Summit DNC Engineering · March 23, 2026 · 13 min read

# PCI DSS Compliance: IT Requirements for Retail and E-Commerce Businesses

If your business processes, stores, or transmits credit card data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance risks fines of $5,000-$100,000 per month, increased processing fees, and loss of the ability to accept credit cards.

## PCI DSS 4.0 Overview

PCI DSS 4.0 (effective March 2025) has 12 requirements organized into 6 goals:

### Build and Maintain a Secure Network

  • **Requirement 1:** Install and maintain network security controls (firewalls)
  • **Requirement 2:** Apply secure configurations to all system components

### Protect Account Data

  • **Requirement 3:** Protect stored account data (encryption, masking, retention limits)
  • **Requirement 4:** Protect cardholder data with strong cryptography during transmission

### Maintain a Vulnerability Management Program

  • **Requirement 5:** Protect all systems and networks from malicious software
  • **Requirement 6:** Develop and maintain secure systems and software

### Implement Strong Access Control Measures

  • **Requirement 7:** Restrict access to system components by business need-to-know
  • **Requirement 8:** Identify users and authenticate access (MFA required for all access to the CDE)
  • **Requirement 9:** Restrict physical access to cardholder data

### Regularly Monitor and Test Networks

  • **Requirement 10:** Log and monitor all access to system components and cardholder data
  • **Requirement 11:** Test security of systems and networks regularly

### Maintain an Information Security Policy

  • **Requirement 12:** Support information security with organizational policies and programs

## Practical IT Actions

### Network Segmentation

The most impactful step you can take to simplify PCI compliance:

  • **Isolate the Cardholder Data Environment (CDE)** — Payment terminals, POS systems, and any system that touches card data must be on a separate network segment (VLAN)
  • **Firewall between CDE and corporate network** — All traffic between CDE and other networks must be explicitly permitted and logged
  • **No direct internet access from CDE** — Payment processing traffic goes through a defined, monitored path
  • **Reduces scope** — Segmentation means only the CDE segment must meet PCI requirements, not your entire network
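The three segmentation properties above (every CDE crossing explicitly permitted and logged, no direct internet path from the CDE, default deny) can be checked mechanically before a rule set is pushed to the firewall. The script below is an added example, not Summit DNC's tooling: the `Rule` structure, the segment names (`cde`, `corp`, `internet`, `payment-gateway`) and the sample rule sets are all constructed for illustration, and a real deployment would map them onto the vendor's exported policy.

```python
"""Audit a firewall rule set for the CDE segmentation properties described above.

Added example with a constructed rule format; not a vendor's or Summit DNC's tool.
Rules are evaluated first-match, so the final entry is the default behaviour.
"""
from dataclasses import dataclass
from typing import List

CDE = "cde"                          # VLAN holding POS terminals and payment systems
CORP = "corp"                        # corporate user network
INTERNET = "internet"                # anything outside the organisation
PAYMENT_GATEWAY = "payment-gateway"  # the processor's endpoints, a named firewall object (assumed)


@dataclass(frozen=True)
class Rule:
    src: str      # segment name, or "any"
    dst: str      # segment name, or "any"
    action: str   # "permit" or "deny"
    log: bool     # whether matches are logged


def touches_cde(segment: str) -> bool:
    """A wildcard segment implicitly includes the CDE."""
    return segment in (CDE, "any")


def audit_segmentation(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the rule set passes all three checks."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        # Check 1: every permitted flow into or out of the CDE must be logged.
        if (touches_cde(r.src) or touches_cde(r.dst)) and not r.log:
            findings.append(f"rule {i}: permitted {r.src}->{r.dst} flow touching the CDE is not logged")
        # Check 2: the CDE may not reach the internet directly; only the payment gateway.
        if touches_cde(r.src) and r.dst in (INTERNET, "any"):
            findings.append(f"rule {i}: CDE has direct internet access via {r.src}->{r.dst}")
    # Check 3: the rule set must end with a logged deny-all so that anything
    # not explicitly permitted is dropped and recorded.
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "any" and last.dst == "any" and last.log):
        findings.append("rule set does not end with a logged deny-all")
    return findings


# Constructed sample rule sets.
GOOD_RULES = [
    Rule(CDE, PAYMENT_GATEWAY, "permit", log=True),  # payment traffic on its defined path
    Rule(CORP, CDE, "permit", log=True),             # back-office management, explicitly allowed
    Rule("any", "any", "deny", log=True),            # default deny, logged
]
FLAT_RULES = [
    Rule("any", "any", "permit", log=False),         # the "flat network" failure
]
LEAKY_RULES = [
    Rule(CDE, INTERNET, "permit", log=True),         # logged, but still a direct internet path
    Rule("any", "any", "deny", log=True),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("flat", FLAT_RULES), ("leaky", LEAKY_RULES)):
        print(name, audit_segmentation(rules) or "OK")
```

Running the script prints `good OK`, three findings for the flat rule set and one for the leaky one. The same checks can run in CI against a policy export so that a rule change that opens the CDE fails review before it reaches production.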

### Encryption

  • **TLS 1.2+ required** for all cardholder data in transit — no exceptions
  • **Encrypt stored cardholder data** — If you must store card data (most merchants should not), use AES-256
  • **Point-to-point encryption (P2PE)** — Use P2PE-validated terminals to remove card data from your environment entirely
  • **Key management** — Encryption keys must be protected, rotated, and access-controlled
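"TLS 1.2+ with no exceptions" is easiest to enforce when the minimum version is fixed in code rather than left to library defaults, and easiest to verify when proxy or scanner output is checked against the same policy. The snippet below is an added example written for this article, not Summit DNC's code: it uses only Python's standard `ssl` module, and the log line format and host names are constructed.

```python
"""Enforce and verify the TLS 1.2+ rule for connections that carry cardholder data.

Added example using the Python standard library; the log format is constructed.
"""
import ssl
from typing import List

# Protocol names as reported by ssl.SSLSocket.version(), most scanners and proxies.
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_cde_tls_context() -> ssl.SSLContext:
    """Client context for any connection that transmits cardholder data.

    The minimum version is pinned explicitly so the policy does not depend on
    the interpreter's defaults; certificate and hostname checks stay mandatory.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_cde_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server context for a service inside the CDE (e.g. a back-office API)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def is_compliant_protocol(version: str) -> bool:
    """Judge a protocol string from a handshake, a scan report or a proxy log."""
    return version in COMPLIANT_VERSIONS


def find_weak_tls(log_lines: List[str]) -> List[str]:
    """Return hosts that negotiated a non-compliant protocol.

    Expects constructed key=value lines such as 'host=x tls=TLSv1.0 status=200'.
    """
    offenders = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if "tls" in fields and not is_compliant_protocol(fields["tls"]):
            offenders.append(fields.get("host", "?"))
    return offenders


# Constructed proxy log sample.
SAMPLE_PROXY_LOG = [
    "host=pos-backoffice.example tls=TLSv1.2 status=200",
    "host=legacy-gateway.example tls=TLSv1.0 status=200",
    "host=api.processor.example tls=TLSv1.3 status=200",
]

if __name__ == "__main__":
    ctx = make_cde_tls_context()
    print("minimum version:", ctx.minimum_version.name)
    print("weak TLS hosts:", find_weak_tls(SAMPLE_PROXY_LOG))
```

A connection attempted through `make_cde_tls_context()` to a server that only offers TLS 1.0 fails the handshake with `ssl.SSLError` instead of silently downgrading, which is the behaviour an assessor will look for; the log check catches the same condition after the fact across systems you do not control directly.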

### Access Control

  • **MFA required** for ALL access to the CDE (new in PCI DSS 4.0) — not just remote access
  • **Unique user accounts** — No shared or generic accounts that access cardholder data
  • **Role-based access** — Minimum necessary permissions for each role
  • **Quarterly access reviews** — Verify that only authorized users have CDE access
  • **Immediate revocation** — Remove access within 24 hours when employees depart or change roles
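The quarterly access review and the 24-hour revocation rule are easy to state and easy to miss in practice; treating them as an automated comparison between the CDE account inventory and the HR departure feed turns them into a repeatable control with evidence. The script below is an added example, not Summit DNC's tooling: the account records, the departure feed and the review date are constructed, and a real run would read them from the directory and the HR system.

```python
"""Quarterly CDE access review as code.

Flags shared accounts, accounts without MFA, accounts not reviewed within 90 days,
and departed users whose access outlived the 24-hour revocation window.
Added example with constructed data; not Summit DNC's tooling.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

REVOCATION_WINDOW = timedelta(hours=24)   # "immediate revocation"
REVIEW_INTERVAL = timedelta(days=90)      # "quarterly access reviews"

# Constructed CDE account inventory, as exported from the POS back office or directory.
CDE_ACCOUNTS = [
    {"user": "alice",    "shared": False, "mfa": True,  "enabled": True, "last_review": datetime(2026, 1, 15)},
    {"user": "posadmin", "shared": True,  "mfa": False, "enabled": True, "last_review": datetime(2026, 1, 15)},
    {"user": "bob",      "shared": False, "mfa": True,  "enabled": True, "last_review": datetime(2025, 9, 1)},
    {"user": "carol",    "shared": False, "mfa": True,  "enabled": True, "last_review": datetime(2026, 1, 15)},
]

# Constructed HR departure feed: user -> time the person left or changed role.
DEPARTURES: Dict[str, datetime] = {"carol": datetime(2026, 3, 1, 17, 0)}

# Constructed review date.
AS_OF = datetime(2026, 3, 23, 9, 0)


def review_access(accounts: List[dict], departures: Dict[str, datetime], now: datetime) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; an empty list means the review found nothing."""
    findings = []
    for a in accounts:
        user = a["user"]
        if a["shared"]:
            findings.append((user, "shared/generic account"))
        if not a["mfa"]:
            findings.append((user, "MFA not enforced"))
        if now - a["last_review"] > REVIEW_INTERVAL:
            findings.append((user, "not reviewed in the last 90 days"))
        left = departures.get(user)
        if left is not None and a["enabled"] and now - left > REVOCATION_WINDOW:
            findings.append((user, "departed user still enabled beyond 24 hours"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    """Run the review against the constructed data."""
    return review_access(CDE_ACCOUNTS, DEPARTURES, AS_OF)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user}: {finding}")
```

The output of each run, together with the sign-off of whoever acted on the findings, is the kind of artefact a QSA or SAQ asks for as evidence that reviews actually happen.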

### Logging and Monitoring

  • **Log all access** to systems in the CDE — logins, failed logins, privilege changes, data access
  • **Centralized log management** — SIEM or log aggregation with tamper-evident storage
  • **90-day online retention** — Logs must be immediately accessible for 90 days
  • **12-month total retention** — Logs must be available (can be archived) for at least 12 months
  • **Daily log review** — Someone must review security events daily (automated alerting counts)
  • **File integrity monitoring (FIM)** — Detect unauthorized changes to critical system files

### Vulnerability Management

  • **Internal vulnerability scans** — Quarterly at minimum, after any significant change
  • **External vulnerability scans** — Quarterly by an Approved Scanning Vendor (ASV)
  • **Penetration testing** — Annual by a qualified assessor
  • **Patch management** — Critical patches within 30 days, all others within 90 days
  • **Anti-malware** — Current, active anti-malware on all systems in the CDE

### Physical Security

  • **Restrict physical access** to CDE systems (locked server room, access control)
  • **Inspect POS terminals daily** — Check for skimming devices and tampering
  • **Visitor logs** for areas containing cardholder data systems
  • **Secure media disposal** — Cross-cut shred paper, degauss/destroy magnetic media

## PCI Compliance Levels

Your compliance requirements depend on transaction volume:

| Level | Annual Transactions | Requirements |
|-------|---------------------|--------------|
| 1 | 6+ million | Annual on-site assessment by QSA, quarterly ASV scans |
| 2 | 1-6 million | Annual SAQ, quarterly ASV scans |
| 3 | 20,000-1 million (e-commerce) | Annual SAQ, quarterly ASV scans |
| 4 | Under 20,000 (e-commerce) or under 1 million (other) | Annual SAQ, quarterly ASV scans (recommended) |

Most small and mid-size businesses fall into Level 3 or 4 and can complete a Self-Assessment Questionnaire (SAQ) instead of hiring a QSA.

## Reducing Your PCI Scope

The less cardholder data you touch, the simpler compliance becomes:

1. **Use a payment processor** — Let Stripe, Square, or your bank handle card data. You never touch it

2. **P2PE terminals** — Encrypt card data at the terminal. Your network never sees unencrypted card data

3. **Tokenization** — Replace card numbers with tokens for recurring billing

4. **iFrame checkout** — For e-commerce, use the processor's hosted payment page instead of handling card data on your server

## Common PCI Failures

1. **Flat network** — No segmentation between POS and corporate network

2. **Default credentials** — Factory passwords on POS terminals, switches, or firewalls

3. **No MFA** — PCI DSS 4.0 requires MFA for all CDE access

4. **Missing logs** — No centralized logging or insufficient retention

5. **Skipped scans** — Missing quarterly ASV scans or internal vulnerability scans

6. **Outdated software** — Unpatched operating systems and applications in the CDE

Summit DNC helps retail and e-commerce businesses achieve and maintain PCI DSS compliance. We implement network segmentation, configure encryption, deploy monitoring, and prepare you for quarterly scans and annual assessments.
