A few years ago, the major players in the credit card business (Visa, MasterCard, American Express, Discover and JCB) banded together to reduce credit card data loss. They created the Payment Card Industry Security Standards Council, and that council established a standard for the security of cardholder data, released as the PCI Data Security Standard (PCI DSS).

The Council has no legal authority, and each of the card companies applies the Data Security Standard in its own way, but ultimately, if your business wishes to process credit card (or debit card) transactions, it will be required to adhere to the standard.

How Can I Ensure My Business Is PCI Compliant?

Validating compliance is the process of “proving” that your business meets PCI standards. As of January 31, 2017, Visa requires that all businesses, regardless of size, validate compliance. Many business owners are unsure of how to become PCI compliant and often feel too intimidated to start.

Becoming PCI compliant doesn’t need to be painful; just follow these four steps:

  1. Determine Your Compliance Level
    To figure out which level of PCI compliance your business falls under, collect data on how many transactions your organization processes with each major credit card brand.
  2. Take the PCI DSS Self-Assessment Questionnaire
    The PCI DSS Self-Assessment Questionnaire (SAQ) is a set of documents containing questions based on the PCI requirements, each of which you answer “yes” or “no” to. This step is crucial to identifying the missing pieces of your payment security.
  3. Complete a Formal Attestation of Compliance
    After bridging the gaps in your payment security, the next step is to fill out a formal Attestation of Compliance (AOC). This attests that your business is compliant with all relevant PCI standards. Once you complete the AOC, you can have a qualified security assessor review your findings and create a report on your compliance.
  4. Submit Your Documents
    The final step in your PCI compliance journey is submitting your completed SAQ and AOC documents to your bank, as well as to the major card-issuing companies.

After these four crucial steps are completed, an external Qualified Security Assessor (QSA) creates a Report on Compliance (ROC). For businesses handling large volumes of transactions, the QSA will also perform a PCI compliance audit.

Ultimately, it is up to each business owner that accepts payment cards to ensure that their network, and their customers’ data, is secure. If a company is unsure which form it needs to fill out, it should first contact its bank. Educational material is also available on the PCI Council’s website.