How to Get PCI DSS Certification?

The purpose of PCI DSS is simply to ensure that all companies that accept, process, store or transmit credit card information, are careful to actively maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major payment card brands that formed the Payment Card Industry Security Standards Council (PCI SSC): American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Obtaining PCI DSS certification is not impossible and usually takes companies between one day and two weeks to complete, depending on the complexity of payments within the company and the state of information security. 

Larger more complex companies will usually have an internal IT infrastructure or compliance department to coordinate the PCI compliance process. Smaller companies should ideally take advantage of a compliance management software to steer them safely through the process of gaining PCI DSS for individuals or they can make use of online tools and guidance that are out there. 

PCI DSS certification costs vary greatly by company, but they are generally estimated at $300 annually for a smaller company, whilst a large enterprise may be upwards of $70,000. Being smart with your compliance tools and using automation where possible may relieve you of some of that cost.

Besides being an obligatory compliance, PCI DSS is a worthwhile undertaking with many benefits. For example, PCI DSS will:

• Help keep your data secure
• Deter identity fraud
• Help to avoid costly breaches
• Protect both employees and customers
• Enhance your company’s reputation and trustworthiness.

Here we break down for you the process and components of a PCI DSS compliance. Read on until the end for our expert insider tips for a successful process.

How does PCI DSS work?

Achieving compliance with PCI DSS is a simple process that varies slightly according to the number of credit card transactions a company processes. 

The four main steps are:

1. Scope – Determine the components and systems that should be in the scope for PCI DSS. This is also a good time to determine your merchant level (see below) and appropriate RoC or SAQ (whose meaning will become clear below).

2. Assess- Take inventory of your IT assets, identify all the places cardholder data is found, look at your business processes, security controls and analyze whether there are any vulnerabilities in the system.

3. Repair- Patch any vulnerabilities, secure systems and processes, and remove unnecessary storage of cardholder data.

4. Report- An assessor and/or entity needs to submit the appropriate documentation: an SAQ or RoC (explained in detail below), ASV scanning records, pentest results and any compensating control information.

There are 12 specifications that make up the core requirements:

• Secure your system with firewalls
• Passwords and preferences should be configured
• Keep cardholder information secure
• Ensure that data about cardholders is transferred safely over public networks that are open to the public
• Anti-virus software should be updated regularly
• Systems should be updated regularly
• Access to cardholder data should be limited to those who have a business need to know.
• Each individual with computer access should be given a unique ID
• Physical access to the workplace and cardholder data should be limited
• Logging and log monitoring should be implemented
• Vulnerability scans and penetration checks should be performed
• Conduct documentation and risk assessments

Breaking down the Levels

All merchants will fall into one of four levels, depending on the number of credit card transactions they process annually. According to the level, a merchant will either need to fill out a Self Assessment Questionnaire (SAQ), or undertake a Report of Compliance (RoC) to be approved by a Qualified Security Assessor (QSA). It is worth noting that if a merchant has suffered a breach that resulted in account data compromise, they may be asked by their acquiring bank (the financial institution that initiates and maintains the relationships with merchants that accept payment cards) to fill a higher validation level. 

Another aspect of PCI DSS certification are scans, via an Approved Scanning Vendor (ASV) and penetration test results. These requirements vary according to levels. 

A merchant can determine their PCI compliance level by consulting their merchant services provider or using their providers reporting tools. This should give a clear picture of the number of transactions that take place annually.

Level 1 – Merchants that process over 6 million credit card transactions annually.

Seeing that the purpose of the PCI process is to secure cardholder data, it seems obvious that entities processing data at this level need to be extra vigilant due to the sheer volume of transactions. 

For a level 1 merchant the PCI DSS assessment will consist of an external audit performed by a Qualified Security Assessor (QSA) (or Internal Security Assessor (ISA)). After validating the scope, reviewing documentation and measuring the PCI DSS requirements against your organization, the QSA will submit a Report on Compliance (RoC) to your acquiring bank to validate your compliance with PCI DSS.

Level 2 – Merchants that process between 1 and 6 million credit card transactions annually.

Merchants at level 2 will complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Level 3 – Merchants that process between 20k and 1 million credits card transactions annually.

Merchants at level 3 will also complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Level 4 – Merchants that process less than 20k credit card transactions annually.

As before, merchants at level 4 will also complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Introducing PCI DSS Version 4.0

PCI DSS 4.0 has taken the stage, and it’s a familiar dance with a new partner for compliance teams. We’re in the twilight of v3.2.1, which gracefully exits in March 2024, making way for the solo performance of v4.0. 

Hold the applause; some new requirements only take center stage after March 31, 2025, allowing companies ample preparation time to achieve PCI DSS certification.

PCI DSS 4.0: The Security Evolution

PCI DSS 4.0 brings a more flexible, outcome-based approach to security. As Emma Sutcliffe, SVP, Standards Officer of PCI SSC, notes, “Version 4.0 reinforces core security principles while providing flexibility.” It’s security with a tailored touch. 

