PCI DSS compliance: Is hiring a service provider worth it?

Thursday, September 29, 2022

You know it when you feel it. That sense of accomplishment that comes from rolling up your sleeves, digging in and getting your hands dirty. Remodeling a bathroom, planting a vegetable garden: No matter the project, there’s a certain type of validation only do-it-yourself (DIY) work can provide.

But that unique kind of fulfillment can quickly turn to regret. Ask any DIY-er who found themselves in over their heads. They would all likely tell you the same thing: Sometimes, letting experts take the wheel is the right way to go.

But is outsourcing Payment Card Industry Data Security Standard (PCI DSS) compliance to a service provider the right choice for you? By the end of this article, you’ll have the information you need to decide.

Read on to learn:

What is PCI DSS compliance and why does it matter?

If you’re reading this, chances are you have a general idea of what PCI DSS compliance is and why it’s important. But in case you don’t or if you need a refresher, here’s the skinny.

The PCI DSS requirements consist of 12 overarching principles. These principles show businesses that accept debit and credit cards how to reasonably safeguard cardholder data and the transmission of cardholder data. Because the principles describe what security should look like in general, business owners will need to take several steps to comply with each one.

So why go to all of the trouble? Aside from being a good steward of your customers’ most sensitive data, you’ve agreed to it. That’s right.

online shopping icon

Any business — big or small, old or new, e-commerce or brick and mortar — that accepts debit or credit cards has entered into a merchant agreement with the Payment Card Industry Security Standards Council (PCI SSC) .

Part of the agreement stipulates that businesses will comply with the PCI DSS in exchange for the ability to accept cards: a critical business need.

Businesses that break the agreement and experience a data breach could face hard times. The card brands that make up the PCI SSC — Visa, Mastercard, American Express, Discover and JCB International — have the authority to ban a merchant from being able to accept their cards as payment. Considering that the majority of in-store or online purchases are made using debit or credit cards, a banned merchant could have a tough time operating profitably or at all.

One woman working on a laptop

What to expect if you go it alone

Ultimately, complying with the requirements of PCI DSS means evaluating the systems and security measures you have in place to ensure they meet the standard. And it’s not for the faint of heart. Doing it on your own is difficult and time consuming, especially if you’re not well versed in IT or information security. It’s also incredibly easy to make a mistake due to the sheer volume and technicality of the requirements. For these reasons and more, most business owners choose to outsource PCI DSS compliance to a service provider.

But in case you’re still thinking of giving it a go on your own, we’ll cover what that could look like. That way, you get a rough idea of what’s in store. We won’t share every step in detail, but here are just a few tasks you would need to complete to DIY your PCI DSS compliance:

1. Determine your merchant level

Even though all businesses that accept debit and credit cards should comply with PCI DSS, the way they go about it looks different depending on the number of card transactions they or their payment processor run. The PCI SSC categorized these differences by merchant levels. You will need to determine which level best describes your business to understand the scope of your compliance requirements and how often you have to perform an assessment.

It’s also important to note whether your level allows DIY compliance as an option. Businesses with a large number of credit card transactions are typically required to hire a qualified security assessor (QSA).

2. Establish the scope of your cardholder data environment (CDE)

To perform a successful assessment and build a secure network, you first need to determine what you will evaluate. And we’re not just talking about your firewall or anti-virus software. You must identify every part of your network and payments system that is subject to the standard. That often consists of anything or anyone that processes payments, and protects, transmits or stores customers’ debit and credit card data. It also includes people who have physical access to cardholder data.

The PCI DSS refers to this collection of people, security controls and system components as the cardholder data environment (CDE). It often includes — but isn’t remotely limited to — your security policy, routers, network devices, wireless access points, servers, computers, laptops, printers, paper files, images, applications, software programs, code repositories, back-up sites, IT workers, general employees and more.

3. Choose and download the appropriate self-assessment questionnaire (SAQ)

To perform an assessment, you’ll need a roadmap. And that roadmap is the SAQ. Eight versions of it exist, so you’ll need to select the one that’s most applicable to your business. The major differences between them concern whether you accept payments in-person or online, what types of hardware you use, if you store cardholder data and if you outsource payment processing or not.

