8 Critical PCI Compliance Requirements all Businesses Need to Know About


PCI compliance is mandatory for all businesses involved in the processing, storage, and/or transmission of cardholder data. Avoiding penalties, fines, and cost overruns should be the highest priority for companies, so take note of the following 8 essential PCI compliance requirements all businesses need to know about, according to PCI-QSA Charles Denyer of NDB Advisory:

PCI-QSA Charles Denyer


1. Compliance is mandatory - PCI is a strict requirement for merchants, service providers, and other related entities that have a true and credible nexus with cardholder data, and fines can be levied against organizations that don't comply.

2. Policies and Procedures are a Must - Organizations spend so much time, rightfully so, on the technical merits of PCI compliance that they fail to recognize the importance of having documented PCI compliance policies and procedures in place. Who wants to spend countless hours developing these documents? Find a credible, high-quality template online and save hundreds of hours.

3. Quarterly Scanning - Also commonly known as vulnerability assessments, these scans are required each quarter, so find a trusted provider for the service. Checking with your gateway, payment processor, or acquiring bank is usually a good idea, as they may very well have a provider already, often with the service built into the compliance fees they charge for PCI.

4. Penetration Testing - Many organizations have to actually undertake a penetration test, from both a network-layer and an application-layer perspective. These tests can become expensive, and the scope of an actual penetration test is often very subjective.

5. Report on Compliance - More commonly known as the "RoC", the Report on Compliance is the end deliverable for onsite assessments conducted by Payment Card Industry Qualified Security Assessors (PCI-QSA).

6. SAQ vs. Onsite Assessments - PCI compliance really comes down to two (2) options: self-assessing via the Self-Assessment Questionnaires (SAQ), or an onsite assessment by a PCI-QSA, such as Charles Denyer of NDB Advisory (1-800-277-5415, ext. 705, cdenyer@ndbcpa.com).

7. If you process, store, and/or transmit cardholder data, you're in scope for PCI compliance - Just remember that if you have any type of relationship or a credible nexus with cardholder data, then PCI compliance will become a requirement.

8. PCI is a moving target, so stay with it - Forget about the notion of "one and done"; that's not what PCI is about. Rather, it takes a constant commitment to staying compliant with the Payment Card Industry provisions.

Contact PCI-QSA Charles Denyer at 1-800-277-5415, ext. 705, or cdenyer(at)ndbcpa(dot)com, to learn more about PCI compliance requirements for today’s businesses.
Author: Charles Denyer
