How to Become PCI Compliant for Free

Four Parts:Building a Secure NetworkDeveloping an Information Security PolicyTesting and Monitoring Your NetworkMaintaining Appropriate Documentation

If you own or operate a business – whether online or at a physical location – and accept credit card payments from your customer, you must ensure your systems meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Compliance isn't a legal requirement, but card brands such as Visa and MasterCard may issue hefty fines to merchants who don't maintain the appropriate standards of data security.[1] The processes required to ensure and maintain compliance can be expensive if you contract with one of the many data security companies, but in most cases small business can become PCI compliant for free. However, keep in mind that PCI compliance is not a one-time thing, but an ongoing process with yearly and sometimes quarterly reporting requirements.[2]

Part 1
Building a Secure Network

  1. Image titled Not Be Weird at Work Step 5
    Determine your merchant level. PCI DSS requirements vary depending on how many Visa transactions you process each year.
    • All merchants who accepts direct payment from customers using credit or debit cards falls into one of four merchant levels based on the volume of Visa transactions that merchant processes during a 12-month period.[3]
    • Transaction volume is an aggregate, so if you have more than one store or location operating under the same business entity, you want to look at the total transactions across all of those locations.[4] For example, if you have a brick-and-mortar store as well as a website, you would need to know the total number of Visa transactions in one year at both the store and the website combined.
    • Most small businesses will fall into merchant level 4. This level includes merchants processing fewer than 20,000 Visa transactions online, and any other merchants processing as many as 1 million Visa transactions per year.[5]
    • Level 4 merchants typically can become PCI compliant for free because less elaborate validation documents are required, and merchants can fill out self-assessed questionnaires rather than having to hire an Approved Scanning Vendor (ASV) such as ControlScan.[6]
    • Keep in mind that if you accept credit card payments directly through your website, you still must contract with an ASV for quarterly vulnerability scans – so if you want to maintain PCI compliance without incurring any additional expenses, you must avoid accepting credit card payments directly online.[7] Instead, you might want to build your online storefront through another website, such as eBay or Etsy, that is PCI compliant and will process payments for you.
  2. Image titled Not Be Weird at Work Step 6
    Work with PCI-compliant contractors. If you use other businesses or services, such as your web hosting service, should understand and implement security measures that are in compliance with PCI DSS.
    • Your web host should understand PCI and be able to work with your business to achieve compliance – especially if you plan to offer products for sale online.[8]
    • Keep in mind that for your business to maintain PCI compliance, every vendor, partner, or service provider you work with also must be PCI-compliant if they are exposed to cardholder data.[9]
  3. Image titled Not Be Weird at Work Step 4
    Encrypt data on all computers and servers. If you store sensitive cardholder data, even for a brief period of time, data encryption helps keep that data secure.
    • If at all possible, avoid storing credit card numbers and other such information on your business's computers or on your network at all. If you do, your entire physical system also must meet PCI compliance standards, which can involve spending money to update security features and install additional protection.[10]
    • If you do store cardholder data, you typically will need encryption on all computers and servers your business uses, including backup drives and restoration files.[11]
    • Encryption keeps someone who might steal your computers or hack into them from gaining access to the data stored there without the encryption key.[12]
    • Although encryption programs can be fairly easy to install and implement across your system, you will incur additional costs in the form of user license fees for the program.[13]
  4. Image titled Balance Your Work and Home Life (for Women) Step 6
    Install antivirus software. Keeping your antivirus software up-to-date protects your network and symptoms from viruses and malware.[14]
    • Your antivirus software should be designed to keep anyone from downloading or installing any program unless he or she enters an administrator password. Only provide administrator passwords to essential employees, and change them regularly.
    • Your antivirus software also should be capable of generating audit logs for all processes completed on your computers or network.[15]
  5. Image titled Assess Your Ability to Start a Business Step 2
    Protect your network with firewalls. Firewalls can help prevent hackers from infiltrating your network and compromising cardholder data.[16]
    • Keep in mind that wireless networks are especially vulnerable to hackers. You may find it easier and more cost-effective to use wired networks, particularly for the transmission of sensitive cardholder data.[17]
  6. Image titled Get Into Journalism Step 4
    Use strong passwords. Any vendor or default passwords should be changed immediately to a unique password[18]
    • Your wireless router also should be password-protected to prevent malicious users from accessing and corrupting your network.[19]
    • Keep in mind that the longer a password is, the harder it is to crack. Don't use dictionary words or phrases obviously connected to you, such as your email address, company name, or computer name.[20]
    • There are many services available online that will provide you with randomly-generated hexadecimal passwords, which can provide some of the strongest password protection.[21][22][23] Even if you acquire strong passwords using such a service, you still should change your password frequently.
    • Never write the passwords down on paper or leave them anywhere near the computers where someone could see or copy them.

