How to Get PCI DSS Certification?

The purpose of PCI DSS is simply to ensure that all companies that accept, process, store or transmit credit card information, are careful to actively maintain a secure environment. The Payment Card Industry Data Security Standard (PCI DSS) was developed by the five major payment card brands that formed the Payment Card Industry Security Standards Council (PCI SSC): American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Obtaining PCI DSS certification is not impossible and usually takes companies between one day and two weeks to complete, depending on the complexity of payments within the company and the state of information security. 

Larger more complex companies will usually have an internal IT infrastructure or compliance department to coordinate the PCI compliance process. Smaller companies should ideally take advantage of a compliance management software to steer them safely through the process of gaining PCI DSS for individuals or they can make use of online tools and guidance that are out there. 

PCI DSS certification costs vary greatly by company, but they are generally estimated at $300 annually for a smaller company, whilst a large enterprise may be upwards of $70,000. Being smart with your compliance tools and using automation where possible may relieve you of some of that cost.

Besides being an obligatory compliance, PCI DSS is a worthwhile undertaking with many benefits. For example, PCI DSS will:

  • Help keep your data secure
  • Deter identity fraud
  • Help to avoid costly breaches
  • Protect both employees and customers
  • Enhance your company’s reputation and trustworthiness.

Here we break down for you the process and components of a PCI DSS compliance. Read on until the end for our expert insider tips for a successful process.

How to Get PCI DSS Certification?

How does PCI DSS work?

Achieving compliance with PCI DSS is a simple process that varies slightly according to the number of credit card transactions a company processes. 

The four main steps are:

  1. Scope – Determine the components and systems that should be in the scope for PCI DSS. This is also a good time to determine your merchant level (see below) and appropriate RoC or SAQ (whose meaning will become clear below).
  1. Assess- Take inventory of your IT assets, identify all the places cardholder data is found, look at your business processes, security controls and analyze whether there are any vulnerabilities in the system.
  1. Repair- Patch any vulnerabilities, secure systems and processes, and remove unnecessary storage of cardholder data.
  1. Report- An assessor and/or entity needs to submit the appropriate documentation: an SAQ or RoC (explained in detail below), ASV scanning records, pentest results and any compensating control information.

There are 12 specifications that make up the core requirements:

  • Secure your system with firewalls
  • Passwords and preferences should be configured
  • Keep cardholder information secure
  • Ensure that data about cardholders is transferred safely over public networks that are open to the public
  • Anti-virus software should be updated regularly
  • Systems should be updated regularly
  • Access to cardholder data should be limited to those who have a business need to know.
  • Each individual with computer access should be given a unique ID
  • Physical access to the workplace and cardholder data should be limited
  • Logging and log monitoring should be implemented
  • Vulnerability scans and penetration checks should be performed
  • Conduct documentation and risk assessments

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Breaking down the Levels

All merchants will fall into one of four levels, depending on the number of credit card transactions they process annually. According to the level, a merchant will either need to fill out a Self Assessment Questionnaire (SAQ), or undertake a Report of Compliance (RoC) to be approved by a Qualified Security Assessor (QSA). It is worth noting that if a merchant has suffered a breach that resulted in account data compromise, they may be asked by their acquiring bank (the financial institution that initiates and maintains the relationships with merchants that accept payment cards) to fill a higher validation level. 

Another aspect of PCI DSS certification are scans, via an Approved Scanning Vendor (ASV) and penetration test results. These requirements vary according to levels. 

A merchant can determine their PCI compliance level by consulting their merchant services provider or using their providers reporting tools. This should give a clear picture of the number of transactions that take place annually.

PCI compliance level

Level 1 – Merchants that process over 6 million credit card transactions annually.

Seeing that the purpose of the PCI process is to secure cardholder data, it seems obvious that entities processing data at this level need to be extra vigilant due to the sheer volume of transactions. 

For a level 1 merchant the PCI DSS assessment will consist of an external audit performed by a Qualified Security Assessor (QSA) (or Internal Security Assessor (ISA)). After validating the scope, reviewing documentation and measuring the PCI DSS requirements against your organization, the QSA will submit a Report on Compliance (RoC) to your acquiring bank to validate your compliance with PCI DSS.

