
Checklist: How to meet PCI DSS compliance requirements

PCI DSS compliance is crucial when taking card payments. From global behemoths to tiny food stalls, every merchant that accepts credit card payments (offline and online) is required to comply with PCI DSS requirements. Designed to reduce the “attack surface” of e-commerce websites – the total number of points through which attackers can enter – they play an important role in safeguarding payment security. Read on to find out more about PCI assessment requirements and see the PCI compliance checklist.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of general practices – governed by the major credit card companies – intended to ensure cardholder information is transmitted, stored, and handled securely. It sets out the technical and operational requirements for any organisation that accepts or processes payment transactions, as well as for manufacturers and developers involved in the production of devices or applications that are used in these transactions.

Do I need to worry about PCI requirements?

If you’ve ever explored PCI, you’ll know how difficult it is to get a handle on the scope of PCI DSS requirements. However, it’s relatively easy to work out what you need to do. Simply put, adherence to PCI requirements is not dictated by the volume of transactions; if you take card payments or financial information is entered on, stored on, or passes through your site, compliance is mandatory. 

On the other hand, you don’t need to worry about adhering to PCI DSS requirements if your site never comes into contact with payment data at any point (i.e. your customers are directed to your payment service provider or payment gateway) or your customers make payments using an iframe (i.e. your customer’s payment details go directly to your payment service provider or payment gateway).

It’s also important to note that the specific PCI assessment requirements you need to meet are determined by your merchant level, which is set by the number of card transactions you process per year:

  • Level 1 – 6 million+ transactions per year

  • Level 2 – 1 to 6 million transactions per year

  • Level 3 – 20,000 to 1 million transactions per year

  • Level 4 – Less than 20,000 transactions per year

Why is PCI compliance important?

Data security is non-negotiable for e-commerce companies. If you’re asking customers to input their financial information on your website, they need to be able to trust you. Data breaches can destroy that trust and could pose a real threat to the continued success of your business. Over the past few years, the number of data breaches in the United Kingdom has risen substantially. Almost one third (32%) of businesses and two out of every 10 (22%) charities experienced a data breach or attack in 2019, according to the government’s Cyber Security Breaches Survey 2019. Bottom line? This isn’t a theoretical issue – it happens to companies just like yours every day, making adherence to PCI DSS requirements extremely important.

What happens if you fall out of compliance?

While PCI DSS is not a law, it is enforced by contracts between merchants, banks, and payment brands. There are a number of potential consequences that can result from non-compliance with PCI assessment requirements, including:

  • Fines – After a breach, non-compliant websites can be forced to pay hefty fines by regulators.

  • Suspension of credit cards – If you experience a data breach, PCI regulators can revoke your ability to accept credit card payments.

  • Mandatory forensic examination – You may be required to undergo an expensive and time-consuming forensic examination.

  • Liability for charges of fraud – It’s possible that you will be liable in a fraud lawsuit if your customer’s sensitive data has been stolen.

  • Credit card replacement costs – The cost of reissuing credit cards (including shipping, communication, and activation) may be passed onto you by card issuers.

  • Notification and credit monitoring – You may be required to inform all customers of a security breach, as well as provide affected customers with credit monitoring services.

  • Reassessment for PCI compliance – Finally, you may need to undergo a complete PCI reassessment in order to regain the ability to accept credit cards.

PCI Compliance Checklist

There are 12 PCI DSS requirements that are organised into six different control objectives. To get a handle on data security, ensure that you’re covered for every item on this PCI DSS compliance checklist:

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data

  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  1. Protect stored cardholder data

  2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs

  2. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business need to know

  2. Identify and authenticate access to system components

  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data

  2. Regularly test security systems and processes

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel

We can help

By using a trusted payments provider like GoCardless, you’ll never need to worry about touching sensitive financial information. Find out how GoCardless can help you with ad hoc payments or recurring payments.
