PCI DSS
      Back to home
      1. Help Centre
      2. Compliance
      3. PCI DSS

      What are the requirements for PCI DSS?

      Find out what a small-to-medium sized business (Level 4 merchant) has to do to satisfy the PCI DSS requirements and what you are required to do to protect customer card data.

      What does a small-to-medium sized business (Level 4 merchant) have to do to satisfy the PCI DSS requirements?

      • Determine which self-assessment Questionnaire (SAQ) your business should use to validate compliance.
      • Complete the self-assessment Questionnaire according to the instructions it contains.
      • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) or via the VikingCloud portal, at no cost. 
        Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
      • Complete the relevant Attestation of compliance in its entirety (located in the SAQ tool on the VikingCloud portal).
      • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of compliance, along with any other requested documentation, to your acquirer.

      What are you required to do to protect customer card data?

      PCI DSS compliance is mandatory for any business that stores, processes, or transmits card data. You need to meet the following PCI DSS requirements:

      Goals

      PCI DSS requirements

      Build and maintain a secure network

      1.     Install and maintain a firewall configuration to protect cardholder data.

      2.     Do not use vendor-supplied defaults for system passwords and other security parameters.

      Protect cardholder data

      3.     Protect stored cardholder data.

      4.     Encrypt transmission of cardholder data across open, public networks.

      Maintain a vulnerability management program

      5.     Use and regularly update anti-virus software.

      6.     Develop and maintain secure systems and applications.

      Implement strong access control measures

      7.     Restrict access to cardholder data by business "Need to know".
      "Need to know" is when access rights are restricted so you are only provided the data and privileges needed to perform a job.

      8.     Assign a unique ID to each person with computer access.

       

      9.     Restrict physical access to cardholder data.

      Regularly monitor and test networks

      10.  Track and monitor all access to network resources and cardholder data.

      11.  Regularly test security systems and processes.

      Maintain an information security policy

      12.  Maintain a policy that addresses information security for employees and contractors

      For more information about how to meet these requirements: