When it comes to protecting cardholder data from data breaches, PCI DSS is the foremost security standard.
But with such rigorous requirements, the process of achieving certification can be stressful and intimidating, especially if you’re getting certified for the first time.
Where do you begin? Which policies and controls will you need? If you need an audit, how do you know you’re ready?
Understanding the process of getting PCI certified can help you better prepare for a successful audit or self-assessment. That’s why we’ll walk you through each step of the process below.
PCI DSS compliance process
Step 1: Identify the level of compliance you need
PCI DSS has different levels of compliance depending on a few factors:
- Size of your organization
- Number of annual credit card transactions
- Requirements from your customers or acquiring bank
The first step on the road to certification is determining which level of compliance you need.
The entity that requires your PCI compliance (customers, acquiring bank, credit card companies) will usually specify in their request that you perform either a Report on Compliance (RoC) or a Self-Assessment Questionnaire (SAQ).
If you don’t receive a specific request, you can use these questions to determine your level of compliance.
First: are you a merchant or a service provider?
- Merchants are organizations that accept card payments in exchange for goods and services. E.g., e-commerce companies.
- Service providers are organizations that handle payment processing on behalf of another company.
Next, how many transactions do you process annually?
- Merchant Level 1: More than 6M transactions
- Merchant Level 2: 1-6M transactions
- Merchant Level 3: 20k-1M transactions
- Merchant Level 4: Less than 20k transactions
- Service Provider Level 1: More than 300k transactions
- Service Provider Level 2: Less than 300k transactions
Merchant Level 1 and Service Provider Level 1 organizations need to complete a PCI-RoC.
If you don’t fall into these categories, you’ll need to complete an SAQ. The SAQ has two parts:
- A set of self-guided questions designed to assess your level of compliance
- An Attestation of Compliance (AoC). This document requires you to attest that you're both qualified to perform the SAQ and have done so.
- Depending on your PCI DSS level, you may also be asked to have a QSA firm attest to your SAQ.
Step 2: Complete a readiness assessment
To prepare for an assessment, you'll need to make sure policies, procedures, and controls are in place and will be followed during the audit period. You'll also need to complete an ASV scan and a penetration test.
At this point, most organizations opt to complete a readiness assessment with a Qualified Security Assessor (QSA) or with Secureframe. This PCI DSS expert will determine if your scope, controls, and processes are ready for audit.
Step 3: Complete a RoC or SAQ
If you are a Level 1 Merchant or Service Provider, you’re required to complete an annual Report on Compliance (RoC). This is an external audit performed by a QSA. The QSA will review your policies, processes, controls, and evidence to decide if you meet PCI DSS requirements.
If you do not need a Report on Compliance (RoC), you’ll fill out an SAQ. This questionnaire lists each requirement and the expected testing, and asks whether the control is:
- In place
- In place with a compensating control (Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.)
- Not in place
- Not tested
Step 4: Maintain certification
Both the RoC and AoC are valid for one year. To maintain certification, you’ll need to complete a RoC, or an SAQ and AoC, annually.
Here are some other periodic tasks you’ll need to plan on throughout the year to maintain your PCI certification:
- Daily tasks: Review logs and any alerts to identify anomalies or suspicious activity.
- Weekly tasks: File integrity monitoring scans (with critical file comparisons) must be run at least weekly.
- Monthly tasks: Install any vendor-supplied security patches to keep system components and software protected from known vulnerabilities.
- Quarterly tasks: Review user access, scan for unauthorized wireless networks, and verify that data outside of the retention period has been deleted. You will also need to conduct vulnerability scans with an Approved Scanning Vendor (ASV).
- Biannual tasks: Review firewall and router configurations.
- Annual tasks: Review and re-approve policies, require employees to acknowledge the Information Security Policy, and conduct a risk assessment and pen test. Secure code training for developers and security awareness training for employees should also be completed.