
PCI DSS requirements: All you need to know to be PCI DSS compliant

Industry
16 Nov 2023
Andrii Stoikov
Head of Support, Integration, Billing Operations, Solidgate
Secure infrastructure, trusted partners, and ongoing monitoring—discover PCI DSS essentials. Ensure compliance, reduce fraud risk, and safeguard customer data.

The Payment Card Industry Data Security Standard (PCI DSS) is the set of security requirements that any organisation storing, processing or transmitting cardholder data must meet. It is not a law: the card brands mandate it contractually through acquiring banks, which is why merchants and payment providers cannot opt out of it. This guide explains what the requirements are, how the integration method you choose changes your compliance scope, where tokenization fits in, and how compliance is validated and by whom.

What are PCI DSS requirements?

PCI DSS groups its 12 numbered requirements under six control objectives. Together they protect the cardholder data environment (CDE), meaning every system that stores, processes or transmits cardholder data, plus any system connected to it:
  • Build and maintain a secure network and systems: install and maintain network security controls (firewalls) around the CDE and do not use vendor-supplied defaults for passwords and other security parameters.
  • Protect cardholder data: render stored cardholder data unreadable and encrypt it in transit across open, public networks.
  • Maintain a vulnerability management program: protect all systems against malware, and develop and maintain secure systems and software, including timely patching.
  • Implement strong access control measures: restrict access to cardholder data by business need to know, identify and authenticate every user, and restrict physical access.
  • Regularly monitor and test networks: log and monitor all access to network resources and cardholder data, and test security systems and processes on a schedule.
  • Maintain an information security policy: a policy that addresses all personnel, is reviewed at least annually, and covers the management of third-party service providers that handle cardholder data (Requirement 12.8).
Demonstrating compliance is a separate step from meeting the requirements: merchants report to their acquirer and service providers to the card brands, as described under PCI DSS validation below.
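Most of the "protect cardholder data" objective comes down to making sure the full primary account number (PAN) is never readable where it does not need to be, and application logs are where that rule is broken most often. The following is an added example, not code from the original article or from Solidgate: a scrubber that finds Luhn-valid PAN candidates in text and masks them to the first six and last four digits that PCI DSS allows to be displayed. The log lines are constructed for the example and use published test card numbers.

```python
"""Find and mask primary account numbers (PANs) in log text.

Added example, not code from the original article or from Solidgate.
PCI DSS Requirement 3 wants stored PAN rendered unreadable and allows
at most the first six and last four digits to be displayed; logs are
where full PANs most often leak, so a scrubber in the logging pipeline
is a common control. The sample log lines below are constructed.
"""
import re
from typing import List, Tuple

# A PAN candidate is 13 to 19 digits, optionally separated by single
# spaces or hyphens. The lookarounds stop us matching inside a longer
# run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (published test card numbers, not real cards).
SAMPLE_LOG = [
    "2023-11-16T10:02:11Z INFO  checkout user=alice order=1234567890123456 "
    "card=4111 1111 1111 1111 status=AUTH",
    "2023-11-16T10:02:12Z DEBUG psp request body pan=5555555555554444 exp=12/26",
    "2023-11-16T10:02:13Z INFO  amex card=378282246310005 status=DECLINED",
    "2023-11-16T10:02:14Z INFO  refund order=1234567890123456 amount=19.99",
]


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn mod-10 check that card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS Requirement 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN candidate in `line`.

    Returns the scrubbed line and how many PANs were masked. Candidates
    that fail the Luhn check (order numbers, timestamps) are left untouched.
    """
    masked = 0

    def replace(match: "re.Match[str]") -> str:
        nonlocal masked
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        masked += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), masked


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a batch of log lines; returns (scrubbed lines, total PANs masked)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE_LOG)
    print(f"masked {count} PAN(s)")
    for line in cleaned:
        print(line)
```

The Luhn check is what keeps the order number in the sample from being masked while the three card numbers are. It is not perfect: about one in ten random digit strings passes Luhn, and the pattern misses PANs split across lines or separated by other characters, so treat a scrubber as a safety net behind the real fixes, which are to stop logging request bodies at debug level and to tokenize card data before it reaches systems you run.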
The 12 PCI DSS requirements

The six objectives above break down into 12 requirements. The titles below follow PCI DSS v3.2.1; v4.0 reworded some of them (Requirement 1 becomes "install and maintain network security controls") but kept the same structure.
  • Requirement 1 Install and maintain a firewall configuration to protect cardholder data
    Firewalls, or equivalent network security controls, must sit between the cardholder data environment and every untrusted network, including the internet and the rest of the corporate network. Rules should deny all traffic by default and permit only what the business needs, be documented with a justification, and be reviewed at least every six months. Segmenting the CDE this way is also what keeps the rest of the network out of PCI DSS scope.
  • Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters
    Change or remove every default account, password and key before a system goes live, disable services and protocols that are not needed, and build systems from documented configuration standards based on accepted hardening guides. Attackers try published default credentials first.
  • Requirement 3 Protect stored cardholder data
    Store as little cardholder data as possible, for as short a time as the business needs, and render the primary account number (PAN) unreadable wherever it is stored through truncation, one-way hashing, tokenization or strong encryption with properly managed keys. When PAN is displayed, at most the first six and last four digits may be shown. Sensitive authentication data (full track data, card verification code, PIN) must never be stored after authorization, even encrypted. Application logs are where this is most often broken, so check them.
  • Requirement 4 Encrypt transmission of cardholder data across open, public networks
    Cardholder data in transit over the internet, wireless or other public networks must be protected with strong cryptography, in practice TLS 1.2 or later with trusted certificates; SSL and early TLS have been prohibited since June 2018. Unprotected PAN must also never be sent through end-user messaging such as email or chat.
  • Requirement 5 Use and regularly update anti-virus software or programs
    Malware delivered through phishing links and attachments is a common route into networks that hold cardholder data. Anti-malware software must run on all systems commonly affected by malware, be kept current, perform periodic scans, generate audit logs and not be disabled or altered by users.
  • Requirement 6 Develop and maintain secure systems and applications
    Identify newly disclosed vulnerabilities, rank them by risk and install vendor security patches promptly (critical patches within one month). Software you write yourself must follow secure development practices: code review before release, protection against common web vulnerabilities such as injection and cross-site scripting, change control, and, for public-facing web applications, either regular application security testing or a web application firewall.
  • Requirement 7 Restrict access to cardholder data by business need to know
    Access to the CDE and to cardholder data must be limited to the roles that need it for their job, with a default deny-all rule and least privilege, so that an insider or a single compromised account exposes as little as possible.
  • Requirement 8 Assign a unique ID to each person with computer access
    Every user and administrator must have a unique ID so that actions can be traced to an individual; shared and generic accounts are not allowed. Authentication must use strong passwords or an equivalent, and multi-factor authentication is required for all non-console administrative access to the CDE and for all remote access (v4.0 extends it to all access into the CDE).
  • Requirement 9 Restrict physical access to cardholder data
    Cardholder data needs physical protection as well: control entry to areas where it is stored or processed, log visitors, keep an inventory of media and point-of-interaction devices, and destroy media securely when it is no longer needed.
  • Requirement 10 Track and monitor all access to network resources and cardholder data
    Log all individual access to cardholder data, all administrative actions and all authentication attempts, recording user ID, timestamp, event type, outcome and the affected resource, from synchronised clocks. Logs must be protected from tampering, reviewed daily (automated tooling is expected) and retained for at least a year, with three months immediately available, so that a compromise can be reconstructed.
  • Requirement 11 Regularly test security systems and processes
    Run internal and external vulnerability scans at least quarterly and after significant changes, with the external scans performed by a PCI SSC Approved Scanning Vendor (ASV); perform network and application penetration tests at least annually; and run intrusion detection or prevention and change-detection (file integrity monitoring) on critical files.
  • Requirement 12 Maintain a policy that addresses information security for all personnel
    The information security policy must set out everyone's responsibilities, be reviewed at least annually, and be backed by a formal risk assessment, security awareness training, personnel screening within the constraints of local law, a tested incident response plan, and a programme for managing service providers that includes keeping a list of them and confirming their PCI DSS status at least annually.

Integration method and PCI DSS

There are several methods for integrating payment systems with a merchant's website or application, and each has different implications for PCI DSS compliance: which of the merchant's systems are in scope, and which Self-Assessment Questionnaire (SAQ) or report the merchant has to complete.

Direct integration

With a direct integration, card data is collected by the merchant's own pages and sent to the payment provider from the merchant's servers. Every system that handles that data is in scope, so the merchant has to meet all 12 requirements for those systems and validate with SAQ D (or a Report on Compliance if its acquirer requires one). This gives the most control over the checkout experience at the highest compliance cost.

Hosted Payment Page

Here the customer is redirected to, or shown in an iframe, a payment page hosted by the PCI DSS-compliant provider, and card data never touches the merchant's servers. The merchant's scope shrinks accordingly and it normally validates with SAQ A, the shortest questionnaire. It does not shrink to zero: the merchant remains responsible for the page that performs the redirect or embeds the iframe, because an attacker who can change that page can send customers to a fake payment form or inject a skimming script. PCI DSS v4.0 makes this explicit by requiring payment-page scripts to be inventoried and authorised and the page to be monitored for unauthorised changes (Requirements 6.4.3 and 11.6.1), and the merchant still has to serve its own site over TLS and keep a written agreement with the compliant provider.

PCI DSS tokenization

Tokenization replaces the PAN with a surrogate value, the token, that has no exploitable value on its own and can only be mapped back to the card inside the token provider's vault. The merchant stores and uses the token for repeat billing, refunds and reporting without ever holding the PAN, which takes its storage systems out of scope for Requirement 3. Two caveats matter. First, tokenization only removes scope for systems the PAN never reaches: if the card number passes through the merchant's server on its way to being tokenized, that server is still in scope, so the card should be captured with a hosted field or page that tokenizes before the data reaches the merchant. Second, a token that can authorise payments is still a credential: restrict which API keys may charge it, log its use, and treat the provider that holds the vault as a service provider under Requirement 12.8.

Payment gateway integration

A payment gateway sits between the merchant and the acquirer or processor and is itself validated as a PCI DSS service provider (Level 1 if it handles more than 300,000 transactions a year). Using one does not make the merchant compliant, but it lets the merchant push the most demanding requirements onto the gateway and keep only its own systems in scope. What remains with the merchant depends on how card data reaches the gateway: a gateway-hosted page or iframe means SAQ A; a merchant-hosted form that posts card data straight to the gateway, or JavaScript served from the merchant's site that builds the payment form, means SAQ A-EP; card data passing through the merchant's own backend means SAQ D.
In all cases, confirm that the provider is listed as a compliant service provider or can produce a current Attestation of Compliance, keep the written agreement Requirement 12.8 calls for, and make sure the integration pattern actually matches the SAQ you intend to file.

PCI DSS validation

PCI DSS validation is the process of demonstrating to the party that requires compliance, the acquiring bank for merchants or the card brands for service providers, that the requirements are met. The PCI Security Standards Council (PCI SSC) publishes the standard and the validation documents, but the levels that decide how an organisation must validate are set by the individual card brands and are based on annual transaction volume. The documents are:
  • Self-Assessment Questionnaire (SAQ): a checklist the organisation completes itself. There are several versions matched to how cards are accepted, from SAQ A (all card handling outsourced, for example a hosted payment page) through SAQ A-EP (an e-commerce site that does not receive card data but can affect the payment page) and SAQ P2PE (validated point-to-point encryption terminals) to SAQ D (everything else, including anyone who stores cardholder data).
  • Report on Compliance (ROC): the full onsite assessment of every requirement, performed by a PCI SSC Qualified Security Assessor (QSA) or, for merchants, a trained Internal Security Assessor (ISA), and documented in the ROC template. "Onsite assessment" and ROC are the same thing: the assessment is the work, the ROC is its output.
  • Attestation of Compliance (AOC): the signed summary that accompanies either an SAQ or a ROC and states the result. It is the document a merchant hands to its acquirer, and the one a service provider gives to its customers as evidence of compliance.
Which combination is required depends on level. Using Visa's definitions (Mastercard's are similar): merchants processing more than 6 million transactions a year are Level 1 and need an annual ROC by a QSA or ISA; those between 1 million and 6 million are Level 2 and complete an annual SAQ; those with 20,000 to 1 million e-commerce transactions are Level 3 and those below that are Level 4, both completing the applicable SAQ. Service providers that store, process or transmit more than 300,000 transactions a year are Level 1 and need a ROC; smaller ones complete SAQ D for service providers. An acquirer can also require a higher level of validation than volume alone would, for example after a breach.
It's important to note that PCI DSS compliance is an ongoing process, not a one-time validation. Merchants must regularly review and update their security measures to ensure they remain compliant with the PCI DSS, and the AOC has to be renewed every year.

Achieving compliance through Solidgate

Solidgate, as a payment gateway company, offers a platform that enables merchants to securely accept and process credit card payments, and provides various tools and services to help merchants achieve and maintain PCI DSS compliance. Some ways Solidgate can help merchants achieve compliance include:

PCI DSS-Compliant infrastructure

Solidgate’s platform is built on a PCI DSS-compliant infrastructure, which means it follows the security standards set by the major credit card companies to protect against credit card fraud and ensure the security of customer data.

Tokenization

Solidgate provides tokenization, which replaces sensitive cardholder data with a unique token. The token can then be used for future transactions without the merchant storing or transmitting the card number. This helps merchants reduce their PCI DSS scope and compliance burden, provided the card data is captured in a way that does not pass through the merchant's own servers.

Secure payment gateway

Solidgate provides a secure payment gateway that encrypts and transmits customer data to the merchant’s payment processor, which reduces the merchant’s responsibility for protecting customer data.

Compliance support

Solidgate provides support and guidance to merchants in understanding and meeting the requirements of the PCI DSS, including completing self-assessment questionnaires and providing documentation and evidence to demonstrate compliance.

Regular security updates and monitoring

Solidgate continuously monitors and updates its security measures to maintain compliance with the PCI DSS and protect customer data.

PCI DSS-Certified partners

Solidgate works with PCI-recognised partners, including Qualified Security Assessors (QSAs), vendors whose software was validated under PA-DSS (now superseded by the PCI Software Security Framework), and PCI DSS-validated Payment Service Providers (PSPs), to ensure that merchants comply with industry standards.
By choosing Solidgate’s platform, merchants can focus on their core business while ensuring that their customers’ payment data is secure and protected.

How is PCI compliance validated with Solidgate?

In Solidgate, PCI compliance is validated through a combination of self-assessment and third-party assessment. The process of validation generally includes the following steps:
  • Self-assessment: Solidgate conducts regular self-assessments to ensure that its platform and infrastructure comply with the Payment Card Industry Data Security Standards (PCI DSS). This typically includes a review of policies, procedures, and controls related to security, as well as regular testing and monitoring of the platform.
  • Third-party assessment: Solidgate engages a Qualified Security Assessor (QSA) to independently evaluate the platform and infrastructure to verify compliance with the PCI DSS. This typically includes an on-site assessment of the platform and infrastructure, as well as a review of policies, procedures, and controls related to security.
  • Reporting: Solidgate submits regular compliance reports to the payment brands to demonstrate ongoing compliance with the PCI DSS.
  • Ongoing compliance: Solidgate continuously monitors and updates its security measures to maintain compliance with the PCI DSS and protect customer data.
  • Attestation of Compliance (AOC): Solidgate provides its current AOC, the QSA-verified summary of its assessment, to merchants on request, so they can evidence their service provider's compliance status, which Requirement 12.8 expects merchants to track for every provider that handles cardholder data on their behalf.
It’s important to note that PCI DSS compliance is an ongoing process, not a one-time validation. Solidgate must regularly review and update its security measures to ensure it complies with the PCI DSS.
Also, it is crucial for merchants to ensure that they are using a PCI DSS-compliant payment gateway and to work with the payment gateway to understand and meet the requirements of the PCI DSS.

Reporting a non-compliant payment provider

If you suspect that a payment provider is not meeting PCI DSS, there are three routes: ask the provider directly, raise it with your acquiring bank and the card brands, and, where the concern is about the assessor's work, the PCI SSC. Before doing any of them, check the public record: Visa's Global Registry of Service Providers and Mastercard's list of compliant service providers show who holds a current validation, and a compliant provider can produce its Attestation of Compliance on request.

Complain to the payment provider

Contact the provider's customer service or security team and set out your concern with whatever evidence you have. Ask for a copy of its current Attestation of Compliance and for the name of the QSA that performed the assessment. A provider that cannot produce these, or whose AOC has lapsed, is the signal to escalate.

Complain to the credit card brand

Your acquiring bank is the party that requires your compliance and holds the contractual relationship with the card brands, so report the issue to it first. You can also contact the relevant card brand (Visa, Mastercard, American Express, Discover or JCB) directly; each runs its own compliance programme and can require a provider to re-validate, remove it from its registry or impose fines and other penalties through the acquirer if it finds the provider is not compliant.

File a complaint with the PCI SSC

The PCI SSC publishes the standard and runs the programmes that qualify assessors (QSAs), scanning vendors (ASVs) and other PCI professionals. It does not accept complaints about individual merchants or providers, does not investigate breaches, and does not issue or revoke anyone's PCI DSS compliance; there is no PCI "certification", only validation reported to acquirers and brands, and enforcement belongs to them. What the Council can act on is the quality of an assessor's work. If you believe a QSA signed off a ROC or AOC that it should not have, you can report it to the Council's assessor quality assurance programme, which can place the QSA company in remediation or revoke its qualification.
In summary, if you suspect that a payment provider is not meeting PCI DSS, raise it with the provider, then with your acquirer and the relevant card brand, which can investigate and sanction; involve the PCI SSC only where the concern is about the assessor that validated the provider.
