What are the requirements for becoming PCI compliant?

In order to become PCI DSS compliant, there are 12 requirements a business must adhere to. Each requirement falls into a ‘goal’ or category that, according to the PCI SSC, “help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance.”

The PCI validation requirements and goals are: 

1. Build and maintain a secure network
   Install and maintain a firewall configuration to protect data
   Do not use vendor-supplied defaults for system passwords and other security parameters
    

2. Protect cardholder data
   Protect stored cardholder data
   Encrypt transmission of cardholder data across open, public networks
    

3. Create a vulnerability management program
   Use and regularly update anti-virus software or programs
   Develop and maintain secure systems and applications
    

4. Implement strong access control measures
   Restrict access to cardholder data by business need-to-know
   Assign a unique ID to each person with computer access
   Restrict physical access to cardholder data
    

5. Monitor and test networks regularly
   Track and monitor all access to network resources and cardholder data
   Regularly test security systems and processes
    

6. Develop an information security policy
   Maintain a policy that addresses information security for employees and contractors
    

These categories are intended “to provide the following benefits” for businesses:

• Roadmap to assess, address, and report on prioritised risks

• Objective and measurable indicators of progress

• Consistency among assessors

How do I get PCI DSS Certified?

Here are the below steps you should take once you are ready to become PCI DSS certified: 

• Identify your compliance ‘level’ 

• Complete a self-assessment questionnaire (SAQ) or Complete an annual Report on Compliance (ROC) 

• Complete a formal attestation of compliance (AOC)

• Complete a quarterly network scan by an Approved Scanning Vendor (ASV)

• Submit the document

Please note: When dealing with PCI DSS requirements, you can either go through the process yourself or get help from a PCI SSC Qualified Security Assessor (QSA) 

•  Identify your compliance ‘level’ 

Identify where your business sits within the compliance levels. There are varying levels depending on the size of a business, based on how they handle transactions and data, what credit cards they work with and how many transactions they process. 

Level 1 
A business that processes over six million transactions annually.

Level 2 
A business that processes one to six million transactions annually. 

Level 3  
A business which processes 20,000 to one million transactions online over 12 months. 

Level 4
A business that processes less than 20,000 transactions online annually and processes up to one million transactions annually.

For Level 2-4 merchants:

• Complete a self-assessment questionnaire (SAQ) 

The self-assessment questionnaire (SAQ) is a guidebook you can use to assess your current compliance level. It takes you through the requirements (as listed above) to help you identify your company’s payment security and if you should make changes to your business.

For Level 1 merchants:

• Complete an annual Report on Compliance (ROC) - an external audit performed by a Qualified Security Assessor (QSA)

As part of the audit the assessor will:

• Validate the scope of the assessment;

• Review documentation and technical information;

• Determine whether the PCI DSS’s requirements are being met;

• Evaluate compensating controls.

The RoC (Report on Compliance) will then be submitted to the organisation’s acquiring banks to demonstrate compliance.

• Complete a formal attestation of compliance (AOC)

Once you’ve made any changes necessary and have updated your SAQ, you can fill out a formal attestation of compliance (AOC) in which a qualified security assessor reviews your work and officially validates if your business is fully compliant with all relevant PCI standards. 

• Complete a quarterly network scan by an Approved Scanning Vendor (ASV)

An Approved Scanning Vendor (ASV) is an organisation that is qualified by the PCI SSC, to complete external vulnerability scanning services using specialist security tools find any weaknesses or holes in your systems that hackers may attempt to exploit. These must be completed every 90 days. For further information click here. 

•  Submit the documents 

Finally, you must submit your documents such as your SAQ, AOC and ASV scan report to your acquirer bank and to the relevant credit card/payment brands as requested.

PCI compliance is a vital part of your business and should not be overlooked. By being PCI DSS compliant, you will protect not only your brand but your customers. 

As a reminder, to become PCI compliant you should:

• Identify your compliance ‘level’ 

• Complete a self-assessment questionnaire (SAQ) or Complete an annual Report on Compliance (ROC) 

• Complete a formal attestation of compliance (AOC)

• Complete a quarterly network scan by an Approved Scanning Vendor (ASV)

• Submit the documents 

Although this checklist might look daunting at first it is actually fairly straightforward. However, it might be best to seek assistance from your payment service provider should you need it. 

Remember, if you fail to become PCI compliant you could incur steep fines, a loss of credibility and customers and lose the ability to accept future credit card payments. For further information about failing to comply, see our Failure to Comply with PCI article.