Once you’ve selected the right SAQ, download it. As part of that download, you’ll also receive an attestation of compliance (AOC) form. You’ll complete it after performing the assessment as a pledge to the accuracy of your results.

staff helping out employee

4. Perform and submit your assessment

Before you get started, review the steps outlined in your SAQ and prepare yourself and your team for the amount of time and effort it will take to complete. Spoiler: It’s going to be a lot.

It’s important to note that just documenting whether you’re compliant isn’t enough to meet the PCI DSS. If you discover that you don’t have critical information security measures in place, you’ll need to strategize, document and implement a plan to correct it before you will be considered compliant.

Because the SAQ also essentially serves as a report on compliance, you’ll need to turn it into the card payment brands we mentioned earlier and other regulatory organizations. When you’ve completed the assessment, submit it — along with any other required or requested documentation, like the AOC — to the organization that’s requesting it. You’ll know who that is based on which merchant level you fall into.

5. Conduct vulnerability scans if necessary

According to the PCI DSS Guide, you may be required to enlist a certified, approved scanning vendor (ASV) to test your website, IP and other digital environments. These tests — or scans — will find vulnerabilities in your IT architecture, prepare a report on the findings and even recommend steps you can take to shore up your security. Your specific merchant level and SAQ will determine if scans have to be performed, how often they should occur and who you should report them to.

6. Keep it going

Perhaps the biggest thing to remember about PCI DSS compliance is that it’s not a one-time task you can cross off of your list. Whether you enlist the help of professionals, or go it alone, PCI compliance has to be a way of life.

As you go through your self-assessment, you’ll see that ensuring everything is up to snuff is about more than checking your firewall or locking a file cabinet. It’s about putting security at the core of your everyday operations and processes.

So what could that look like? Creating an information security policy that requires employees to change default passwords and create strong passwords is a start, along with enabling multi-factor authentication. Enlisting help to regularly conduct penetration testing as a part of ongoing vulnerability management is another potential solution. Ensuring your security policy includes strong access control measures that restrict access to customers’ debit and credit card information — like account numbers and authentication data — is also a good example.

This list isn’t complete, but hopefully it gives you an idea of how you can incorporate PCI compliance into your everyday routine. Whether it’s cybersecurity measures to keep hackers and malware at bay, or security systems that prevent open access to credit card data, vigilance is the name of the game.

You’re either 100% compliant with every standard that applies to your business, or you are not PCI compliant.

One last thing: If you’re still considering DIY-ing PCI DSS compliance, keep in mind that half measures don’t count. You’re either 100% compliant with every standard that applies to your business, or you are not PCI compliant. There’s no such thing as partial credit, so it’s worth devoting as much time and as many resources as necessary to get it right.

That’s especially true if you were to take any of the steps we mentioned above on yourself. If you get any of them wrong, you could end up completing the wrong SAQ, still being in non-compliance and having to start all over again.

using a credit card while using laptop

How enlisting a service provider makes PCI DSS compliance easier

Working with a service provider means letting technology and a team of experts take a lot of the guesswork out of PCI DSS compliance. Based on a few details you provide about your transaction volume, level of risk, security practices and more, they can establish a profile, determine your merchant level and select the right SAQ for your business.

Once you’re ready to begin the assessment, you should be able to rely on a service provider’s solution to guide you through it, flagging any answers that don’t meet the standard or requirement, and helping you troubleshoot steps you can take to fix it. Once you’ve taken the required action and updated your answer, the system should let you know when it is correct.

The right solution will also take the information from your profile and pre-populate relevant parts of the assessment so you don’t have to answer as many questions. It should also be powerful enough to perform a vulnerability scan with the click of a button. Finally, the best tools will help you maintain compliance in real time — alerting you to any requirements you may need to address as they come up. A simplified questionnaire, easy scanning, helpful reminders and the peace of mind that comes with it? Yes, please.

While DIY has its time and place, ensuring your business complies with PCI DSS is something best left to the experts. If you would like to learn more about how Heartland can do all of this for less than our competitors, drop us a line.


Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us