What are the PCI DSS requirements?

So, what are the requirements in the PCI DSS table and what do they mean, exactly? Let’s take a closer look at each requirement and outline some of the steps you can take to meet them.

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data

This first requirement directly relates to securing and documenting your network. Depending on your skill level, you can do it yourself or find an affordable service provider who can help.

If you are going through the PCI assessment process, we recommend that you follow these steps:

Identify your Card Data Environment (CDE). If you’re hosting your website in-house and handling cardholder data, your local network is likely part of the CDE.
Write a “Firewall Process” document. This should list all of your servers, their purpose, who has access to them, what is externally accessible, and what services are running there.
Create a firewall rule that blocks potentially malicious behavior. Only allow what’s needed for required business functions. This should be applied to both inbound and outbound traffic.
Write these rules into your new “Firewall Process” document. Apply the rules and restrictions to all of your servers.

Completing these steps will help you meet the requirements for knowing your web assets, as well as restrict and separate access between environments through a firewall.

PCI Requirement 2: Don't use vendor-supplied defaults for system passwords and other security parameters.

PCI Requirement 2 states that you should not use vendor-supplied defaults for system passwords and other security parameters. By fulfilling requirements 1 and 2 of the PCI DSS, you are meeting the goal to build and maintain a secure network.

Here are our suggestions for fulfilling PCI requirement 2:

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
Maintain an inventory of system components that are in scope for PCI DSS.
Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
Shared hosting providers must protect each entity’s hosted environment and cardholder data.

PCI Requirement 3: Protect stored cardholder data.

Requirement 3 of the PCI-DSS states that you must secure cardholder data. Many online stores use a reputable payment gateway to help process credit card payments and transactions. While this can help you lift some PCI requirements, it doesn’t mean you’re off the hook entirely!

The best way to meet this requirement is to use a trusted payment gateway and not store credit card details. By only maintaining customer IDs and successful payment confirmations, you significantly reduce the impact of a compromise.

Another important (and sometimes overlooked) recommendation is to enact strong policies with employees and colleagues by enforcing proper security practices.

Caution

Never store payment card data on personal hard drives, USBs, or other external or mobile media (including cell phones). We also strongly advise against processing payments yourself; accomplishing this correctly involves considerable security efforts to maintain PCI compliance.

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Requirement 4 of the PCI-DSS states that you must encrypt transmission of cardholder data across open, public networks.

SSL/TLS is the technology used for securing and encrypting sensitive data as it travels between two systems. While technically different protocols, the term “SSL” is commonly used to refer to any encrypted HTTP connection, including TLS. When using an SSL certificate, the website can be accessed over HTTPS rather than HTTP.

As a website that accepts payments, using TLS v1.1 and higher is mandatory for PCI compliance. Encrypting sensitive data like credit card numbers, card holder information, and passwords protects your customers and prevents fraudulent transactions and data breaches.

The use of TLS prevents man-in-the-middle attacks (MITM), which occur when bad actors secretly intercept and possibly modify sensitive user data and credentials via insecure networks.

SSL certificates are also good for establishing and maintaining trust. This allows the green padlock icon to be visible in the browser address bar.

Using SSL can also improve your SEO rankings. Search authorities like Google have encouraged webmasters to secure their websites by ranking sites with HTTPS higher than those without certificates.

Many hosting providers offer free and paid SSL certificates. They may even help implement certificates for you. If you’re a Sucuri Firewall user, we offer free certificates by default.

PCI Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

PCI DSS Requirement 5 states that you must protect all systems against malware and regularly update antivirus programs. Under most circumstances, bad actors don’t manually hand-pick websites to attack since this is very time consuming. The majority of attacks against websites are automated and performed by bots who are looking for websites with known vulnerabilities.

In order to comply with PCI Requirement 5, we suggest the following:

Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that all antivirus mechanisms are maintained.
Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Solutions like Sucuri can help detect and block malware threats at the site and server levels, but you’ll need to employ an antivirus on the computers of anyone who accesses the site and its data. You’ll also need to protect against attack vectors outside of the site directory, including access via SSH and FTP.

PCI Requirement 6: Develop and maintain secure systems and applications.

PCI Requirement 6 states that website owners must ensure system components are protected from known vulnerabilities and common coding vulnerabilities must be addressed.

