Becoming PCI Compliant for the First Time

Becoming PCI compliant for the first time?

Becoming PCI compliant can be overwhelming if you are unsure of where to start.

With roughly 394 individual controls and testing procedures spread across its twelve requirements, the PCI Data Security Standard (PCI DSS) is a large undertaking, and one that is best tackled with expert assistance.

The first step toward achieving PCI compliance is to have a Gap Analysis performed by a PCI expert. Working with a PCI expert helps you map your business processes and understand how PCI DSS applies to your particular organization. In practice this starts with scoping: identifying every system, network segment and process that stores, processes or transmits cardholder data, or that can affect the security of those systems, since that is the environment the requirements apply to. Your PCI expert will then work through each requirement with you, explain how it relates to your business, and show you how your current security posture would stand up to a PCI audit. The Gap Analysis uncovers any missing pieces in your security and leaves you with a list of recommendations that you can remediate before the audit, so that everything you need to pass is in place.

Once the remediation process is complete, it's time to reconnect with your assessor to begin the PCI audit process.

Your PCI assessor will work with you through each of the PCI DSS requirements, gather the necessary evidence, collect the supporting documentation, and test each control to complete the assessment. Note that the assessor validates your controls; the evidence (configurations, policies, logs, scan results) still has to come from your organization, so keep what you produced during remediation organized and ready to hand over.

PCI DSS compliance means compliance with all of the requirements, which are grouped into the following 12 high-level requirements (the titles below are the wording used in PCI DSS v3.x; v4.0 rewords the titles but keeps the same 12 areas):

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

Once the audit process is completed, you will receive your PCI Report on Compliance (ROC), the assessor's detailed record of how each requirement was tested and met, together with an Attestation of Compliance (AOC). The ROC goes to your acquirer or the card brands; the AOC is the document you will normally share with clients to demonstrate your compliance. Whether a QSA-signed ROC is required at all, or whether a Self-Assessment Questionnaire (SAQ) is sufficient, depends on your merchant or service-provider level and on what your acquirer requires, so confirm this with your acquirer before you start.

If you're ready to start the journey toward PCI compliance, contact a PCI Qualified Security Assessor (QSA), like KirkpatrickPrice. We can guide you through the process, take the stress out of a PCI audit, and help you be confident that you will receive your PCI Report on Compliance.


Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices. The original blog post may be found here.