PCI compliance checklist: Become compliant

How do I become PCI DSS compliant?

In this guide, you’ll learn the following (click to scroll to that section):

What level of compliance is right for your business?
How to comply with the PCI DSS (includes a PCI compliance checklist)
How we can help you become compliant
How much PCI DSS compliance costs
About data security partners and third parties

If you’re taking card payments, you’ve already committed to ensuring your systems and policies are secure to the Payment Card Industry Data Security Standard. (For more background on PCI DSS and why it’s important, read our guide: What is PCI DSS?)

Get the right level of compliance for your business

Different businesses will need to comply with different levels of PCI DSS, depending on the volume of transactions they process. This is called a ‘merchant level’, and the definitions of these levels are outlined below.

Please also note that we list some examples of how merchants can comply, but their individual needs will have specific requirements set out by a ‘PCI Security Standards Council (SSC) accredited Qualified Security Assessor’. You can find a PCI compliance checklist in the 'How to comply with the PCI DSS' section, below.

Level 1 merchants

What qualifies a merchant as level 1?

Any merchant processing over six million payment card transactions per year
Any merchant who has had a data breach

How can level 1 merchants comply?

Yearly on-site security assessment by a PCI SSC-accredited Qualified Security Assessor, with a subsequent report on their compliance
Quarterly network scans (if they take payments online)
Yearly penetration testing
Implemented security policies

Level 2 merchants

What qualifies a merchant as level 2?

Any merchant processing one to six million payment card transactions a year.

How can level 2 merchants comply?

Annual Self-Assessment by a PCI SSC accredited Internal Security Assessor, or an annual onsite security assessment by a PCI SSC Accredited Qualified Security Assessor
Quarterly network scans (if they take payments online)
Yearly penetration testing
Implemented security policies
If your organisation is completing an annual Self-Assessment, make sure any staff involved in the self-assessment attend PCI Security Standard Council merchant training programmes, and also that they pass any yearly associated accreditation programmes

Level 3 merchants

What qualifies a merchant as level 3?

Any merchant processing 20,000 to one million payment card online transactions per year.

How can level 3 merchants comply?

Barclaycard offer two services for PCI level 3 and 4 customers to manage PCI DSS compliance reporting: the basic self-service package called Data Security Manager (DSM); or the premier 'hand-held' service package called Proactive Security Service (PSS).

Here’s how the process works:

Within 1 month of opening your merchant account, we’ll assign you an account on the DSM portal. We’ll send your login details by post.
We’ll charge a fee for DSM to your account in the month you join the service. See your Charges and Fees document for more information on this.
We give you a 90-day grace period so you have time to: log into DSM, register, complete your profile, complete the assigned self-assessment questionnaire (SAQ), then attest your compliance at the end of the process. (Note: You must attest your compliance a minimum of every 12 months).
If you haven’t reported your compliance via the DSM portal within 90 days of joining DSM, we’ll automatically upgrade you to the hand-held service, PSS. From there, we’ll be in touch to guide you through the steps you need to take to achieve compliance every year. See your Charges and Fees document for how much this service costs.
If you’d like to request an upgrade to the PSS at any time, give us a call on 0330 058 3940 and our specialist team will be happy to help.
You can opt out of this service if you prefer to stay on DSM, however, this means that in addition to the Data Security Fee, you could be charged for non-compliance, which could work out more expensive overall. For more information, see your Charges and Fees document.
If you choose to use an alternative PCI assessor for reporting your compliance, you'll still need to upload your Attestation of Compliance or your Self-Assessment Questionnaire to the DSM portal in order to provide evidence of your compliance status to us.

If you’re required to run quarterly vulnerability scans as part of your compliance validation, the scans must be conducted by an Approved Scan Vendor (ASV). This can be done using either the Barclaycard Data Security Manager (DSM) service or Proactive Security Service (PSS). Or if you prefer, you can use an ASV listed with the PCI security standards organisation (see below for details). If you use another ASV, you must upload the technical report which demonstrates a ‘Pass’ status to the DSM portal each quarter.

Level 4 merchants

What qualifies a merchant as level 4?

eCommerce-only merchants processing fewer than 20,000 payment card transactions per year, or
Non-eCommerce merchants processing up to one million payment card transactions per year.

How can level 4 merchants comply?

