Step by Step Guide to PCI DSS Compliance

Define Environment
• Read the PCI DSS Standard
• Map the end-to-end data flow
• Identify Third Parties

Gap Analysis
• Start Gap Analysis / Funding
• Produce Initial Project Plan / milestones
• Appoint QSA (recommended)
• Notify Barclaycard of milestones & QSA Appointment (all in-house)
• Network scans required? (YES if cardholder data infrastructure is connected to the internet; NO if all in-house)
  • YES: Appoint ASV (if necessary)
  • Notify Barclaycard of ASV Appointment
  • ASV undertakes Network Scan (all externally facing IP addresses should be scanned quarterly)
  • ASV Scan passed? YES: Provide Barclaycard with Exec Summary Report

Finalise Gap Analysis & Remediation Plan
• Complete Gap Analysis (in conjunction with QSA if necessary)
• Define Remediation Activity
• 3rd Parties exist?
  • NO: Provide Barclaycard with Project / Remediation Plan
  • YES: Check all 3rd Parties' contracts (revise contracts if necessary) and check Visa / MasterCard for 3rd party accreditation
    • 3rd Party accredited? YES: Compliant 3rd Parties; Merchant to implement Compliant Solution, using the recommended prioritised steps
    • Otherwise: 3rd Party to implement Compliant Solution, or Merchant to select an alternative compliant 3rd Party

PCI DSS Final Audit
• On site final audit undertaken by QSA, OR
• Self Assessment complete
• Register Compliance with Barclaycard
• Repeat Annually

Prioritisation Checklist for PCI DSS Compliance

Barclaycard recommends that merchants use the following prioritisation checklist to help
plan their compliance programme activity:

1. Undertake an initial evaluation of the anticipated impacts of PCI DSS on the merchant and
its third parties

2. Choose a QSA or ASV (if any internet applications are used)

3. Train resources on PCI DSS (Free Webinars are available from MasterCard)

4. Develop a plan to move towards PCI DSS compliance

5. Remove sensitive authentication data and limit data retention

6. Protect the perimeter, internal and wireless networks

7. Secure applications

8. Protect through monitoring and access control

9. Protect remaining cardholder data (PAN and expiry date) through encryption or masking

10. Achieve and maintain final PCI DSS compliance

Share your plans with Barclaycard, and any actions taken and issues being faced.

Visual Status Matrix for PCI DSS Compliance

Merchant Status / Details

COMPLIANT
• Internal Audit Completed and passed (Level 1)
• Successfully completed SAQ (Level 2-3-4)
• Passing Quarterly Network scans

IN PROGRESS
• Has QSA or agreed Independent Assessment
• Completed gap analysis
• Action plan and remediation plan in place
• Indication of final audit/compliance date
• Passing quarterly network scans (using an ASV)

COMMITTED
• Has QSA or agreed Independent Assessment
• Gap analysis complete and preparing remediation plan / seeking budget
• Performing network scans (ASV)

PREPARING
• Contacted by acquirer
• Gap analysis in progress

NON-COMPLIANT
• Unable to make contact
• Merchant unwilling / unable to progress

Useful Links for PCI DSS Compliance

What? | Who? | Link
PCI Standard Security Council (SSC) web site | PCI SSC |
PCI DSS Standard and supporting documents available for download | PCI SSC | pci_dss.shtml
Free Network Vulnerability Scan | MasterCard | promotions/index.html
Barclaycard Merchant Education & Awareness Programme (Free offline | Barclaycard / MasterCard | pcibarclaycard/index.html
Barclaycard PCI DSS Resource Centre | Barclaycard | security/pci_dss.html
360 Degree View on PCI... A Series of Payment Card Industry Discussions | MasterCard |
MasterCard Merchant Education Programme | MasterCard |
AIS: Visa's compliance | VISA |
MasterCard SDP programme | MasterCard |
OWASP Article: Handling E-commerce Payments | OWASP | Payments
Self Assessment Questionnaire (SAQ) Instructions and Guidelines | PCI SSC | guidelines_v1-1.pdf
SAQ (select type A, B, C or D) | PCI SSC |
List of Approved QSAs | PCI SSC |
List of Approved ASVs | PCI SSC |
List of Certified Service Providers | VISA | certified_service_providers_18082008.pdf
List of Validated Payment Applications | VISA | europe_payment_applications_05092008.pdf