How to Become PCI Compliant: Your Roadmap to Certification

  • April 05, 2022

If your business needs to become PCI compliant, you may be wondering what the process looks like and how to prepare.

This article explains what first-timers need to know about achieving PCI compliance. Find out how to determine the compliance level you need, the requirements you must satisfy, and how much time and money to budget.

PCI DSS is the standard for safeguarding cardholder data

The Payment Card Industry Data Security Standard (PCI DSS) is designed to protect credit, debit, and cash card data against theft and fraud. It applies to any organization that processes, stores, or transmits payment card information. It also applies to any organization that can impact the security of payment card transactions, such as third-party service providers. 

The PCI DSS was created in 2004 by card brands American Express, Discover, JCB International, Mastercard, and Visa Inc. to help businesses protect cardholder data and build trust with customers.

The PCI DSS includes security best practices like using encryption for stored cardholder data, network firewalls, and anti-virus software. The framework currently consists of 6 objectives, 12 requirements, and more than 300 controls. The PCI Security Standards Council (PCI SSC) is in the final stages of developing version 4.0, which is expected in Q1 2022.

Non-compliance with PCI DSS comes with some serious consequences. Beyond the risk of a security breach itself, your company could face monthly fines from payment processors of up to $100k, not to mention the loss of reputation and revenue.

Levels of PCI DSS compliance

There are two types of organizations categorized within PCI DSS: merchants and service providers. 

  • Merchants are organizations that accept card payments in exchange for goods and services. 
  • Service providers are organizations that process, transmit, or store cardholder data on behalf of another company. This also includes organizations that can impact the security of cardholder data.

There are multiple levels of PCI DSS compliance based on the number of credit, debit, and cash card transactions processed annually or your responsibility to meet requirements from your customers or acquiring banks.

PCI DSS compliance requirements

PCI DSS outlines 12 requirements for handling cardholder data and maintaining a secure network, organized into 6 objectives. Organizations must meet all of these requirements to achieve compliance. 

Objective 1: Build and protect a secure network

PCI DSS requires organizations to secure their network and to change default system settings and passwords. Examples of network security controls include:

  • Implementing firewall and router configuration standards to restrict all untrusted traffic.
  • Prohibiting public access between the internet and any system components of the internal cardholder data environment.
  • Installing personal firewall software on in-scope workstations.

Default user accounts and passwords for network devices, systems, and payment card infrastructure are easy to find, so it’s also required to review and change these default settings.

  • Always change vendor-supplied default accounts. You'll also need to remove unnecessary accounts before installing the system on the network.
  • Use industry-standard configurations for system components and address all known security vulnerabilities.
  • Keep an inventory of all systems and software that’s in scope for PCI DSS.

Objective 2: Protect cardholder data

Safeguarding cardholder data is the primary purpose of PCI DSS. Organizations must protect cardholder data whether it’s stored locally, on the cloud, or transmitted over the internet.

Cardholder data should not be stored unless it is a business need. If primary account numbers (PANs) are stored, they must be rendered unreadable.

  • Limit cardholder data retention time to what’s required for business, legal, or regulatory purposes. Review and delete unneeded cardholder data on a quarterly basis.
  • Implement key management processes and procedures for keys used to encrypt cardholder data.
  • Do not store sensitive authentication data.

Payment card data must be secured with strong cryptography whenever it’s transmitted over an open or public network.  Unprotected PANs should never be sent by end-user messaging technologies.
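One practical control behind this objective is scanning logs and data stores for unmasked PANs, so cardholder data that is stored without a business need (or leaked into debug logs) can be found and removed. The Python below is an added example, not code from the article or from Secureframe: it uses a Luhn check to weed out look-alike numbers such as order ids, and masks hits to the first six and last four digits, the maximum PCI DSS allows to be displayed. The log lines are constructed, and the card numbers are the publicly documented test numbers, not real cards.

```python
import re

# Luhn checksum: every valid payment card number passes it, so it filters out
# most 13-19 digit strings (order ids, phone numbers) that merely look like PANs.
def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display limit)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return the unmasked, Luhn-valid PANs found in text (digits only)."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a log line with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, line)

# Constructed sample log lines; the order id fails Luhn, the card numbers pass.
SAMPLE_LOG = [
    "2022-04-05T10:01:02Z checkout ok order=900123456789012 amount=42.00",
    "2022-04-05T10:01:03Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/24",
    "2022-04-05T10:02:11Z support ticket ref 5555-5555-5555-4444 customer callback",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(("PAN FOUND " if find_pans(line) else "clean     ") + redact_line(line))
```

Run it over real log exports as a quarterly retention check; any line flagged as "PAN FOUND" is cardholder data stored outside the intended environment.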

Objective 3: Create a vulnerability management program

Vulnerability management programs monitor the cardholder data environment to uncover weaknesses. This includes running anti-virus software on all systems commonly affected by malware.

  • Anti-virus software must be current, perform periodic scans, and generate audit logs.
  • Anti-virus software should always be running and cannot be disabled.

Security vulnerabilities in production applications should also be continuously monitored. The software development cycle should include change control procedures and cybersecurity measures.

  • Establish a process to identify cybersecurity vulnerabilities using reputable outside sources.
  • Protect systems from known external vulnerabilities by installing applicable vendor security patches.
  • Perform vulnerability assessments on web applications, or use a web application firewall.

Objective 4: Apply strong access control measures

Cardholder data should only be accessed by authorized personnel. Systems and business processes must be put in place to ensure access is on a need-to-know basis.  

  • Create policies and procedures to ensure proper user identification and access management.
  • Use strong authentication methods such as MFA.

Physical access to cardholder and customer data must also be restricted on a need-to-know basis.

  • Develop a secure visitor process, such as assigning ID badges and keeping visitor logs.
  • Maintain strict control over the access and distribution of media.
  • Protect devices that capture payment or credit card data from tampering and substitution.

Objective 5: Regularly monitor and test networks

In the event of a data or security breach, audit logs are critical for determining what went wrong. PCI DSS requires organizations to be able to track activity within the cardholder data environment.

  • Keep audit logs that link all access and changes to individual users.
  • Record audit trail entries for specific security metrics and events.
  • Review audit logs and security events daily to identify anomalies.
  • Keep logs for at least 1 year, with the past 3 months immediately available.

Systems and applications should also be tested frequently to ensure the environment is secure.  

  • Run quarterly internal and external network vulnerability scans, and rescan after any major change. External network scans must be performed by an Approved Scanning Vendor (ASV); the PCI SSC publishes a list of approved ASVs.
  • Conduct an annual penetration test.

Objective 6: Create a policy for information security

Strong security policies and procedures are the foundation of a robust security posture. 

  • Establish, publish, and maintain a formal information security policy.
  • Develop a usage policy for critical technologies. This policy should define proper use for remote, wireless, and internet access.
  • Define security responsibilities and PCI DSS training for all personnel.
  • Create an annual risk assessment process to identify critical assets, threats, and vulnerabilities. This process should also include a remediation plan.

Steps to becoming PCI compliant

Step 1: Identify the level of compliance you need 

PCI DSS has different levels of compliance depending on a few factors:

  • Size of your organization
  • Number of annual credit card transactions
  • Requirements from your customers or acquiring bank

The first step on the road to certification is determining which level of compliance you need. 

The entity that requires your PCI compliance (customers, acquiring bank, credit card companies) will usually specify in their request that you perform either a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ).  

If you don’t receive a specific request, you can use these questions to determine your level of compliance.

First: are you a merchant or a service provider?

  • Merchants are organizations that accept card payments in exchange for goods and services. E.g., e-commerce companies. 
  • Service providers are organizations that handle payment processing on behalf of another company. 

Next, how many transactions do you process annually?

  • Merchant Level 1: More than 6M transactions
  • Merchant Level 2: 1-6M transactions
  • Merchant Level 3: 20k-1M transactions
  • Merchant Level 4: Less than 20k transactions
  • Service Provider Level 1: More than 300k transactions
  • Service Provider Level 2: Less than 300k transactions

PCI SAQ vs RoC

PCI-RoC applies to Merchant Level 1 and Service Provider Level 1 organizations. If you don’t fall into these categories, you’ll need to complete an SAQ. 

The SAQ has two parts:

  • A set of self-guided questions designed to assess your level of compliance
  • An Attestation of Compliance (AoC). This document requires you to attest that you're both qualified to perform the SAQ and have done so.

The three main types of SAQs are:

SAQ A

SAQ A is for any e-commerce organization where payment cards are not present during the transaction. All cardholder data functions are outsourced to a third-party service provider. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises.

SAQ A-EP

SAQ A-EP is also for e-commerce merchants who outsource all payment processing to PCI DSS-compliant third parties. No cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. However, A-EP organizations do have websites that can impact the security of the payment transaction.

SAQ D

All merchants who don’t fit into one of the categories above will need an SAQ D. All service providers who are eligible to complete an SAQ will also need an SAQ D.

Step 2: Complete a readiness assessment

To prepare for an assessment, you'll need to make sure policies and procedures are in place and will be followed during the audit period. You'll also need to complete an ASV scan and/or penetration test.

At this point, most organizations opt to complete a readiness assessment with a Qualified Security Assessor (QSA). This PCI DSS expert will determine if your scope, controls, and processes are ready for audit.

Step 3: Complete a Self-Assessment Questionnaire or RoC

If you are a Level 1 Merchant or Service Provider, you’re required to complete an annual Report on Compliance (RoC). This is an external audit performed by a QSA.

They will review your policies, processes, controls, and evidence to decide if you meet PCI DSS requirements.  

If you do not need a Report on Compliance (RoC), you’ll complete an SAQ. This document walks through each PCI DSS requirement and the testing expected for it, and asks you to state whether each control is:

  • In place
  • In place with a compensating control (your organization can't meet a requirement as stated due to technical or business constraints, but has mitigated the risk in other acceptable ways)
  • Not in place
  • N/A
  • Not tested 

Step 4: Maintain certification

Both the RoC and AoC are valid for one year. To maintain certification, you’ll need to complete an SAQ or RoC annually. Here are some other periodic tasks you’ll need to plan on throughout the year to maintain your PCI certification:

  • Daily tasks: Review logs and any alerts to identify anomalies or suspicious activity. 
  • Weekly tasks: File integrity monitoring scans (with critical file comparisons) must be run at least weekly. 
  • Monthly tasks: Install any vendor-supplied security patches to keep system components and software protected from known vulnerabilities. 
  • Quarterly tasks: Review user access, scan for unauthorized wireless networks, and verify that data outside of the retention period has been deleted. You will also need to conduct vulnerability scans with an Approved Scanning Vendor (ASV). 
  • Biannual tasks: Review firewall and router configurations.
  • Annual tasks: Review and re-approve policies, require employees to acknowledge the Information Security Policy, and conduct a risk assessment and pen test. Secure code training for developers and security awareness training for employees should also be completed.

Get PCI compliant with Secureframe

When it comes to protecting customer data and credit card information from data breaches, PCI DSS is the foremost security standard. Achieving certification protects both your customers and your business from evolving threats. But with such rigorous standards, the process of achieving certification can be stressful and intimidating. 

Our compliance automation platform simplifies the PCI compliance process from start to finish. With Secureframe, you can build PCI-compliant policies from our library of templates, train your employees, automate evidence collection, and continuously monitor your PCI controls. Request a demo to learn more. 