Part 2
Developing an Information Security Policy

  1. Image titled Balance Your Work and Home Life (for Women) Step 2
    Designate a compliance manager. Your staff should include one person who is responsible for maintaining and testing PCI compliance.
    • Your compliance manager should review the PCI DSS regulations on a regular basis to maintain familiarity with them, and monitor information made available by the PCI Security Standards Council regarding interpretation and implementation of those regulations.[24]
    • Your compliance manager can download the most recent PCI DSS documents from the Security Standards Council's online Documents Library, available at
    • Although PCI DSS applies to all major card brands, each may have slightly different compliance requirements. Your compliance manager should be familiar with the specific standards for every type of card you accept.[25]
    • The general compliance guidelines provided by the Security Standards Council are only the minimum – each card provider can require additional protections. So to ensure you're fully PCI compliant, you must have knowledge of and familiarity with the standards for all the card brands you accept.[26]
    • If your business can't afford to hire someone specifically for this role, you still should have a particular manager on staff who handles PCI compliance. You also can reach out to the bank that processes your credit card transactions – typically referred to as your acquiring bank – and ask how best to comply with the standards. Many of these banks have resources and expert advice that they will offer you free of charge.[27]
  2. Image titled Set Up a Virtual Office Step 4
    Buy and use only approved PIN-entry devices and payment software. Approved and verified devices and software have already met PCI compliance standards.[28]
  3. Image titled Optimize Productivity in a Home Office Step 4
    Change employee passwords regularly. Having a policy of changing employee passwords on a regular basis or when certain events happen can help prevent unauthorized parties from gaining access to your system.
    • Prohibit employees from writing down their passwords or leaving them next to the computer or anywhere someone else could gain access to them.
    • Change all employee passwords anytime an employee leaves your company for any reason, and remove that employee's old password from the system. Allowing someone no longer employed with your company continued access to your system could result in a serious security breach.
    • Have individual employee passwords with levels of access that comport with their role in your business, rather than having generic administrative accounts or giving everyone administrative access.[32]
  4. Image titled Set Up a Virtual Office Step 5
    Train staff on data security. All employees who handle sensitive cardholder data should understand how best to keep that information secure and what to do if a security breach occurs.[33]
    • Make sure everyone knows who the compliance manager is and how to get ahold of him or her if a breach is discovered.
    • Typically your compliance manager also would be in charge of communicating your data security policies and procedures to your other employees and keeping them informed of any changes or updates.[34]
    • Emphasize to staff the importance of keeping cardholder data secure, and sanction employees who violate your information security policies.[35]
  5. Image titled Build Trust in a Small Business Step 6
    Physically secure all paper records. You want to avoid keeping paper records that include cardholder data such as full credit card numbers on paper.[36]
    • Strictly control access to any paper records that do contain any cardholder data.[37]
    • Never write down a customer's full credit card number, particularly with any other identifying information such as his or her name or the expiration date of the card.[38][39]
    • Make sure the customer's full account number is masked on all receipts, including the customer copy.[40]
    • Keep in mind that you may have to install a physical security system including security cameras and door alarms, that may not be covered or included in your property lease. You can prevent these additional costs by not storing cardholder information on your own system.[41]
  6. Image titled Work Better in an Office Step 4
    Create an incident response plan. In the event of a security breach, all managers need to know what steps should be taken immediately to secure your network.
    • Keep in mind that most states have laws requiring notification of cardholders in the event of a data breach.[42]
    • You must check the law of the state or states in which your business operates to determine what sort of notification is required for security breaches.[43][44]
    • You should work with your compliance manager to make sure that any breaches or vulnerabilities that are discovered are patched or remedied as soon as possible after they are first detected.[45]
  7. 7
    Update your policy as needed to address new regulations. When PCI DSS regulations are revised, you need to determine what changes you must make to your system or procedures to maintain compliance.[[Image:Be-a-Business-Analyst-in-Top-


