The purpose of PCI DSS is simply to ensure that all companies that accept, process, store or transmit credit card information actively maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major payment card brands that formed the Payment Card Industry Security Standards Council (PCI SSC): American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Obtaining PCI DSS certification is not impossible and usually takes companies between one day and two weeks to complete, depending on the complexity of payments within the company and the state of information security.
Larger, more complex companies will usually have an internal IT infrastructure or compliance department to coordinate the PCI compliance process. Smaller companies should ideally take advantage of compliance management software to steer them safely through the process of gaining PCI DSS compliance, or they can make use of the online tools and guidance that are available.
PCI DSS certification costs vary greatly by company, but they are generally estimated at $300 annually for a smaller company, whilst a large enterprise may be upwards of $70,000. Being smart with your compliance tools and using automation where possible may relieve you of some of that cost.
Besides being a compliance obligation, PCI DSS is a worthwhile undertaking with many benefits. For example, PCI DSS will:
PCI compliance certification has become an essential aspect of doing business for any company that processes, stores or transmits credit card data. Meeting the standards set forth by the Payment Card Industry Data Security Standard (PCI DSS) ensures that sensitive cardholder information is properly secured. Failure to comply can result in steep fines and reputational damage.
Obtaining PCI compliance certification may seem daunting at first, but breaking the process down into manageable steps makes it much more achievable. In this guide, we’ll walk through the step-by-step process of attaining compliance, from determining your merchant level to completing your SAQ and submitting compliance validation.
Determine Your Merchant Level
The first step to getting PCI certified is determining your merchant level, which is based on your transaction volume over a 12-month period:
- Level 1: Over 6 million Visa transactions or 2.5 million Mastercard transactions
- Level 2: Between 1 and 6 million Visa transactions or 50,000 and 2.5 million Mastercard transactions
- Level 3: Between 20,000 and 1 million Visa e-commerce transactions
- Level 4: Up to 20,000 Visa e-commerce transactions or up to 1 million Visa transactions total
Your acquirer or payment processor can provide details on your processing volume to help you identify your level. Higher-volume merchants have more rigorous compliance validation requirements.
Understand the PCI Data Security Standard
Familiarize yourself with the PCI DSS requirements for securing cardholder data. Version 3.2.1 of the standard consists of 12 overarching requirements:
- Install and maintain firewall configurations
- Change vendor-supplied defaults
- Protect stored data
- Encrypt transmission of data
- Protect systems from malware
- Develop and maintain secure systems and software
- Restrict access to data
- Authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor access
- Test security regularly
- Maintain an information security policy
Each requirement contains several sub-requirements that provide specifics on compliance. For example, Requirement 3 on protecting stored data includes:
- 3.2: Do not store sensitive authentication data after authorization
- 3.4: Render primary account numbers unreadable
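Requirements 3.2 (do not retain sensitive authentication data) and 3.4 (render stored PANs unreadable) are the ones most often broken by accident, usually because a full card number lands in an application log or a support ticket. The Python below is an added example, not part of this guide or of any PCI SSC material: it masks a PAN to the first six and last four digits (the display form the standard permits), derives a keyed one-way hash usable as a storage reference, and scrubs Luhn-valid card numbers out of constructed log lines before they are written to disk. The card numbers are well-known industry test PANs, the log lines are constructed, and the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re

# Constructed sample log. 4111111111111111 is the standard Visa test PAN;
# 4111111111111112 fails the Luhn check; 1234567890123 is an order id.
SAMPLE_LOG = (
    "2024-01-01 12:00:00 auth ok pan=4111111111111111 amount=12.50\n"
    "2024-01-01 12:00:05 auth fail pan=4111111111111112 amount=7.00\n"
    "2024-01-01 12:00:09 order=1234567890123 shipped\n"
)

# Placeholder key; in production this comes from a key-management system,
# never from source code or a config file next to the data.
PLACEHOLDER_HASH_KEY = b"replace-with-managed-key"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest replaced with X."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN for lookups without storing the PAN.

    A plain SHA-256 of a PAN is reversible by brute force (known BIN, Luhn
    structure, ~10^9 candidates), which is why the hash must be keyed.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number; leave it alone
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
    print(hash_pan("4111111111111111", PLACEHOLDER_HASH_KEY))
```

The Luhn filter keeps order numbers and timestamps out of the redactor while still catching a PAN written with spaces or dashes; it will also leave a mistyped card number alone, so a log scrubber used as a real control should be paired with a quarterly search of stored data for anything that looks like a PAN, not relied on as the only line of defence. Note that the masked form is for display only: stored PANs must be truncated, tokenized, hashed with a key, or encrypted, as the requirement states.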
Study the standard to gain a solid grasp of what is involved in meeting each requirement. The PCI Security Standards Council offers training courses that provide in-depth explanations of the standard.
Complete the Self-Assessment Questionnaire
Once you understand the PCI requirements, the next step is to validate your compliance by completing a Self-Assessment Questionnaire (SAQ). There are several types of SAQs (A, A-EP, B, B-IP, C, C-VT, D, and P2PE) tailored to different merchant scenarios.
Most level 4 merchants can use SAQ A or A-EP, which are the simplest validation options. Higher-volume merchants will need to complete SAQ D. Select the SAQ appropriate for your business.
Thoroughly respond to each question on your SAQ, providing detailed explanations of your security controls and procedures. Collecting evidence to support your responses upfront will help avoid delays.
Submit Compliance Validation
How you submit your compliance validation depends on your merchant level:
- Level 4: Submit your completed SAQ and Attestation of Compliance to your acquirer.
- Level 3: Submit SAQ, Attestation of Compliance and results of quarterly network scan to your acquirer.
- Level 1 and 2: Must undergo an onsite assessment by a Qualified Security Assessor (QSA). The QSA submits the Report on Compliance to the acquirer and PCI SSC.
Keep proof of submission. Your acquirer will validate that you have satisfied your compliance validation requirements.
Achieve PCI Certification
Once you have submitted your completed validation documents, you have officially achieved PCI compliance certification! This certification is valid for one year, after which you must revalidate annually.
To stay compliant, you must:
- Continue following all PCI DSS requirements
- Complete scans and submit compliance validation yearly
- Update your compliance any time changes are made that impact your PCI scope
Leverage PCI Resources
The PCI Security Standards Council offers many resources to assist with your compliance efforts:
- Document library – Includes PCI standards, guidance docs, SAQ templates, and more
- Blog – Up-to-date PCI news and best practices
- Threat Center – Details on emerging threats and vulnerabilities
- Merchant resources – Guides, videos, and tools for merchants
- Assessor listings – Find Qualified Security Assessors (QSAs)
- Training – Courses for PCI awareness to advanced qualifications
Be sure to stay on top of new PCI requirements and understand changes that may impact your compliance obligations. Sign up for update emails and industry newsletters.
Consider Getting Professional Certification
While not required for PCI compliance, getting personally certified by the PCI Security Standards Council demonstrates your expertise.
Earning a certificate like PCI Professional (PCIP) or Qualified Security Assessor (QSA) can give you greater credibility and opportunities in the field.
The PCIP credential provides foundational PCI knowledge for those starting out. QSAs perform merchant PCI assessments. Other role-based certifications are also available.
Check the qualification requirements and enroll in training courses to prepare for the exams. Certification can enhance your ability to support and lead PCI programs.
Maintain Your Compliance Long-Term
Achieving that initial PCI certification is just the first step. Effective security requires ongoing vigilance and improvement.
Stay on top of emerging threats and vulnerabilities. Monitor compliance controls and address any gaps. Keep staff trained on PCI protocols and assess retention. Update security as business needs evolve.
Leverage scanning and monitoring technologies to better identify risks and threats. Promote security as an ongoing company priority rather than a checkbox.
With the proper discipline, PCI compliance can become a sustainable business practice rather than an annual scramble. A continuous security focus ultimately reduces risk exposure and protects sensitive cardholder data.
Key Takeaways on Getting PCI Certified
- Know your merchant level and validation requirements
- Understand all PCI DSS requirements for securing card data
- Complete your SAQ truthfully with detailed explanations
- Submit SAQ and required validation per your merchant level
- Maintain compliance with mandatory annual revalidation
- Leverage PCI Council resources like training and assessments
- Consider getting professionally certified in PCI standards
- Focus on continuous security monitoring and improvement
Achieving and maintaining PCI compliance certification requires an ongoing commitment, but following this step-by-step guide will put you on the path to success. The investment will pay dividends in improved security, risk reduction, and customer trust and confidence.
Level 4 – Merchants that process less than 20k credit card transactions annually.
As before, merchants at level 4 will also complete an annual Self-Assessment Questionnaire (SAQ). No external audit is needed. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an Attestation of Compliance (AoC) form.
Maintain an Information Security Policy:
- Support information security with organizational policies and programs.
PCI Compliance 101 – What is PCI Compliance, and How to Become PCI Compliant
How do I get a PCI Compliance Certification?
If you’re interested in getting your PCI compliance certification, here are some steps you can take:
1. Determine your certification level
The different PCI compliance levels affect the requirements you must meet to satisfy PCI policies. Research the guidelines to determine which level applies best to your company.
Who is PCI compliant?
Any merchant involved in processing, storing or transmitting credit card data is required to be PCI compliant, according to the PCI Security Standards Council. There are four different levels of compliance, and your level is determined by the number of card transactions your business processes in a 12-month period.
How long does it take to get PCI certification?
Candidates have up to one (1) year from the date of the PCI certification examination to provide PCI with proof of attainment of the required qualification(s). More information regarding additional skills, knowledge, qualifications, and certification requirements can be found under the Certification Program Overview.