Here’s how the process works:

Within 1 month of opening your merchant account, we’ll assign you an account on the DSM portal. We’ll send your login details by post.
We’ll charge a fee for DSM to your account in the month you join the service. See your Charges and Fees document for more information on this.
We give you a 90-day grace period so you have time to: log into DSM, register, complete your profile, complete the assigned self-assessment questionnaire (SAQ), then attest your compliance at the end of the process. (Note: You must attest your compliance a minimum of every 12 months).
If you haven’t reported your compliance via the DSM portal within 90 days of joining DSM, we’ll automatically upgrade you to the hand-held service, PSS. From there, we’ll be in touch to guide you through the steps you need to take to achieve compliance every year. See your Charges and Fees document for how much this service costs.
If you’d like to request an upgrade to the PSS at any time, give us a call on 0330 058 3940 and our specialist team will be happy to help.
You can opt out of this service if you prefer to stay on DSM, however, this means that in addition to the Data Security Fee, you could be charged for non-compliance, which could work out more expensive overall. For more information, see your Charges and Fees document.
If you choose to use an alternative PCI assessor for reporting your compliance, you'll still need to upload your Attestation of Compliance or your Self-Assessment Questionnaire to the DSM portal in order to provide evidence of your compliance status to us.

How to comply with PCI DSS

There are twelve general requirements that form the PCI Data Security Standard (taken from the PCI SSC website). This PCI compliance checklist breaks down what you need to know into headers and gives pointers on actions you need to take.

Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel

After profiling your payment environment, your compliance assessor will give you specific actions you need to take, all of which will be based around the twelve principles laid out in the PCI compliance checklist.

How we can help with your compliance

Barclaycard customers enjoy these benefits:

A dedicated Payment Security team who are happy to help with any queries you have
Information and guidance about the PCI DSS, payment security and fraud
Access to a PCI DSS compliant payment gateway solution
Barclaycard staff members on the PCI SSC Advisory Board, providing a voice for you, the merchant
For Level 1 and Level 2 merchants, we assign you a Payment Security Manager, who will support you throughout the PCI DSS compliance process
For Level 3 and Level 4 merchants, you can access our self-assessment services (see below for more information).

Barclaycard Data Security Manager

Data Security Manager is our online portal¹ which provides level 3 and 4 merchants with all the tools and resources they need to be able to report their PCI DSS compliance each year.

For just £4.80 per month, per attestation point*, you get:
Access to the online portal. The portal takes you step-by-step through registration, profiling your business, completing the assigned Self-Assessment Questionnaire (SAQ), and completing your Attestation of Compliance.
Access to a team of trained advisors. You can speak to us via the portal’s live chat feature, or by phone if you have any issues or questions.
Access to a Qualified Security Assessor (QSA) as a referral, if needed.
Access to quarterly vulnerability scans to help you stay compliant with PCI DSS, if you need it.

* ‘Attestation point’ refers to the level at which you report your compliance, i.e. one single attestation for a number of outlets or an individual attestation for each outlet

For help with using Data Security Manager, contact the DSM Help Desk either by using the online live chat feature at barclaycard.co.uk/dsm, or by calling 0844 811 0089 (Mon–Fri, 8am–8pm, and Sat 9am–12pm).

¹To use DSM, the Minimum browser requirement: Microsoft Internet Explorer 8, Firefox 4.0 and Safari 5.0 and above. Flash Versions: Adobe Flash Player 8 and above or Adobe Flash Player Plugin for Firefox. The Data Security portal is an online service. If you do not have access to the internet, please call the Data Security Helpdesk on 0844 811 0089.

Barclaycard’s Proactive Security Service

PSS provides a dedicated point of contact to guide you through everything you’ll need to report your compliance with the PCI DSS every year; from correctly profiling your business to ensure the relevant SAQ is completed, to reminding you every time you need to take action to maintain your compliant status.

If any weaknesses in your cardholder data environment are discovered during your conversations with the PSS team, you’ll receive advice on the essential steps to remedy the situation quickly and efficiently in order to comply with the PCI DSS.

The service has been designed to save you time and effort and provide ongoing support with every PCI DSS related task, every year.

In addition, this service is packed with cybersecurity tools to help you strengthen your data environment and go further towards maintaining that all-important compliant status.

To find out more about how Barclaycard’s Proactive Security Service can help you, call 0330 058 3940 (Mon–Fri, 8am–8pm, and Sat 9am–12pm).

To use the Proactive Security Service, your operating system must be a version currently supported by Microsoft (i.e. Windows), Apple (i.e. Mac OS) or Google (i.e. Android mobile). Please call 0330 058 3940 to verify suitability.

