The PCI DSS annual compliance checklist
Find out what you must do every year if you are not using a hosted payment solution.
Why you must meet PCI DSS requirements
The full requirements of the PCI DSS must be met if you are not using a hosted solution. If the card payment application runs in the merchant environment, or if the code that links to the hosted payment page is integrated into the merchant's shopping cart, then in addition to the checks indicated in the previous section, the following steps need to be undertaken. They maintain the continuous security of your website and help mitigate the risk of compromise of cardholder and personal data.
Engage a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) to complete the annual Report on Compliance (ROC). Merchants that process fewer than ‘x’ card transactions per year may instead complete a Self-Assessment Questionnaire (SAQ). Regardless of which annual method of attestation is completed, the following activities are required.
Where applicable, payment software must also conform to the Payment Application Data Security Standard (PA-DSS).
The PCI DSS requirements
These actions need to be done EVERY year. If you do not keep doing them, you will not maintain ongoing compliance. Vulnerability scans have to be undertaken on a quarterly basis.
- Complete the annual risk assessment of the environment where card data is handled, and of any system that connects to the cardholder data environment.
- Ensure that third parties that store, process and/or transmit card data, or that are connected to the cardholder data environment, provide evidence that they have maintained their PCI DSS compliance and are still registered with the card schemes.
- If you use a third-party payment application in your environment, ensure that the product, and the particular version you are running, is PA-DSS validated and that the implementation guidelines provided by the supplier are fully adhered to.
- If you use an integrator to bring the products together, ensure they are certified to the X standard to do so.
- Train your staff to follow PCI DSS procedures. You can view the PCI DSS Quick Guide to find out more about being compliant.
- Make sure that you only keep the cardholder data that is essential, that stored data is encrypted or otherwise rendered unreadable (for example truncated or tokenised), and that the card number is masked wherever it is displayed.
- Monitor and control access to your e-commerce environment, i.e. make sure you have security controls (access control, logging and monitoring) in place for it.
- Protect your network with a firewall, and protect your systems with anti-virus software that is kept up to date and configured in line with the requirements. A firewall on its own is not sufficient. There are many anti-virus products on the market; purchase yours from a reputable vendor.
- Ensure that the shopping cart application is patched, running the most up-to-date supported version available.
- External network vulnerability scans have to be undertaken on a quarterly basis (and after any significant change) by an Approved Scanning Vendor (ASV). A passing scan is required for each quarter.
- Discuss security with your web hosting provider to ensure that they have secured their systems appropriately. Web and database servers should be hardened: change default settings and accounts, and disable unnecessary services, ports and protocols. Many international system hardening standards exist, such as the benchmarks provided by the Center for Internet Security – http://www.cisecurity.org/benchmarks.html – and merchants should encourage their web host provider to adopt them.
- Penetration tests must be run annually and after any significant change to the environment.
- Any software or hardware that you choose to use to process transactions should hold product approval from the Payment Card Industry Security Standards Council (PCI SSC). We recommend that you check the PCI SSC lists to confirm the approval of the product and version you use.
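The hardening point above (disable unnecessary services) is easier to act on when it is turned into a repeatable check. The following is an added example, not part of the original checklist or of any PCI SSC material: a small POSIX shell function that compares the ports a server is listening on against an agreed allow-list and reports anything unexpected. The input is the local address column of `ss -tlnH`, one socket per line; the sample input below is constructed for the example, and the allow-list of 22, 80 and 443 is an assumption for a typical web host.

```shell
#!/bin/sh
# Added example (not from the original page): report listening ports that are
# not on an agreed allow-list, as a basic "unnecessary services" check that a
# merchant can ask a hosting provider to run on web and database servers.

# audit_listeners ALLOW_LIST < listeners
#   ALLOW_LIST: space-separated port numbers that are expected to be open.
#   stdin:      one "address:port" per line (the local address column of
#               `ss -tlnH`, e.g. 0.0.0.0:443 or [::]:22).
#   Prints every listening port that is not in the allow-list.
audit_listeners() {
    allow="$1"
    while IFS= read -r addr; do
        [ -z "$addr" ] && continue
        port="${addr##*:}"          # text after the last colon is the port; works for [::]:80 too
        case " $allow " in
            *" $port "*) ;;         # expected service, nothing to report
            *) echo "$port" ;;      # unexpected: candidate for disabling or justifying
        esac
    done
}

# Constructed sample: what a web host might be listening on before hardening.
# 21 (FTP) and 111 (rpcbind) are the kind of default services to disable;
# 3306 (MySQL) is bound to loopback only but still needs to be on the list
# if the database is meant to be there.
SAMPLE_LISTENERS='0.0.0.0:22
0.0.0.0:80
0.0.0.0:443
127.0.0.1:3306
[::]:111
0.0.0.0:21'

# Demo run against the constructed sample with an assumed allow-list.
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "22 80 443"
```

On a live host the demo line becomes `ss -tlnH | awk '{print $4}' | audit_listeners "22 80 443"`. Anything the function prints should either be disabled or added to the documented allow-list with a business justification, which is exactly the evidence an assessor asks for under the hardening requirements.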
If you have any questions about becoming or remaining compliant, speak to your acquirer for assistance. Your acquirer is the company with which you hold your merchant account, and most acquirers have programmes in place to manage and support their merchants' ongoing PCI DSS compliance and validation.