A Guide to Being PCI Compliant

Published: 09th February 2011
One of the biggest mistakes organizations make is jumping into their PCI compliance remediation effort without first understanding their company's gaps. It's crucial to realize that every organization has a different maturity level when it comes to technology and compliance. Without first knowing where one stands, taking a "one size fits all" approach to fixing PCI will spell disaster. A pre-compliance assessment is imperative and makes it possible to understand what the PCI compliance effort will entail. The output is a document identifying gaps between the current state and what the PCI DSS (Data Security Standard) requirements necessitate. Some of the items covered in the pre-compliance PCI self-assessment include:

- Review of IT infrastructure
- PCI-relevant application architecture, policies, procedures and processes
- Overall network design
- Gap analysis
- Network vulnerability scanning
- Risk analysis
- Mapping business flows to technology flows

Validation of payment card industry compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, payment card industry compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of demonstrating payment card industry compliance via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.


Enforcement of payment card industry compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, payment card industry compliance is enforced by the organization's acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third-party suppliers, such as hosting companies, that have business relationships with in-scope organizations, enforcement of payment card industry compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate payment card industry compliance. Companies that are not PCI compliant and that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

The major credit card issuers created Payment Card Industry compliance standards to protect personal information and ensure security when transactions are processed using a payment card.



The author is an executive with NSAP IT. For more information on PCI compliance, visit the PCI compliant website.


This article is free for republishing
Source: http://stelensmith.articlealley.com/a-guide-to-being-pci-compliant-2019237.html

