Guest Column | November 1, 2009

PCI Compliance: A Moment In Time


By Sean Kramer, CEO, Element Payment Services

When it comes to PCI compliance, merchants and software vendors alike often make the mistake of viewing their compliance as a "checklist" rather than an ongoing process. Too many people assume that PCI compliance is achieved once. In reality, however, it is maintained through vigilant adaptation to both PCI requirements and evolving security threats.

A closer look at PCI DSS requirements should make it quite clear that compliance is an ongoing exercise. For example, Requirement 1 reads, "Install and maintain a firewall configuration to protect cardholder data." Requirement 5 mandates that you "Use and regularly update anti-virus software." Requirement 6 states that you "Develop and maintain secure systems and applications." Requirement 11 implores that you "Regularly test security systems and processes." And, of course, Requirement 12 states that you must "Maintain a policy that addresses information security."

Clearly, five of the twelve PCI requirements explicitly mention either maintaining or updating, which should make it clear to all paying attention that there is no finality to PCI compliance.

In fact, any proclamation of "PCI compliance" is best viewed as a snapshot of compliance at a specific time. While merchants and software vendors are able to use a variety of means to test compliance at any given date, the truth remains that ongoing compliance requires both vigilance and, often, quarterly and yearly compliance assessments.

Merchants and software vendors must ensure that their processes, or their applications as the case may be, are PCI compliant. But how do you know whether you are PCI compliant? What does "PCI compliant" mean? Well, the answer to those questions is slightly more complicated than it might seem.

Assuming that you have a good understanding of PCI compliance basics, and that you've moved beyond the "checklist" mentality, verifying your compliance involves understanding the ongoing nature of PCI compliance. At its root, PCI compliance is about securing data and, by that process, protecting cardholders/customers. For PCI standards to be effective, periodic re-evaluation and adaptation are imperative.

People sometimes forget that PCI compliance requirements apply to all "system components," and that ongoing assessments, on both a quarterly and yearly basis, are mandatory for most merchants. This means, of course, that any change in hardware or software within your network must meet PCI requirements on an ongoing basis.

PCI compliance is dynamic, requiring ongoing adaptation. PCI compliance starts with a set of 12 basic requirements, it continues with vigilance and adaptation, and it ends with... well, it doesn't end.

About Element Payment Services, Inc.
Headquartered in Phoenix, Arizona, Element Payment Services Inc. provides fully integrated PCI DSS compliant payment processing solutions to merchants through partnerships with leading business management software providers. Focused primarily on helping ISVs navigate through the requirements of PA-DSS compliance, our expert solutions greatly simplify PA-DSS validation, or remove the cost and burden entirely. Through our Compliance Relief Program, Element will cover part, if not all, of the PA-DSS assessment for qualified ISVs. Alternatively, for those who prefer to eliminate the need for compliance, Element's Hosted Payments solution removes ISVs from the scope of PA-DSS, while still enabling a fully integrated payment solution.

For more information about Element, visit