It doesn’t matter if you’re just starting out and your website is small with very little traffic. If you have a vulnerable CMS, extension, plugin, or theme on your website you will likely be identified by a malicious bot at some point in the future.

By keeping your website software and system components patched and up to date, you are not only mitigating the risk of automated attacks, but also ensuring PCI compliance.

If you are unable to update a vulnerable theme or plugin for your CMS, you can still mitigate exploitation attempts with a firewall that offers virtual patching to prevent the exploitation of known vulnerabilities.

We recommend that you take a look at our firewall features to learn how you can utilize one to secure your website, protect your CDE, and maintain compliance.

PCI Requirement 7: Restrict access to cardholder data by business need-to-know.

PCI Requirement 7 states that you must restrict access to cardholder data by business need-to-know. This means configuring your systems so that they’re only accessible to authorized individuals.

In order to comply with Requirement 7 you should:

Limit access to only those individuals whose job requires access to cardholder data..
Examine written policy for access control and explain its importance.
Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

PCI Requirement 8: Identify and authenticate access to system components.

PCI Requirement 8 states that you assign a unique ID to each person with access to system components so you can limit their access and monitor their activities.

Here are some ideas to help comply with Requirement 8:

Create and document policies and procedures to ensure only specific individuals have access to cardholder data. This can be done by assigning unique and secure IDs.
Implement two-factor authentication for both employees and third-party vendors.
Do not use group, shared, or generic IDs, passwords, or other similar authentication methods.
All access to any database containing cardholder data should be restricted.
Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

PCI Requirement 9: Implement Strong Access Control Measures

PCI Requirement 9 states that you must restrict physical access to cardholder data. This is especially important for anyone that has onsite personnel or staff or physically stores all of their cardholder data without a third party.

Physical access can refer to:

Devices
Data
Systems of payment card data
Hardcopies of payment card data

Maintaining strict controls can help identify individuals who physically access areas storing cardholder data. This is also important for protecting personally identifiable information, especially if you need to comply with the requirements of the General Data Protection Regulation (GDPR).

Here are some key restrictions to minimize risk:

Network Jacks: Restrict access to network jacks to helpl prevent bad actors from plugging into readily available inputs that may allow them into your network. Consider turning off network jacks while not in use and reactivating them only when needed. Also, be sure to create private networks for internal use and a public one for visitors to limit exposure to protected information.
Visitors & Unauthorized Personnel: Visitor controls are important to restrict certain areas and ensure they are identifiable as visitors. It makes it easier to spot unusual activity. This may even include employees who have no reason to approach sensitive access points. For example, the social media manager shouldn’t need access to a storage facility where cardholder data is readily available. A log that tracks information about the visitor will be useful in the event of a data breach investigation. Keeping a log can help identify which visitors have physical access to a room and who has potential access to cardholder data. Consider logs at the entry to facilities and especially designated areas where that data resides.
Monitor Cardholder / Personal Data: If a visitor made their way through an authorized sequence of doors within your facility, cardholder data is still susceptible to unauthorized viewing, copying, or scanning if it is unprotected. It can even be accidental if authorized employees are not well informed. A startling number of businesses have cardholder data on portable media, hard drives, sticky notes, or printed hard copies on someone’s desk. This is especially problematic with orders taken by phone, fax, or email. Without proper visibility or protection, data can be stolen and used for fraudulent purposes. It’s important to ensure the data remains hidden/encrypted if not immediately needed. The development of an approved process for handling sensitive data will help in complying with Requirement 9.6: Maintain strict control over the internal or external distribution of any kind of media.

Steps must be taken to destroy cardholder information contained on electronic devices. Dispose of hard copies via paper shredding. Failure to do so can result in a major data breach, leading to a negative reputation and expensive fines after an investigation.

One thing to consider is “dumpster diving”. This is where bad actors search through trash and recycle bins to search for devices that may contain data. If they happen to find a tossed, unencrypted USB drive that wasn’t wiped prior to disposal or a paper that wasn’t shredded finely enough; the consequences can be major.

Using strong, unique passwords on your website, restricting the privileges available to users through assigned roles, and enabling two-step or multi-factor authentication is mandatory for PCI compliance. This reduces the risk of a website compromise or data breach by a bad actor.

