A PCI Compliance Checklist for MSPs

Tips for ensuring your clients take responsibility for their actions

Electronic payments have become the norm for businesses and consumers. The shift towards credit, debit and virtual cards, ACH (direct deposit, direct debit and electronic checks), cryptocurrency and other non-cash transactions had already been accelerating before the pandemic. Adoption of those methods gained even more momentum and greater acceptance following the shutdowns, business restrictions and fears of face-to-face interactions brought on by that global crisis.          

According to a recent McKinsey & Co. survey, 82% of Americans now use a digital or online system to pay for their purchases and recurring bills. While the breakdown of B2B transactions is not listed in that report, market and economic forces are driving more businesses to make and accept contactless payments. The benefits of those systems over cash and paper checks are too hard to ignore.

As younger generations of workers and executives take over purchasing decisions and responsibilities, electronic payments will likely gain even greater traction. According to another recent study, Millennials and Gen Z indicate that debit cards (94%), mobile wallets (82%), and digital payment apps (83%) are their chosen methods of payment. With life-long experience and a high level of comfort using these primarily virtual processes, the latest generation embraces technology in the workplace—and relatively few use paper checks and cash. Most of their payment-related activities involve smartphones or online autopay programs.

Convenience is a major factor. With digital payments, there’s no need to carry cash or balance checkbooks. On the business side, most applications allow users to easily verify and document transactions and export relevant data into corporate accounting and expense programs.

However, as many organizational leaders have discovered over the years, convenience often comes at a premium price. Protecting credit and banking data and transaction details online requires not only attention and due diligence, but critical investments to secure networks, devices and data in transit. Whether hosting card terminals onsite or accepting payments online, every company that processes credit and bank card information must follow very specific rules to protect the processes and systems.

Embracing Industry Standards        

The growth of electronic transactions caught the attention of cybercriminals and scammers nearly twenty years ago. In 2004, as payment fraud began to rise, American Express, Discover Financial Services, JCB International, Mastercard and Visa came together to develop an industry standard to secure customer data and discourage illegal activities. The Payment Card Industry Data Security Standard (PCI DSS) requires every organization that accepts, processes, stores, or transmits credit card information to ensure its proper protection. Compliance is mandatory for every business—failure to meet those rules can lead to the loss of electronic payment privileges and hefty fines.  

While the organizations participating in these programs are ultimately responsible for meeting these mandates, many look to MSPs for solutions and support. PCI DSS outlines specific best practices that every business must follow, and many companies don’t have the knowledge and expertise to implement, manage and periodically test those measures. That situation creates door-opening opportunities for IT services firms with the right skillsets and cybersecurity acumen.      

Businesses need someone to rely on with expertise in PCI DSS. MSPs that can keep end-users on the right track—monitoring compliance, implementing and managing systems, enforcing best practices, and testing systems—are invaluable to companies that accept electronic payments. Safeguards and audits are the heart of PCI-DSS.  

The Payment Card Industry Security Standards Council understands the challenges business face in that arena. Decision-makers updated the requirements in 2018 and then again in 2022 to address the rapidly escalating cybersecurity threats and incorporate the latest processing and storage methodologies. PCI-DSS v4.0 requires companies to implement stronger firewall controls, multi-factor authentication (MFA) for accessing data environments, and flexibility for demonstrating compliance with security objectives.

Those changes are in addition to the original controls, which MSPs can use as a PCI checklist, including:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

The important thing for MSPs to remember is none of these requirements is “one-and-done.” In other words, businesses must maintain these controls continuously, with auditors periodically checking each guideline to protect the processes, systems and data.

Follow the Prescribed Plan

The PCI Standards Council also developed three steps to help businesses (and the IT services providers that support many of those organizations) adhere to their standards. Using these focal points, MSPs can construct the infrastructure and methodologies to safeguard devices, networks, and information. Those steps include the following:

  1. Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
  2. Remediate: Fixing vulnerabilities and eliminating cardholder data storage unless absolutely necessary.
  3. Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.

These three “steps” serve as a guide for the design, construction and ongoing management strategy for PCI compliance. For MSPs, that can spell long-term recurring revenue opportunities and stronger client engagements—a win-win situation for everyone.  


A secure payment gateway, as found with ConnectBooster, helps MSPs comply with these industry rules and best practices and protects online transactions. Locking down payment and credit information in a secure online portal minimizes the risks for MSPs and the clients who entrust them with that data. Protect your customers’ data; schedule a demo with ConnectBooster.

Published October 31, 2022

Subscribe to Stay in the Loop

This field is for validation purposes and should be left unchanged.

See ConnectBooster In Action

See all the ways your business can start saving time and money every single time you collect a client’s payment.