12 Steps to Earning PCI Compliance


Any business that utilizes a payment card system must be aware of the best practices required to protect their customers’ personal and financial information. Fortunately, Payment Card Industry Data Security Standards (PCI-DSS) compliance exists to protect cardholder data from both online and physical security breaches. The twelve requirements for compliance are discussed below.

1. Install and Maintain a Firewall Configuration

Firewall and router configurations restrict all traffic from untrusted networks and hosts. Your firewall configuration must be PCI compliant and continually tested to ensure it remains secure.

2. Do Not Use Vendor-supplied Defaults

Ensure you are not using vendor-supplied defaults for system passwords or for other security parameters that affect your firewall configuration. Change vendor-supplied defaults before the initial installation of a system on your network. You should also develop configuration standards for system components that address all known security vulnerabilities.

3. Protect Stored Cardholder Data

Stored cardholder data can be protected by limiting the amount of data stored and its retention time to what is required for business, legal and/or regulatory purposes.
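The two controls behind this requirement, a retention limit and masking of any stored primary account number (PAN) when it is displayed, as an added example in Python (this is not code from the original article or from Edge). The in-memory store, the 90-day retention period and the sample records are assumptions; the masking rule of showing at most the first six and last four digits goes slightly beyond the article's text and comes from the PCI-DSS display requirement.

```python
# Added example (not code from the original article): retention-limited
# storage of cardholder records plus display masking. The store, the
# 90-day retention period and the sample records are all assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # assumed business retention period, set by policy


@dataclass
class CardRecord:
    pan: str              # primary account number, digits only
    stored_at: datetime   # when the record entered storage (UTC)


def mask_pan(pan: str) -> str:
    """Mask a PAN for display, keeping at most the first six and last four
    digits (the PCI-DSS display rule). The full PAN never leaves this function."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def purge_expired(records, now=None, retention_days=RETENTION_DAYS):
    """Drop records older than the retention period.
    Returns (kept_records, purged_count)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    kept = [r for r in records if r.stored_at >= cutoff]
    return kept, len(records) - len(kept)


def sample_records(now):
    """Constructed sample data: one recent record, one past retention."""
    return [
        CardRecord("4111111111111111", now - timedelta(days=10)),
        CardRecord("5555555555554444", now - timedelta(days=120)),
    ]


def run_demo():
    """Purge the sample store at a fixed clock and return what a report may show."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    kept, purged = purge_expired(sample_records(now), now=now)
    return purged, [mask_pan(r.pan) for r in kept]


if __name__ == "__main__":
    purged, masked = run_demo()
    print(f"purged {purged} expired record(s); kept (masked): {masked}")
```

The purge runs against a clock you pass in, so a scheduled job and a test can both drive it deterministically; anything that leaves the store for display or logging goes through `mask_pan`, never the raw field.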

4. Encrypt Transmission of Cardholder Data Across Open, Public Networks

Encrypting cardholder data in transit scrambles the plain text so that it is no longer legible. The data can only be unscrambled with the corresponding encryption key or password, which further protects this valuable information.

5. Use and Regularly Update Anti-Virus Software or Programs

Maintain a vulnerability management program: the process of systematically and continuously finding weaknesses in an entity’s infrastructure. PCI-DSS requires the use of anti-virus software or programs, and all anti-virus mechanisms must be kept current, actively running and generating audit logs. Additionally, vulnerability management programs must be regularly updated.

6. Develop and Maintain Secure Systems and Applications

This requirement ensures all system components and software are protected from known vulnerabilities. Installing the latest vendor-supplied security patches keeps your security up to date. Additionally, it is important to identify coding vulnerabilities by developing applications based on secure coding guidelines and reviewing custom application code.

7. Restrict Access to Cardholder Data by Business Need to Know

Implement strong access control measures that restrict personnel access to cardholder data. Sensitive data must only be handled by employees who are trained to handle sensitive information.

8. Assign a Unique ID to Each Person with Computer Access

Not only does this ensure that only people with an assigned ID can access company systems, it also identifies who is accessing restricted information and when they are doing so.

9. Restrict Physical Access to Cardholder Data

Physical access to cardholder data on devices, systems or even hard copies should be restricted. Facility controls that monitor physical access and record visitor logs help to maintain an audit trail of visitor information and activity. These records should be kept for three months at a minimum unless otherwise dictated by law.

10. Track and Monitor all Access to Network Resources and Cardholder Data

Establish a process for linking all access to system components to an individual user. This is especially important when access is performed with administrative privileges. A great way to accomplish this is by implementing automated audit trails for all system components so that these events can be reconstructed.
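What an audit trail that satisfies requirements 8 and 10 looks like in practice, as an added Python example (not code from the original article or from Edge): structured events are parsed, grouped per individual user so activity can be reconstructed, privileged actions are pulled out for review, and events under a shared account are flagged because they cannot be tied to one person. The log format, field names, the list of shared account names and the sample lines are all constructed for this example.

```python
# Added example (not code from the original article): parsing a structured
# audit trail and linking each access to an individual user ID. The log
# format, the field names and the sample lines are all constructed here.
import json
from collections import defaultdict

REQUIRED_FIELDS = ("ts", "user", "action", "object", "admin", "result")

# Shared or generic account names that cannot be tied to one person (assumed list).
SHARED_IDS = {"root", "admin", "administrator"}

# Constructed sample log: one JSON event per line.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00Z", "user": "alice", "action": "read", "object": "cardholder_db", "admin": false, "result": "success"}
{"ts": "2024-03-01T09:05:00Z", "user": "root", "action": "query", "object": "cardholder_db", "admin": true, "result": "success"}
{"ts": "2024-03-01T09:06:00Z", "user": "bob", "action": "read", "object": "cardholder_db", "admin": false, "result": "denied"}
{"ts": "2024-03-01T09:10:00Z", "user": "alice", "action": "export", "object": "cardholder_db", "admin": true, "result": "success"}
"""


def parse_audit_log(text):
    """Parse one JSON event per line, rejecting events that lack a required field."""
    events = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        event = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            raise ValueError(f"line {lineno}: missing fields {missing}")
        events.append(event)
    return events


def events_by_user(events):
    """Group events by user so each person's activity can be reconstructed."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event["user"]].append(event)
    return dict(grouped)


def privileged_events(events):
    """Events performed with administrative privileges; these get the closest review."""
    return [e for e in events if e["admin"]]


def untraceable_events(events, shared_ids=SHARED_IDS):
    """Events under a shared account: the access cannot be linked to an individual."""
    return [e for e in events if e["user"] in shared_ids]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for user, user_events in events_by_user(evs).items():
        print(user, [(e["ts"], e["action"], e["result"]) for e in user_events])
    print("privileged:", len(privileged_events(evs)))
    print("untraceable:", [(e["ts"], e["user"]) for e in untraceable_events(evs)])
```

Rejecting events with missing fields at parse time matters: an audit record without a user or a result cannot reconstruct anything, so it is better to fail loudly when the logging pipeline drops fields than to discover the gap during an incident.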

11. Regularly Test Security Systems and Processes

New vulnerabilities are always being discovered. Cyber attackers are constantly finding new ways to infiltrate systems and intercept data. That’s why it’s crucial to regularly test and monitor your system components, processes, software and entire network.

Test wireless access points, run internal and external vulnerability scans, perform penetration testing, use an IDS or IPS to monitor all network traffic and deploy file integrity monitoring software. These efforts ensure that the security of your environment is maintained over time and is able to withstand the latest methods employed by cyber attackers.
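The file integrity monitoring mentioned above, reduced to its core, as an added Python example (not code from the original article or from Edge, and not a substitute for a commercial FIM product): a baseline of SHA-256 digests is taken over a directory tree, a later snapshot is compared against it, and added, removed and modified files are reported. The temporary directory and the tampering sequence in `demo()` are constructed for illustration.

```python
# Added example (not code from the original article): a minimal file
# integrity monitor. The temporary directory and the tampering sequence
# in demo() are constructed for illustration.
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Build a tiny tree, snapshot it, tamper with it, and report the diff."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    for name, content in (("a.txt", b"config v1"), ("b.txt", b"unchanged")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    baseline = build_baseline(root)
    # Simulated changes: edit a.txt, delete b.txt, add c.txt.
    with open(os.path.join(root, "a.txt"), "wb") as fh:
        fh.write(b"config v2")
    os.remove(os.path.join(root, "b.txt"))
    with open(os.path.join(root, "c.txt"), "wb") as fh:
        fh.write(b"new file")
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline must be stored somewhere the monitored host cannot rewrite it, and the comparison should run on a schedule with its results going to the same audit trail as other security events; otherwise an attacker who can change the files can also change the baseline.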

12. Maintain a Process that Addresses Information Security for All Personnel

Develop daily operational procedures consistent with the PCI-DSS requirements that allow the business to maintain its security policy. Creating a security policy that cohesively addresses all threats to cardholder data is often a challenge for PCI compliant businesses. If cardholder data is shared with service providers, a business must maintain policies and procedures for securing the data, while monitoring and ensuring the providers’ PCI-DSS compliance.


Credit card data is one of the most sought-after kinds of data for hackers and thieves; it is probably one of the most important pieces of personal information that your business stores for your customers. If you have any questions about how Edge can help you meet PCI-DSS standards, feel free to reach out to us! We’re here 24/7/365 for you.