Let’s move on with the discussion of how to become PCI compliant.

PCI DSS Compliance Checklist: Requirements in a Nutshell

The twelve high-level requirements, categorized into six sections, get a modern twist in PCI DSS 4.0:

Build and Maintain a Secure Network and Systems:

• install and maintain network security controls.
• apply secure configurations to all system components.

Protect Cardholder Data:

• protect stored account data.
• protect cardholder data with strong cryptography during transmission over open, public networks.

Vulnerability Management Program:

• protect all systems and networks from malicious software.
• develop and maintain secure systems and software.

Strong Access Control Measures:

• restrict access to system components and cardholder data by business need to know.
• identify users and authenticate access to system components.
• restrict physical access to cardholder data.

Regularly Monitor and Test Networks:

• log and monitor all access to system components and cardholder data.
• test the security of systems and networks regularly.

Maintain an Information Security Policy:

• support information security with organizational policies and programs.

PCI DSS 4.0: Compliance Levels

The compliance levels stand strong, each with specific requirements:

Level 1:

• Entities processing over six million transactions undergo an external audit by a Qualified Security Assessor (QSA).

Level 2:

• Businesses processing one to six million transactions complete an annual Self-Assessment Questionnaire (SAQ) and may need quarterly vulnerability scans.

Level 3:

• Merchants handling 20,000 to one million e-commerce transactions follow a similar process as Level 2 with potential quarterly scans.

Level 4:

• Merchants conducting fewer than 20,000 e-commerce transactions or up to one million in-person transactions undergo an annual assessment and may need quarterly vulnerability scans. This level is the commonly sought-after PCI DSS certification for individual, family-run businesses.

Self Assessment Questionnaires

Like most things in life, SAQ’s were not created equal. Whilst there is only one type of Report on Compliance for level 1 merchants, there are, in fact, 9 different SAQ’s for merchants on levels 2-4. It is important that once you have determined your merchant level, you pick the appropriate SAQ.

The SAQ is a validation tool to report the results of your PCI DSS self assessment. It measures your compliance against the appropriate requirements via a series of yes-or-no questions. If you can show compliance with a requirement, that’s simple enough! If you cannot, you will need to provide future remediation details and dates. 

Here are the types of SAQs, as per the official website:

SAQ TYPE	PAYMENT TYPE / DESCRIPTION
A	Card not present merchants, e-commerce or telephone-orders. All payments are fully outsourced with no electronic storage, processing or transmission of cardholder data on the merchants systems or premises at all.
A – EP	E-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but the website could impact the security of the payment transaction. Again, there can be no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises.This type is only applicable to e-commerce channels.
B	Merchants who solely use:Imprint machines with no electronic cardholder data storage and/orStandalone, dial out terminals with no electronic cardholder data storage. This is not applicable to e-commerce merchants.
B- IP	Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.Not applicable to e-commerce channels
C-VT	Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.Not applicable to e-commerce channels.
C	Merchants with payment application systems connected to the Internet, noelectronic cardholder data storage.Not applicable to e-commerce channels.
P2PE	Merchants using only hardware payment terminals that are included in andmanaged via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.Not applicable to e-commerce channels.
D – Merchants	SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
D- Service Providers	SAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.

Top tips for successful compliance with PCI DSS 

• Ensure the vendors handling cardholder information on your behalf are compliant with PCI DSS! If not, your partners and vendors may be putting your systems at risk. Check whether they are PCI DSS compliant, or begin with a risk assessment to see how you can empower your vendors and third parties with tools to remediate that risk.
• Use a PCI DSS compliance checklist to ensure you have fulfilled all of your requirements. This can come in the form of a good compliance management software that will provide automated questionnaires to walk you through the 12 PCI DSS requirements, keeping you organized, suggesting remediation steps, and tracking your progress. This may be the most efficient way to undertake the journey.
• Train employees to adhere to security policies and PCI DSS requirements in order to support your compliance strategy. Anyone in the company working with cardholder data should be informed and understand their importance. This will reduce human error and help keep the transaction environment safe.
• Undertake an internal risk assessment to see where remediation is needed and regularly test systems and processes. This way you will be able to keep up the security standards needed, spread out the work over a larger period of time, and reduce stress- you will be in great shape when audit time comes around!

Centraleyes Automated Risk & Compliance Management Solution

Regardless of your payment arrangement, Centraleyes offers all you need from start to finish, including all self-assessment questionnaires (SAQ).

The Centraleyes platform delivers streamlined, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring to meet the PCI DSS requirements.

In addition, Centraleyes provides a built-in PCI DSS questionnaire and has mapped it back to its control inventory allowing it to share data across multiple frameworks through the platform, which creates time savings, money savings, and more accurate data.

Schedule a demo to see how we can pave the way to PCI DSS compliance.