How much does it cost to become PCI DSS compliant?

Unfortunately, there’s no simple answer to how much it costs to become compliant with the PCI DSS. It all depends on the security you have in place at the moment, and how much it needs to change for you to become compliant.

PCI DSS compliance costs typically fall into three categories:

Technology upgrades, such as applications, networks, firewalls and monitoring tools
Validation costs, such as assessments, audits and network scans
Compliance maintenance, including keeping up with the development of the standard and information security, checking policies are in place and being adhered to, and making sure documentation is up to date

Complying with PCI DSS isn’t just about ticking boxes. Any changes you make in order to comply also mean you’re upgrading the security and efficiency of your systems, so you can attribute these to your bottom line as infrastructure costs, as opposed to a PCI DSS entry.

The total cost for these upgrades will vary depending on the size, scope and setup of your organisation. Typical expenses for PCI DSS validation would be:

On-site audits

These are mandatory for Level 1 merchants, or merchants who have been compromised. An on-site audit needs to be performed by a Qualified Security Assessor (QSA), or a qualified internal assessor. This could cost upwards of £10,000.

The final cost depends on how much work the QSA has to do, and whether you have the right level of information security resources in house.

Self-Assessment Questionnaires (SAQs)

At Barclaycard, we require all Self-Assessment Questionnaires to be validated by a QSA. For Level 3 or 4 merchants, you can use Barclaycard Data Security Manager or Proactive Security Service to validate your compliance online.

If you’re a Barclaycard customer and you want to use a different supplier for your self-assessment, you will still need to prove your compliance by logging into Barclaycard Data Security Manager and uploading your completed SAQ or signed Attestation of Compliance (we can’t accept paper or emailed copies).

Network vulnerability scans

Network vulnerability scans need to be done by an Approved Scanning Vendor. These tend to cost around £100 per external facing IP address.

Customers using Barclaycard Data Security Manager or Proactive Security Service get scans for up to 10 IP addresses included in their monthly management fee.

The cost of non-compliance

While it may seem expensive and painful to become PCI DSS compliant, a data breach can cost far more than the cost of compliance. Sometimes costs can run into the millions, and even result in bankruptcy. Not to mention the potential damage to your organisation’s reputation.

Third party compliance

If you’re a merchant

It’s not just your business that needs to be PCI DSS compliant. If any third party suppliers handle your cardholder data, they also have to comply with PCI DSS.

Ask yourself this:

Do any of my suppliers directly or indirectly process, store or transmit my customers’ cardholder data?
Do they have an impact on the security of my customers’ cardholder data?

If the answer to either of these questions is yes, the PCI DSS also extends to these suppliers. So if any third party suppliers aren’t proven to be compliant, and there’s a data breach involving your customers’ cardholder data, you will share responsibility for any damages. That’s why it’s important to only work with PCI DSS-compliant suppliers.

Third parties may include those that supply:

Hardware. Tills, EPOS systems, card machines/POS systems/PDQ machines
Software. Online shopping carts, billing platforms
Hosting. Web hosting, data storage, data transmission
Processing. Payment service providers, payment processing bureaux, payment gateways

If you’re a third party supplier

If you’re a third party (or if you work with a third party) who supplies services that could impact the security of cardholder data, you need to take the following steps:

Register with the card schemes and inform them of your PCI DSS compliance:
- Register as a Third Party Agent with Visa
- Register as a Service Provider with MasterCard
Make sure you have an enforceable agreement with the merchant, acknowledging that each party (Service Providers/Merchant Agent/Third Party) is responsible for their security of payment card data under their respective control, as required by the PCI DSS.
Create an incident response plan for the event of a system breach. Find out more about how to respond to a data breach.
Implement the incident response plan, and be prepared to respond immediately to a system breach. If you suspect a compromise, notify the merchant immediately, so they can inform their acquirer, who will then tell the Card Schemes to take action

Payment applications

If you buy payment applications which store, process or transmit cardholder data, they must be compliant with the Payment Applications Data Security Standard. You can see a list of these officially validated applications on the PCI SCC website.

Latest news

Here are some good places for keeping up to date on what’s happening in the industry:

If you don't have Adobe Reader installed on your computer, download it here for free:
Get Adobe Reader

If you still have questions, please visit our payment security FAQs page.

Next up, we recommend reading How to deal with a data security breach.

How to become PCI DSS compliant (including a PCI compliance checklist)