  1. 1
    • Keep in mind that standards have to evolve quickly to stay on pace with advances in technology. Hackers work to break new security protocol the moment it's implemented, so your policy must remain flexible and adaptable to a rapidly changing technological environment


Part 3
Testing and Monitoring Your Network

  1. Image titled Be a Business Analyst in Top Management Step 3
    Conduct quarterly vulnerability scans. If you accept payments directly over the internet, you must scan for security vulnerabilities on the public network.
    • Not all merchants are required to submit quarterly scan reports. If you don't have a store online, or if your online payment processes are entirely outsourced, you don't have to complete these scans to remain PCI compliant.[47][48]
    • However, if your payment processes are only partially outsourced, or if you accept payments directly through a public online network, you do have to complete quarterly scans and file reports.[49][50]
    • Keep in mind that conducting quarterly scans will cost money. You must contract with an approved scanning vendor such as ControlScan to maintain compliance. These quarterly scans typically will cost a few hundred dollars a year.[51][52]
    • If you are required to submit quarterly scans, your acquiring bank may recommend a particular provider. You can go with that company if you want, but it may be worth your time to shop around and see if you can find more cost-effective solutions with another vendor. The only requirement is that the vendor must be approved by the PCI council.[53]
  2. Image titled Develop Basic Journalism Skills Step 12
    Check PIN-entry devices and computers regularly. Hackers can attach "skimmers" or similar devices to your machines to capture credit card data as it is entered by employees or customers.[54]
    • Devices can be placed on the outside of machines and can be virtually undetectable unless you look closely at your machine. Software also can be installed to steal sensitive cardholder data. Make sure you're checking all machines and systems regularly and that your antivirus program forbids the installation of programs or software without an administrator's password.
  3. 3
    Implement visitor logs and automated audit trails. In the event of a breach or problem with a transaction, these logs and trails provide you with information about every time that transaction has been accessed.[[Image:Work-Effectively-and-Keep-


  1. 1
    • Logs should have enough detail to enable you to recreate all individual user accesses to any cardholder data, actions by anyone using an administrator password, any invalid access attempts, and any access to the logs themselves.[55]
    • Each log entry should include user identification, the type of event, the date and time of the event, whether the access attempt succeeded or failed, where the access attempt occurred, and what data was involved.[56]

Part 4
Maintaining Appropriate Documentation

  1. Image titled Work with Pessimists Step 9
    Submit quarterly scan reports. If you're required to complete quarterly vulnerability scans, you must send the reports of those scans to your acquiring banks and all the card brands with which you do business.[57]
    • The report provides evidence that you passed the vulnerability scan conducted by an approved scanning vendor.[58]
    • Every 90 days or at least once per quarter, you must submit a successful scan report to your acquiring bank. Typically the bank will set the schedule that dictates when your reports are due.[59]
  2. Image titled Use Time Management in the Workplace Step 9
    Complete your self-assessed questionnaire (SAQ) each year. In most cases, small businesses are eligible to complete an SAQ rather than paying for more elaborate validation.
    • The SAQ is designed for small businesses, and in most cases you can fill it out yourself, or with assistance from your compliance manager, without incurring any additional costs.[60]
    • The particular SAQ you must fill out each year will depend on the processing methods you use and whether you process your own payments or outsource payment processing to a PCI-validated third party.[61]
    • Your assessment reports should be sent to your acquiring bank as well as every card brand you accept at your business.[62]
  3. Image titled Update a Daycare Business Plan Step 2
    Maintain documentation of all encryption keys and audit trail history. You need to record and keep all cryptographic keys required to access encrypted data in case something happens to your system and you need to restore your data.
    • If you have data encryption on your drives and network, you must maintain proper documentation of the keys so recovery files can be un-encrypted.[63]
    • As with all other data, this documentation should also be secured. If you keep this information in a physical file, it should be kept under lock and key with access strictly restricted and monitored. However, at the same time you must ensure that key people such as your compliance manager can access the information when necessary.[64]
    • Visitor logs should be kept for at least three months, and audit trail history should be kept for at least a year.[65]

Sources and Citations

Show more... (62)

Article Info

Categories: Business