Level 2 – Merchants that process between 1 and 6 million credit card transactions annually.

Merchants at level 2 will complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Level 3 – Merchants that process between 20k and 1 million credits card transactions annually.

Merchants at level 3 will also complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Level 4 – Merchants that process less than 20k credit card transactions annually.

As before, merchants at level 4 will also complete an annual Self Assessment Questionnaire (SAQ). No need for an external audit. In addition, merchants at this level will need to present a quarterly network scan by an Approved Scanning Vendor (ASV) and an attestation of compliance (AoC) form. 

Self Assessment Questionnaires

Like most things in life, SAQ’s were not created equal. Whilst there is only one type of Report on Compliance for level 1 merchants, there are, in fact, 9 different SAQ’s for merchants on levels 2-4. It is important that once you have determined your merchant level, you pick the appropriate SAQ.

The SAQ is a validation tool to report the results of your PCI DSS self assessment. It measures your compliance against the appropriate requirements via a series of yes-or-no questions. If you can show compliance with a requirement, that’s simple enough! If you cannot, you will need to provide future remediation details and dates. 

Here are the types of SAQs, as per the official website:

SAQ TYPEPAYMENT TYPE / DESCRIPTION
ACard not present merchants, e-commerce or telephone-orders. All payments are fully outsourced with no electronic storage, processing or transmission of cardholder data on the merchants systems or premises at all. 
A – EPE-commerce merchants who outsource all payment processing to PCI DSS validated third parties and who have a website that doesn’t directly receive cardholder data but the website could impact the security of the payment transaction. Again, there can be no electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises.This type is only applicable to e-commerce channels.
BMerchants who solely use:Imprint machines with no electronic cardholder data storage and/orStandalone, dial out terminals with no electronic cardholder data storage. This is not applicable to e-commerce merchants.
B- IPMerchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.Not applicable to e-commerce channels
C-VTMerchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.Not applicable to e-commerce channels.
CMerchants with payment application systems connected to the Internet, noelectronic cardholder data storage.Not applicable to e-commerce channels.
P2PEMerchants using only hardware payment terminals that are included in andmanaged via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.Not applicable to e-commerce channels.
D – MerchantsSAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
D- Service ProvidersSAQ D for Service Providers: All service providers defined by a payment card brand as eligible to complete a SAQ.

Top tips for successful compliance with PCI DSS 

  • Ensure the vendors handling cardholder information on your behalf are compliant with PCI DSS! If not, your partners and vendors may be putting your systems at risk. Check whether they are PCI DSS compliant, or begin with a risk assessment to see how you can empower your vendors and third parties with tools to remediate that risk.
  • Use a PCI DSS compliance checklist to ensure you have fulfilled all of your requirements. This can come in the form of a good compliance management software that will provide automated questionnaires to walk you through the 12 PCI DSS requirements, keeping you organized, suggesting remediation steps, and tracking your progress. This may be the most efficient way to undertake the journey.
  • Train employees to adhere to security policies and PCI DSS requirements in order to support your compliance strategy. Anyone in the company working with cardholder data should be informed and understand their importance. This will reduce human error and help keep the transaction environment safe.
  • Undertake an internal risk assessment to see where remediation is needed and regularly test systems and processes. This way you will be able to keep up the security standards needed, spread out the work over a larger period of time, and reduce stress- you will be in great shape when audit time comes around!

Centraleyes Automated Risk & Compliance Management Solution

Regardless of your payment arrangement, Centraleyes offers all you need from start to finish, including all self-assessment questionnaires (SAQ).

The Centraleyes platform delivers streamlined, automated data collection and analysis, prioritized remediation guidance, and real-time customized scoring to meet the PCI DSS requirements.

In addition, Centraleyes provides a built-in PCI DSS questionnaire and has mapped it back to its control inventory allowing it to share data across multiple frameworks through the platform, which creates time savings, money savings, and more accurate data.

Schedule a demo to see how we can pave the way to PCI DSS compliance.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days