If you own a website and collaborate with others, the principle of least privilege is a very solid principle to adhere to. This computer science principle has applications and benefits to strengthen your website security.

PCI Requirement 10: Track and monitor all access to network resources and cardholder data.

PCI Requirement 10 is one of the most important requirements for PCI compliance. This requirement explicitly states that you must implement audit trails and review logs to monitor your web assets and identify a compromise or data breach.

The intent of PCI Requirement 10 is to essentially determine the “who, what, where, and when” of users accessing your data processing resources and website environments. Knowing this information is critical in the event that sensitive information (like credit card data) goes missing.

If you fail to properly log all internal and external users, you may be unable to pinpoint a breach timeline or identify who is responsible for a compromise.

A number of different website monitoring solutions can help look for indicators of compromise (IoC), which can include malware, obfuscated JavaScript injections, cross-site scripting, phishing, backdoors, drive-by-downloads, spam SEO, defacement, malicious redirects, or conditional malware. Integrity monitoring can also help verify the files on your website and alert you of any suspicious changes to DNS settings, SSL certificates, or modifications of core files.

PCI Requirement 11: Regularly test security systems and processes.

PCI Requirement 11 states that you must regularly test security systems and processes. This includes scanning and reporting on potential vulnerabilities in your network both externally and internally.

Bad actors and researchers alike continue to uncover vulnerabilities, especially with the introduction of new software. For example, recently WordPress published a near-immediate patch after Gutenberg’s official debut.

We recommend the following to help comply with PCI Requirement 11:

Run vulnerability scans every few months and after any big changes.
Implement a system for website penetration testing.
Use detection and prevention techniques to safeguard against hackers.
Monitor any changes to system, configuration, or content files.
Ensure that security policies and procedures are documented and followed.

To account for this, you should take full advantage of a Web Application Firewall (WAF) that can also function as a virtual patching tool.

PCI Requirement 12: Maintain an Information Security Policy

PCI Requirement 12 is to maintain a policy that addresses security for all personnel. This policy must be reviewed annually (at least) and include a risk assessment process, incident response plan, and usage policies.

This requirement is broken into several sub-requirements:

Establish, document, maintain, and follow an information security policy.
Implement a risk-assessment process and assign security responsibilities.
Develop usage policies for critical technologies and define proper use of these technologies (such as third-party script and libraries for your website).
Ensure that the security policies and procedures clearly define what you expect and the responsibilities of any of your employees. Additionally, make them aware of the importance of protecting customers data.
Screen new hires and any third-party service providers with access to cardholder data to minimize the risk of attacks from internal sources. They should agree to protect cardholder data in writing.
Implement an incident response plan. Be prepared to respond immediately to a system breach. It can happen to anyone.

If you’re using WordPress, you can use Sucuri’s free WordPress security plugin to monitor file changes, review audit trails, apply hardening features, and detect malware.

What happens if you’re not PCI compliant?

If a merchant is found to be non-compliant with the PCI-DSS, there can be a variety of penalties & consequences ranging from fines, loss of time, and reputation damage.

PCI non-compliance fines

Non-PCI compliant websites can suffer hefty penalties by payment industry regulators if customers experience fraudulent transactions. As of 2023, the global average cost of a data breach was 4.45 million US dollars while in the United States average costs were a hefty 9.48m.
GDPR regulation

Under GDPR, any business that experiences the breach of EU residents’ personal information has 72 hours to notify supervisory authorities or risk facing heavy fines. This regulation joins a number of US federal and state laws which hold organizations accountable for the security of customer data.
Suspension of credit cards

Perhaps worse than fines, the ability to process credit card payments may be revoked. The PCI standards are created by the major credit card companies, and this is their defense against irresponsible merchants. If a data breach occurs for your ecommerce store, the PCI council can revoke the privilege of using their payment cards.
Mandatory forensic examination

Merchants suspected of a data breach are required by the PCI-DSS to undergo a mandatory forensic examination, which requires hiring professionals and conducting a time-consuming investigation. A forensic examination may cost between $10K to over $100K depending on the size of your business.
Notification and credit monitoring

If a compromise of financial information is suspected, a number of states require the merchant to notify customers and inform them of the breach. Merchants may also need to produce up to a year’s worth of credit monitoring or counseling services to affected customers.
Liability for fraud charges

Lawsuits may claim liability on merchants for security breaches. It is important to emphasize that protecting your customer’s sensitive information is your responsibility as a business owner. That is why having a secure website is vital.
Credit card replacement costs

Card issuers may require merchants to pay the cost of reissuing credit cards, which includes shipping, activation, and communication to the customer. These fees can range from $3 to $10 per card.
Reassessment for PCI compliance

In order for a website to accept credit card transactions again, a complete PCI reassessment by an external Qualified Security Assessor (QSA) must be performed.

