How to Get a PCI Compliance Certification
By ERMProtect Staff
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards for companies to secure credit card data. The major card companies – Visa, Mastercard, and American Express - created the standards in an effort to protect credit card data from theft. They are regularly updated with the latest version - PCI DSS 4.0 - expected to be released by mid-2021.
PCI compliance certification is required of merchants and service providers (vendors) that transmit, process or store payment-card transactions. Companies will not face criminal charges if they are not PCI DSS certified. However, if they suffer a data breach while not in full compliance, they could face steep fines or even lose their ability to process credit cards. So, it is important from an operational, reputational, and regulatory standpoint to achieve PCI DSS compliance certification.
The process of PCI compliance is a significant endeavor but, essentially, can be broken down into five logical and sequential steps:
Steps to Take Towards PCI Certification
1. Analyze your compliance level
PCI security requirements differ for businesses, based on how they handle customer transactions, how they handle data, what credit card companies and banks they utilize, and transaction volume. These factors affect compliance levels, which are set by the credit card companies. The first step is to analyze where you stand. See the table at the end of this article to understand the applicable categories.
2. Fill out a SAQ or Hire a QSA
A Self-Assessment Questionnaire (SAQ) allows qualified businesses to self-assess whether they have the appropriate PCI security standards in place. The SAQ lists the requirements, and for each, the business must answer “Yes,” “No,” or “N/A.” This process will help you identify the missing pieces of your company’s payment security.
If you are a Level 1 Merchant or Service Provider with high-volume transactions, you cannot self-assess your compliance. Instead, you must retain a Qualified Security Assessor (QSA) certified by the Payment Card Industry Council to audit your business and attest that the standards are met. Merchants are classified as Level 1 if they process at least 1 million, 2.5 million, or 6 million transactions per year, depending on which credit cards the merchant accepts. Service providers (vendors) are classified as Level 1 if they store, process, or transmit more than 300,000 credit card transactions annually.
Level 1 is the highest, and most stringent, of the PCI DSS levels. If a merchant or service provider is classified as Level 1 then the QSA must complete a more formal and comprehensive report, known as a Report on Compliance (ROC).
3. Make necessary security changes
At this point, a business may have identified gaps in its compliance with the standards and requirements. If this is the case, now is the time to make any necessary security improvements to your business. When done, you can complete the SAQ again until all requirements have been met and are in place.
It is important to remember that you can reduce your company’s compliance requirements by limiting the scope of data subject to the PCI standards. There are a number of ways to bring down your organization's PCI scope including:
- Segment the network as much as possible – Divide the network into smaller sections to better control the flow of traffic across the network and to restrict confidential data to a specific network segment.
- Use tokenization when possible - Tokenization eliminates electronic credit card data from being stored in your environment, where it can be stolen by hackers. Tokenization is the process of protecting credit card data with an algorithmically generated number called a token. The actual credit card number is not visible to a hacker. While this means businesses can worry less about the retention of customers credit card data, they still need to protect data in transmission and processing.
- Outsource all credit card information completely - Not only does this keep your customer data safer, but it also reduces PCI compliance costs and liability in the event of a data breach.
- Limit which departments can see credit card data.
- Limit the type of data departments can see.
- Limit card storage in physical stores.
4. Complete a formal attestation of compliance
Once you have closed compliance gaps and updated your SAQ, you can fill out a formal Attestation of Compliance (AOC). This is a formal document that attests that your business is fully compliant with all relevant PCI standards — and again, there are nine different types based on the nature and size of your business. It may be prudent to have a certified PCI Qualified Security Assessor (QSA) review your work and validate your findings. That way an IT security specialist with specific PCI experience can identify any gaps or inaccuracies that could lead to a breach or compliance issues.
5. File the paperwork
When everything is completed, businesses file the paperwork with their credit card companies and/or acquiring banks. You will need to submit your SAQ, your Attestation of Compliance (AOC), and any other paperwork these organizations may request. A vulnerability scan of your external networks may also be required depending on your PCI level. And, again, if you are classified as a Level 1, you will be required to submit a Report on Compliance (ROC) filled out by a certified PCI QSA.
Getting Help
PCI compliance requires a substantial amount of time, money, and expertise. For businesses required to fill out an SAQ, ERMProtect can perform a PCI DSS gap assessment and make recommendations for security improvements to ensure compliance. This is an important step because oftentimes self-assessing businesses do not fully understand the requirements and leave security gaps that are commonly exploited by hackers.
For Level 1 merchants and service providers, our certified PCI QSAs have performed thousands of assessments and will step in help. As one of the original PCI QSA firms, we are experts at payment card compliance, IT security and data protection. We leverage almost 30 years of experience to secure your payment data, protect your business and manage costs and risk.
Guide: The PCI Categories
There are different categories of businesses, as described by the Payment Card Industry Security Standards Council (PCI SSC), and each one has different requirements to meet:
- Class A (22 requirements)
- These are card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS-compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
- Class A-EP (191 requirements)
- These are e-commerce merchants who outsource all payment processing to PCI DSS-validated third parties and who have a website(s) that does not directly receive cardholder data but that could impact the security of the payment transaction. There is no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
- Class B (41 requirements)
- These are merchants using only imprint machines with no electronic cardholder data storage and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
- Class B-IP (82 requirements)
- These are merchants using only standalone, Pin Transaction Security (PTS) approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
- Class C-VT (79 requirements)
- These are merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS-validated third-party service provider. No electronic cardholder data.
- Class C (160 requirements)
- These are merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.
- Class P2PE (33 requirements)
- These are merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed Point to Point Encryption (P2PE) solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.
- Class D (329 requirements) for merchants
- For merchants: All merchants not included in descriptions for the above types. This includes:
- E-commerce websites – Merchant website accepts payments and does not use a direct post or transparent redirect service.
- Electronic storage of card data – Merchant stores credit card data electronically, e.g., e-mail, e-fax, recorded calls, etc.
- For merchants: All merchants not included in descriptions for the above types. This includes:
- Point of Sale (POS) system without tokenization or Point to Point Encryption (P2PE)
- Class D also applies to POS systems not utilizing tokenization or P2PE. Tokenization turns accounts numbers into random strings of characters that cannot be read if breached.
- Class D (370 requirements) for service providers
- For service providers: All service providers defined by a payment card brand are eligible to complete a self-assessment questionnaire attesting to their compliance with the standards, as opposed to hiring an outside auditor.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights