
PCIDSS

What is PCI DSS

PCI DSS (Payment Card Industry Data Security Standards) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was established by the major credit card brands to help prevent credit card fraud, hacking, and various other security vulnerabilities and threats.

PCI DSS and Your Business

Protect Sensitive Data

Compliance helps in safeguarding sensitive cardholder information, thus reducing the risk of data breaches.

Build Customer Trust

By complying with PCI DSS, businesses can build and maintain trust with their customers, assuring them that their data is handled securely.

Enhance your reputation

Being PCI DSS compliant can enhance a business’s reputation by demonstrating a commitment to security.

Avoid Fines

Non-compliance can result in hefty fines from credit card companies and banks.

Small Business Compliance

Small businesses often assume that using third-party payment processors like PayPal or Square absolves them of PCI DSS compliance responsibilities. While it’s true that these platforms handle much of the heavy lifting, businesses still need to ensure their operations are compliant.

UNDERSTAND YOUR COMPLIANCE LEVEL

The first step is to determine your PCI DSS compliance level, which varies based on the number of transactions you process annually. Even if PayPal or Square processes these transactions on your behalf, you need to know where your business stands.

Level 1
  • Who It Applies To: This level applies to merchants, regardless of their acceptance channel (e-commerce, retail, etc.), that process over 6 million Visa or Mastercard transactions per year.
  • Compliance Requirements: Merchants must undergo an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an Internal Auditor if signed off by an officer of the company. They must also complete a quarterly network scan by an Approved Scan Vendor (ASV).
Level 2
  • Who It Applies To: Merchants that process 1 to 6 million Visa or Mastercard transactions per year fall into this category.
  • Compliance Requirements: These merchants are required to complete an annual Self-Assessment Questionnaire (SAQ) to evaluate their compliance with PCI DSS requirements. They also need to undergo a quarterly network scan by an ASV.
Level 3
  • Who It Applies To: This level specifically targets merchants processing 20,000 to 1 million Visa or Mastercard e-commerce transactions per year.
  • Compliance Requirements: Similar to Level 2 merchants, those at Level 3 must complete an annual SAQ and perform a quarterly network scan by an ASV.
Level 4
  • Who It Applies To: This level is for merchants processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually or those processing up to 1 million transactions annually across all channels.
  • Compliance Requirements: Level 4 merchants are required to complete an annual SAQ and may need to undergo a quarterly network scan by an ASV, depending on the acquirer or payment brand’s requirements.
Key Takeaways
  • Transaction Volume: The primary factor determining a merchant’s PCI DSS compliance level is the total yearly transaction volume across all channels.
  • Validation Requirements: Higher levels of transaction volume require more rigorous validation of compliance, including external audits and network scans.
  • Tailored Requirements: The PCI DSS recognizes the varied risk levels associated with different transaction volumes and tailors its requirements accordingly to ensure that all merchants implement adequate security measures.

SECURING SYSTEMS AND NETWORKS

Even if you’re using third-party processors, your systems and networks could still be vulnerable. Implementing basic security measures like firewalls, regularly updating software, and encrypting sensitive data is crucial.

Install and Maintain a Firewall

Firewalls act as a barrier between your internal network and untrusted external networks such as the internet. A properly configured firewall will help protect sensitive cardholder data by controlling inbound and outbound network traffic based on a set of predetermined security rules.

Action Steps:

  • Ensure that hardware and software firewalls are properly configured and updated regularly.
  • Establish rules that specifically limit access to cardholder data to only what is necessary for business operations.
Change Vendor-Supplied Defaults

Manufacturers often ship hardware and software with default usernames and passwords to simplify setup. These defaults are well-known and pose a significant security risk if not changed.

Action Steps:

  • Change default passwords and other security parameters before deploying new devices or software on your network.
  • Regularly update passwords to more complex and unique alternatives.
Protect Stored Cardholder Data

Even if the bulk of cardholder data is handled by PayPal or Square, your business might still store some form of this data temporarily or inadvertently.

Action Steps:

  • Understand data flow within your business to ensure that no unnecessary cardholder data is stored.
  • If storage is necessary, ensure it is encrypted and access is restricted.
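Checking whether cardholder data has crept into logs or files is the practical side of "understand data flow." The following is an added example, not code from the original page or its vendor: a small discovery and redaction tool that finds digit runs that pass the Luhn check (which every real card number satisfies), reports them masked to first six and last four, and rewrites the text with the same masking. The log lines and card numbers are constructed (public test numbers), and the regex is an assumption of the example rather than a brand-specific BIN list.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
# Brand BIN ranges are deliberately not encoded here; Luhn filtering does the work.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum every card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Show at most the first six and last four digits, the PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _normalise(match):
    return re.sub(r"[ -]", "", match.group(0))

def find_pans(text):
    """Return full PANs found in text; Luhn validation drops most look-alike numbers."""
    return [d for d in map(_normalise, PAN_CANDIDATE.finditer(text)) if luhn_valid(d)]

def redact(text):
    """Replace every Luhn-valid PAN in text with its masked form, leaving other numbers alone."""
    def repl(m):
        d = _normalise(m)
        return mask_pan(d) if luhn_valid(d) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)

# Constructed sample application log: one debug line leaked a full PAN, one a retry,
# and an order id that merely looks like a card number. Card numbers are public test values.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO order=1234567890123456 status=paid
2024-05-01 12:00:02 DEBUG request body: card=4111 1111 1111 1111 exp=12/27
2024-05-01 12:00:03 DEBUG retry card=378282246310005
2024-05-01 12:00:04 INFO token=tok_9f8e7d6c5b4a shipped
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("stored PAN found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Run it over exported logs, backups and upload directories; any hit is data you either did not know you stored or must now encrypt and access-restrict.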
Encrypt Transmissions

Data transmitted over the internet is susceptible to interception. Encryption protects this data, making it unreadable to unauthorized individuals.

Action Steps:

  • Use strong encryption (TLS 1.2 or later; SSL and early TLS versions are no longer considered secure under PCI DSS) for transmitting cardholder data and sensitive information.
  • Avoid sending sensitive data via email or other unsecured methods.
Update Anti-Virus

Malware can compromise system security and give attackers access to sensitive data.

Action Steps:

  • Install anti-virus software on all systems commonly affected by malware, not just workstations.
  • Ensure the anti-virus software is set to update automatically and perform regular scans.
Develop and Maintain Secure Systems and Applications

Vulnerabilities in systems and applications can be exploited by attackers to gain unauthorized access to cardholder data.

Action Steps:

  • Regularly apply vendor-supplied security patches and updates for all software.
  • Implement a process for evaluating software development practices if you develop in-house applications that process payment information.
Restrict Access

Not everyone in your organization needs access to cardholder data. Limiting access reduces the risk of unauthorized access.

Action Steps:

  • Implement role-based access controls to ensure that only authorized personnel have access to sensitive information.
  • Regularly review access permissions to ensure they align with job responsibilities.
Unique IDs

Tracking access to network resources and cardholder data is crucial for identifying and preventing unauthorized access.

Action Steps:

  • Ensure each user has a unique username and strong password.
  • Implement two-factor authentication for accessing sensitive systems and data.

SELF-ASSESSMENT QUESTIONNAIRE (SAQ)

Most small businesses using third-party processors will qualify for a simplified version of the PCI DSS self-assessment questionnaire (SAQ). This questionnaire helps businesses evaluate their compliance with PCI DSS requirements.

Understanding the Self-Assessment Questionnaire (SAQ)

The SAQ comes in different versions, each tailored to various business environments and how they handle payment card data. Selecting the correct SAQ is crucial because it determines the specific requirements you need to validate as part of your compliance effort.

Selecting the Right SAQ

To determine which SAQ applies to your business, you’ll need to consider several factors:

  1. The Way You Process Payments: This includes whether you process payments in-person, online, or both, and whether you use a third-party service for processing.
  2. Your Payment Systems: Whether you have a fully outsourced, hosted payment solution, an integrated point-of-sale system, or something in between.
  3. Cardholder Data Environment: The extent to which you store, process, or transmit cardholder data.

Common Types of SAQs

  • SAQ A: For merchants that outsource all cardholder data functions to third parties and do not store, process, or transmit any cardholder data on their systems or premises.
  • SAQ A-EP: For e-commerce merchants who outsource all payment processing to PCI DSS validated third parties but have a website that could impact the security of the payment transaction.
  • SAQ B: For merchants using only standalone, dial-out terminals to process payments and do not electronically store cardholder data.
  • SAQ C: For merchants with payment application systems connected to the internet, without electronic cardholder data storage.
  • SAQ D: For all other merchants and service providers that don’t fit into the categories for SAQs A through C, and for those with more complex environments.
Completing the SAQ

Completing the SAQ requires a thorough review of your payment card operations and IT environment against the specific control objectives and requirements outlined in the questionnaire.

  1. Gather Documentation: Before starting, gather relevant documentation about your payment processes and IT environment. This includes network diagrams, data flow charts, and any policies and procedures related to payment processing and data security.
  2. Assess Your Environment: Go through each question in the SAQ, assessing your current practices against the requirements. This will likely involve discussions with various stakeholders in your business, including IT personnel, vendors, and possibly even customers.
  3. Implement Required Controls: If you identify gaps in compliance, you’ll need to implement the required controls to meet the PCI DSS requirements. This may involve technical adjustments, process changes, or both.
  4. Validate and Attest: Once you’ve completed the SAQ, you’ll need to attest to the accuracy of the information and your compliance status. This attestation is typically signed by an officer of the company, affirming that the assessment is complete and truthful.
  5. Submit Documentation: Depending on the requirements of your acquiring bank or payment brands you work with, you may need to submit your completed SAQ and attestation, along with any other requested documentation, to validate your compliance.

MONITORING AND TESTING NETWORKS

Regularly monitoring and testing your networks can help identify vulnerabilities before they become serious threats. This includes running scans and checking for unauthorized access to the network.

Regularly Monitor and Test Networks

Implement a Process for Monitoring Security Controls

  • Continuous Monitoring: Set up systems for continuous monitoring of security controls to detect unauthorized access or anomalies in network traffic that could indicate a security threat. Tools like intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be invaluable here.
  • Log Management: Ensure that all access to network resources and cardholder data is logged and that logs are retained for at least one year, with a minimum of three months immediately available for analysis. Regularly review logs to identify suspicious activity.

Conduct Regular Vulnerability Scans and Penetration Tests

  • Vulnerability Scans: Perform automated scans of your networks and systems at least quarterly or after any significant changes to the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). Use an Approved Scanning Vendor (ASV) certified by the PCI SSC for external scans.
  • Penetration Testing: Conduct penetration testing at least annually or after significant changes to the network. This involves hiring a qualified professional to attempt to breach the security of your systems using the same techniques as an attacker. The goal is to identify and fix vulnerabilities before malicious actors can exploit them.

Use Intrusion Detection/Prevention Systems

  • Deploy IDS/IPS solutions to monitor network and system traffic for signs of a potential attack. These systems can help in identifying and stopping attacks on the network.

Implement File Integrity Monitoring (FIM)

  • FIM Tools: Use FIM tools to alert you to unauthorized changes to critical system files, configuration files, or content files. This can help in detecting and responding to malicious changes in real-time.
Best Practices
  • Segment Your Network: By segmenting your network, you can reduce its complexity and make it easier to monitor and secure. Ensure that systems that store, process, or transmit cardholder data are isolated from other parts of the network.
  • Stay Informed About New Threats: Regularly update your knowledge of the latest cybersecurity threats and vulnerabilities. This can help you adjust your monitoring and testing practices to be more effective against new types of attacks.
  • Train Your Staff: Ensure that your staff is trained on the importance of security monitoring and knows what to do in case they detect suspicious activity.
  • Create an Incident Response Plan: Have a plan in place for responding to security incidents. This plan should include steps for containment, eradication, and recovery, along with procedures for notifying affected parties and reporting breaches to the appropriate authorities.

MAINTAIN POLICIES FOR INFORMATION SECURITY

Finally, it’s important to establish and maintain a policy that addresses information security for all employees. This policy should outline your business’s approach to maintaining PCI DSS compliance.

Develop an Information Security Policy
  • Comprehensive Coverage: The policy should cover all aspects of your business’s security practices, from employee conduct and physical security to digital security measures and response plans for potential breaches.
  • Clear and Accessible: Make sure the policy is written in clear, accessible language so all employees can understand it. It should be readily available to all staff members who handle or could affect the security of cardholder data.
Include Key Areas in Your Security Policy
  • Data Protection: Detail how cardholder data is protected, including the use of encryption, access controls, and any restrictions on data storage and transmission.
  • Access Control: Define who has access to cardholder data and the systems that store, process, or transmit this data. Include the processes for granting, revoking, and managing access rights.
  • Physical Security: Outline measures to protect physical assets that store or process cardholder data, including servers, workstations, and network equipment.
  • Incident Response Plan: Include a plan for responding to security incidents, detailing response procedures, roles and responsibilities, and communication strategies.
  • Vendor Management: If you work with vendors or third parties that impact the security of cardholder data, your policy should include criteria for selecting and monitoring these partners.
Regularly Review and Update the Policy
  • Annual Reviews: Conduct at least annual reviews of your security policy to ensure it remains relevant and effective. This review should also consider any changes in business operations, technology, or threats.
  • Adjustments and Improvements: Make necessary adjustments to address any weaknesses or gaps identified during reviews or as a result of security incidents.
Train your employees
  • Regular Training Sessions: Organize regular training sessions to ensure employees understand the security policy and their individual responsibilities. Training should also cover recognizing and responding to security threats.
  • New Employee Orientation: Include security policy training as part of the orientation process for new hires.
Enforce Policies
  • Accountability: Establish clear consequences for violating the security policy to ensure employees take their responsibilities seriously.
  • Monitor Compliance: Use audits, security reviews, and other methods to monitor compliance with the policy and address non-compliance promptly.
Best Practices
  • Engagement: Involve stakeholders from across your business in the development and review of the security policy to ensure it addresses all relevant areas and has broad support.
  • Customization: Tailor your policy to the specific needs and risks of your business rather than using a one-size-fits-all approach.
  • Communication: Communicate any changes to the policy to all relevant parties promptly and clearly.

Achieving PCI DSS

Achieving PCI DSS compliance is a continuous process that requires attention and effort from small businesses, even when using third-party payment processors like PayPal or Square. By taking proactive steps towards compliance, businesses can not only protect their customers’ data but also enhance their reputation and build trust. Remember, in the digital age, the security of your payment transactions is not just a regulatory requirement—it’s a cornerstone of your business’s success.

Need help with PCI DSS?

© 2024 8 Digit IO L.L.C.