In the US, businesses are also held accountable for the security of customer data by several federal and state laws. So, it’s in your best interest to abide by the rules to protect your customers, online business, and reputation.

How much does PCI compliance cost?

The cost of achieving PCI compliance for your online store can vary. Factors such as the size and type of business, current security infrastructure, and existing level of PCI compliance play a role in determining the cost.

Here’s what you need to take into account before you even start the process for PCI compliance:

Upgrades in security infrastructure: Meeting PCI standards could require some updates to your existing security systems. As such, you might need to invest in a website firewall, new software, hardware, or other security measures. This investment could range from several hundred to multiple thousand dollars.
Maintenance and training costs: You may incur ongoing expenses of maintaining secure systems and educating your staff about PCI security practices. Such costs can range annually from a few hundred to several thousand dollars.
Self-assessment: If you are operating a smaller online business and meet the criteria, self-assessment can be a cost-effective route to earning PCI compliance. This typically involves purchasing a self-assessment kit, which could cost anywhere between $100 and $500.

Estimated PCI compliance costs per business level

Your organization setup and number of card transactions will dictate your costs. Let’s look at the estimated costs for achieving PCI compliance for each business level:

Level 1: Businesses in this category must complete a Report on Compliance (ROC). An extensive report detailing the business’s server environment, security standards, and its measures to protect customer data. A Qualified Security Assessor (QSA) compiles the report through an onsite audit and review. Level 1 businesses must also complete quarterly network scans by an Approved Scanning Vendor (ASV), along with an Attestation of Compliance. The combined cost for meeting these requirements annually can range from $30k to $200k.
Level 2: Level 2 businesses require completing quarterly ASV scans, a self-assessment questionnaire, and an Attestation of Compliance. The annual cost for this typically begins at $10k.
Level 3: Level 3 businesses must adhere to regular ASV scans and complete a self-assessment questionnaire and an Attestation of Compliance. The ASV scan pricing is based on the number of IP addresses used by your business. Since smaller businesses tend to use fewer IP addresses, costs are usually less. As such, annual costs for Level 3 businesses usually start around $1500, rising depending on the specific requirements.
Level 4: Smaller online businesses fall under Level 4, requiring ASV scans, a self-assessment questionnaire, and an Attestation of Compliance. The annual cost for businesses in this category can be under $1000, but it can increase depending on the specific configuration of the business.

While the expenses may seem hefty, remember, they are significantly less than the potential costs of non-compliance, which may include substantial fines, brand damage, and remediation costs.

Wrapping up PCI compliance

Non-compliant ecommerce websites often suffer hefty penalties by payment industry regulators if their customers complain about fraud after using the site.

If a data breach occurs for your ecommerce store, you may even have the ability to accept payments by credit cards suspended or revoked.

There are also non-monetary damages that can be extremely detrimental for your business and reputation.

A 2023 report conducted by IBM showed that:

Only 1/3 of companies discovered the data breach through their own security teams, highlighting a need for better threat detection.
Organizations with fewer than 500 employees reported that the average impact of a data breach increased from USD 2.92 million to USD 3.31 million or 13.4%
57%) of respondents indicated that data breaches led to an increase in the pricing of their business offerings, passing on costs to consumers.

These statistics highlight how critical PCI DSS compliance is for all e-commerce businesses, protecting both the business and its customers from potential data breaches and ensuring secure and trustworthy transactions. Understanding and implementing these guidelines may seem challenging, but it’s essential for protecting your and your customers.

A key tool that can make this task easier is the Sucuri web application firewall. The firewall not only provides a strong line of defense against threats but also aids in meeting PCI DSS requirements related to safeguarding your site against malware, securing your systems, and maintaining the overall integrity of your online store.

If you need help securing your online store or implementing a website firewall, contact us for a free consultation.

Trusted by Industry Leaders