INFOGRAPHIC - Navigate The PCI-DSS Compliance Process with Confidence

These helpful guidelines will help you achieve strong PCI-DSS compliance and stay compliant over the long-term.

March 18, 2020, by Manhattan Tech Support


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data wherever it is stored, processed or transmitted. Unlike HIPAA or similar regimes it is not a law: the standard is maintained by the PCI Security Standards Council, and it is enforced contractually by the card brands and your acquiring bank through your merchant agreement, not by a government agency.

So, Who Should Maintain PCI-DSS Compliance?

Many small businesses assume the PCI-DSS standard only applies to big companies, but this is false. Any company that accepts, stores, processes or transmits payment card data must be PCI-DSS compliant, even if it only handles a few payments a month.

According to Verizon's 2018 Payment Security Report, none of the firms that suffered a payment card data breach was found to be in full compliance with PCI-DSS at the time of the breach.[i]

The Importance of an Accurate Self-Assessment

Unlike HIPAA or FINRA rules, where a regulator can examine you, PCI-DSS relies on you to validate your own compliance and report it through your acquiring bank. How you validate depends on your merchant level, which is set by your annual transaction volume: the largest merchants need an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance (ROC), while everyone else completes a Self-Assessment Questionnaire (SAQ). Depending on the SAQ type, you may also need quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

The Four Merchant Levels of PCI-DSS (Visa's definitions; Mastercard's are similar, and your acquirer makes the final call)

  • Level 1 – More than 6 million transactions per year across all channels, any merchant that has suffered a breach, or any merchant a card brand designates Level 1 to reduce risk (for example a global merchant already at Level 1 in another region). Validation: annual on-site assessment (ROC) plus quarterly ASV scans.
  • Level 2 – 1 to 6 million transactions per year across all channels. Validation: annual SAQ plus quarterly ASV scans.
  • Level 3 – 20,000 to 1 million e-commerce transactions per year. Validation: annual SAQ plus quarterly ASV scans.
  • Level 4 – Fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year. Validation: annual SAQ, with ASV scans if your acquirer requires them.

Self-reporting doesn't mean you have room for error. A merchant found to be out of compliance, usually after a breach, faces fines that the card brands levy on the acquiring bank and the bank passes on to the merchant, plus the cost of a forensic investigation and card reissuance, and it can lose the right to process card transactions entirely.

Fines aren’t the only problem associated with PCI-DSS non-compliance

  • Damaged reputation
  • Revenue loss
  • Legal action

81% of consumers would stop doing business with a company they know had experienced a data breach.[ii]

What Makes a Company PCI-DSS Compliant?

PCI-DSS is long and technical, which can make it hard for a layperson to follow. The roughly 130-page standard lays out:

  • 12 high-level requirements, grouped into six control objectives
  • Several hundred sub-requirements and testing procedures covering how in-scope IT systems are configured, monitored and reported on

The process of achieving PCI-DSS compliance involves a commitment to the cycle of assessing, remediating and reporting your status.

  • Assess
    Identify what card data you're responsible for protecting (where it is stored, processed or transmitted), which IT assets house or can reach that data (your cardholder data environment, or CDE), and any existing compliance gaps.
  • Remediate
    Close the gaps you found, including vulnerabilities on in-scope systems, and manage the third-party service providers that handle card data on your behalf; PCI-DSS makes you responsible for confirming their compliance.
  • Report
    Compile and submit remediation and validation records, in addition to a self-assessment questionnaire (SAQ) or Report on Compliance, an Attestation of Compliance, and ASV scan reports where required.

According to Juniper Research, online payment fraud will reach $48 billion per year by 2023.[iii]

The Good News: PCI-DSS is Built on Strong Cybersecurity

PCI-DSS is complex, but it’s based on established cybersecurity best practices. Those best practices can help you achieve PCI-DSS compliance, while also protecting your network and business from cyberattack.

Proper Firewall Configuration

Firewalls help prevent unwanted access, but they only satisfy PCI-DSS Requirement 1 when they are configured and maintained correctly.

  • Establish, document and review (at least every six months) standards for firewall and router configuration
  • Block direct access between the Internet and your cardholder data environment (CDE): deny all traffic by default and permit only what a documented business need requires

Monitor and Track Network Access

You should keep a documented process for who may access your CDE, granting access on a need-to-know basis (Requirement 7), and make sure unauthorized personnel are kept out.

  • Isolate your cardholder data environment (CDE) from other systems; proper segmentation also shrinks the scope of your assessment
  • Log access to CDE systems and review the logs daily (Requirement 10): every access to cardholder data, every administrative action, and every successful and failed login, so the records are there when an assessor or forensic investigator asks for them
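As an added example, not code from the article or from Manhattan Tech Support, the following Python script shows the kind of review that Requirement 10 logging exists to support. It runs over a few constructed sshd log lines from a hypothetical CDE host and raises alerts when one source trips the six-failure lockout threshold of Requirement 8.1.6, when a login then succeeds anyway (so lockout was not enforced or the password was guessed), and when a session is opened from outside an assumed admin network of 10.0.1.0/24. The host names, addresses and log lines are invented.

```python
"""Added example (not from the original article): detection logic run over
constructed sshd syslog lines from a CDE host.

Assumptions (not from the article): standard OpenSSH log format, log year
2024, and an admin/jump network of 10.0.1.0/24 as the only source allowed
to open sessions to CDE hosts.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed admin network
MAX_FAILURES = 6                # PCI DSS 8.1.6: lock out after no more than six attempts
WINDOW = timedelta(minutes=30)  # PCI DSS 8.1.7: lockout lasts at least 30 minutes
LOG_YEAR = 2024                 # syslog timestamps carry no year; assumed for the sample

# Constructed sample log (hypothetical host, users and addresses).
SAMPLE_LOG = [
    "Mar  1 09:00:01 cde-db01 sshd[2001]: Failed password for admin from 10.9.8.7 port 51000 ssh2",
    "Mar  1 09:00:03 cde-db01 sshd[2002]: Failed password for admin from 10.9.8.7 port 51001 ssh2",
    "Mar  1 09:00:05 cde-db01 sshd[2003]: Failed password for invalid user root from 10.9.8.7 port 51002 ssh2",
    "Mar  1 09:00:07 cde-db01 sshd[2004]: Failed password for admin from 10.9.8.7 port 51003 ssh2",
    "Mar  1 09:00:09 cde-db01 sshd[2005]: Failed password for admin from 10.9.8.7 port 51004 ssh2",
    "Mar  1 09:00:11 cde-db01 sshd[2006]: Failed password for admin from 10.9.8.7 port 51005 ssh2",
    "Mar  1 09:00:13 cde-db01 sshd[2007]: Failed password for admin from 10.9.8.7 port 51006 ssh2",
    "Mar  1 09:00:20 cde-db01 sshd[2008]: Accepted password for admin from 10.9.8.7 port 51007 ssh2",
    "Mar  1 09:00:21 cde-db01 sshd[2008]: pam_unix(sshd:session): session opened for user admin",
    "Mar  1 09:10:00 cde-db01 sshd[2100]: Failed password for alice from 10.0.1.5 port 40000 ssh2",
    "Mar  1 09:10:30 cde-db01 sshd[2101]: Accepted publickey for alice from 10.0.1.5 port 40001 ssh2",
]

_SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line):
    """Turn one sshd login line into an event dict; None for lines we ignore."""
    m = _SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": ipaddress.ip_address(m["src"]), "ok": m["result"] == "Accepted"}


def _alert(kind, ev, detail):
    return {"kind": kind, "host": ev["host"], "user": ev["user"],
            "src": str(ev["src"]), "at": ev["ts"].isoformat(), "detail": detail}


def detect(lines):
    """Return alerts for lockout-threshold breaches, success after lockout,
    and successful logins from outside ADMIN_NET."""
    alerts = []
    failures = defaultdict(list)  # (host, user, src) -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"], str(ev["src"]))
        # Sliding window: only failures inside the lockout window count.
        recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) == MAX_FAILURES:
                alerts.append(_alert("brute-force", ev,
                                     f"{MAX_FAILURES} failed logins within {WINDOW}"))
        else:
            if ev["src"] not in ADMIN_NET:
                alerts.append(_alert("untrusted-source", ev,
                                     "successful login from outside the admin network"))
            if len(recent) >= MAX_FAILURES:
                alerts.append(_alert("success-after-lockout", ev,
                                     "login succeeded after the lockout threshold; "
                                     "lockout not enforced or password guessed"))
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['at']} {a['kind']:22} {a['user']}@{a['host']} from {a['src']}: {a['detail']}")
```

The same three checks translate directly into a SIEM correlation rule; the point of keeping the window and threshold as named constants is that an assessor will ask to see them match what Requirements 8.1.6 and 8.1.7 say, and what the systems themselves enforce.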

Effective Password Management

Passwords are a major security liability, and PCI-DSS Requirement 8 exists so that a weak, default or lost password doesn't turn into a breach.

  • Maintain a complete inventory of all systems that are in scope for PCI-DSS
  • Change vendor default passwords and remove default accounts on all software and hardware before putting them into service (Requirement 2)
  • Disable all unnecessary accounts with access to the CDE, give every user a unique ID, require multi-factor authentication for all non-console administrative access to the CDE, and lock accounts after no more than six failed login attempts

Proper Implementation of Data Encryption

Protecting cardholder data at rest (Requirement 3) and in transit (Requirement 4) is a significant focus of PCI-DSS.

  • Send cardholder data over open, public networks only through strong cryptography, which today means TLS 1.2 or later; SSL and TLS 1.0 no longer qualify, and the deadline for migrating off them passed in June 2018
  • Render stored PANs unreadable (strong encryption, truncation, tokenization or hashing), mask them when displayed to no more than the first six and last four digits, and never store sensitive authentication data such as full track data, the card verification code or the PIN after authorization, even encrypted
  • Document processes for the management of encryption keys: generation, distribution, storage, rotation and retirement

Common PCI-DSS Stumbling Blocks

In our 20 years helping businesses achieve complete PCI-DSS compliance, we’ve identified a few common problem areas where businesses are prone to non-compliance.

Safe Data Removal

PCI-DSS dictates how long cardholder data may be kept and how it must be destroyed. Keep the primary account number (PAN) only as long as a documented business, legal or regulatory need requires, run a purge process at least quarterly to delete what has exceeded that retention, and never retain magnetic stripe data, card verification codes or PINs after authorization. When data is disposed of, paper must be shredded or pulped and electronic media wiped or destroyed so the data cannot be reconstructed.
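The Assess step earlier asks you to find where card data lives, and this section asks you to get rid of what you may not keep. As an added example, not code from the article or from Manhattan Tech Support, the following Python script scans text (log lines, a database export, a file-share listing) for candidate PANs, confirms them with the Luhn check, reports track-2 data and card verification codes as sensitive authentication data, and provides a redact() helper that strips the sensitive authentication data and masks PANs to the first six and last four digits that Requirement 3.3 permits. The sample lines are constructed, and the card numbers in them are widely published test numbers, not real accounts.

```python
"""Added example (not from the original article): find and redact cardholder
data in text before deciding what to keep, mask or destroy.

Assumptions (not from the article): input is a list of text lines already
read into memory; masking follows PCI DSS 3.3 (first six, last four).
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 style data: PAN '=' YYMM expiry, service code, discretionary data.
_TRACK2_RE = re.compile(r"\b\d{13,19}=\d{7,}\b")
# A 3-4 digit value labelled as a card verification code.
_CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)

SAD_LABEL = "sensitive authentication data present"

# Constructed sample input; the PANs are published test numbers.
SAMPLE_LOG = [
    "2024-03-01 10:00:01 pos01 auth ok order=1234567890123456 amount=19.99",
    "2024-03-01 10:00:05 pos01 DEBUG card=4111 1111 1111 1111 exp=12/25",
    "2024-03-01 10:00:09 pos02 DEBUG track2=5555555555554444=2512101000000000 cvv2=123",
    "2024-03-01 10:01:00 web01 GET /checkout?ref=378282246310005",
    "2024-03-01 10:02:00 web01 customer phone=2122997673",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation: filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form allowed by PCI DSS 3.3: first six, last four, rest masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "PAN" or "SAD"
    value: str   # masked PAN, or a label for SAD (never the raw value)


def scan(lines):
    """Report every Luhn-valid PAN and every line carrying SAD."""
    findings = []
    for n, line in enumerate(lines, 1):
        if _TRACK2_RE.search(line) or _CVV_RE.search(line):
            findings.append(Finding(n, "SAD", SAD_LABEL))
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
    return findings


def redact(line: str) -> str:
    """Remediation helper: remove SAD outright, mask any Luhn-valid PAN."""
    line = _TRACK2_RE.sub("[SAD-REMOVED]", line)
    line = _CVV_RE.sub("[SAD-REMOVED]", line)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()

    return _PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("after redaction:", [redact(l) for l in SAMPLE_LOG])
```

Run it against exports of every system in your inventory, not only the ones you believe hold card data; in practice the surprising hits come from debug logs, crash dumps and customer-service ticket attachments. The patterns are deliberately loose, so expect false positives on long numeric identifiers and treat the Luhn check as a filter rather than proof; a hit on sensitive authentication data is always a finding to remove, not to mask.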

Does Your Organization Have the Right Physical Security Protections?

Although most of PCI-DSS concerns technology, Requirement 9 covers physical security too. Protecting devices (laptops, desktop PCs, servers, routers and payment terminals, which must be inventoried and inspected for tampering) and your facility (entry controls, visitor logs, secure media storage) is necessary to avoid fines from the card brands.

According to Verizon, 55.4% of organizations that passed a PCI-DSS audit in 2016 failed an interim audit within just twelve months.[iv]

PCI-DSS Training – The Human Element

Your staff are the first line of defense in strong PCI-DSS compliance. Without their awareness and vigilance, your PCI-DSS compliance efforts are almost sure to fail.

Manhattan Tech Support has made high-quality PCI-DSS awareness training a major feature of its service offering. Training helps companies:

  • Learn about PCI-DSS requirements ahead of a self-assessment
  • Better understand the credit card infrastructure and process
  • Gain the latest insights into PCI-DSS best practices
  • Drive strong PCI-DSS compliance across your organization

Manhattan Tech Support – NYC’s Trusted PCI-DSS Compliance Partner

We’ve been serving the security and compliance needs of NYC businesses for over two decades and can provide any business big or small with a documented path to reliable PCI DSS compliance. If you have a question for our compliance experts about how to achieve compliance with PCI-DSS or any other standard, we’re always available to answer your questions.

Contact us any time at 212-299-7673 or [email protected]!
