Streamlining Compliance: A 4-Step Guide to Attain PCI DSS Certification
Learn the 12 PCI Certification Standards
For organizations that store, process, or transmit payment card data, validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), commonly referred to as PCI certification, is a central data security and compliance obligation. PCI DSS is an information security standard that applies to every entity involved in payment card transactions, including merchants, payment processors, and service providers.
While the term "standard" may suggest an optional best practice, PCI DSS functions as a contractual requirement: it is imposed on merchants and service providers through their agreements with acquiring banks and the card brands, and non-compliance can result in fines and the loss of card processing privileges. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), founded in 2006 by Visa, MasterCard, Discover, American Express, and JCB International.
The PCI SSC revises the standard periodically. This guide is written against PCI DSS 3.2.1, released in May 2018; note that PCI DSS 4.0 was published in March 2022 and 3.2.1 was retired on 31 March 2024, so confirm which version your acquirer and assessor expect before you begin. The standard comprises 12 core requirements and numerous sub-requirements, serving as a comprehensive framework for payment card data security.
Achieving and maintaining PCI compliance is intricate and time-consuming, but these four steps simplify the process and fortify your data protection:
Step One: Familiarize Yourself with the 12 PCI Certification Standards
The foundation of PCI compliance rests on 12 core requirements that are grouped into six broader objectives. Understanding and adhering to these requirements, which encompass about 251 sub-requirements detailed in PCI DSS 3.2.1, is essential for certification.
Here is a high-level summary of the six control objectives:
1. Build and Maintain a Secure Network:
- Install and maintain a firewall configuration.
- Avoid using vendor-supplied defaults for system passwords and security parameters.
2. Protect Cardholder Data:
- Protect stored data.
- Encrypt the transmission of cardholder data over public networks.
3. Maintain a Vulnerability Management Program:
- Protect all systems against malware and keep antivirus software up to date.
- Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures:
- Restrict access to cardholder data based on business necessity.
- Identify and authenticate access: assign a unique ID to every user and do not use shared or generic accounts.
- Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks:
- Track and monitor all access to network resources and cardholder data.
- Conduct regular security system and process testing.
6. Maintain an Information Security Policy:
- Establish and maintain a comprehensive information security policy.
Step Two: Determine Your Organization's Compliance Requirements
PCI DSS validation requirements vary according to your organization's annual transaction volume. Each card brand defines its own merchant levels and your acquirer assigns your level, but the tiers used by Visa and MasterCard are broadly:
- Level 1: Over 6 Million transactions per year
- Level 2: 1 Million – 6 Million transactions per year
- Level 3: 20,000 – 1 Million transactions per year
- Level 4: Less than 20,000 transactions per year
Two caveats apply: the Level 3 and Level 4 thresholds count e-commerce transactions specifically, and a merchant that suffers a breach involving account data can be moved to Level 1 by its card brand regardless of volume. Smaller merchants (Levels 2, 3, and 4) typically validate by completing a Self-Assessment Questionnaire (SAQ). Level 1 merchants must undergo an annual on-site assessment by a Payment Card Industry Qualified Security Assessor (PCI QSA), the results of which are documented in a Report on Compliance (ROC). Depending on the SAQ type and the brand's rules, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) are also commonly required for Internet-facing systems in scope.
Step Three: Facilitate PCI Certification Through Preparation
To streamline PCI DSS certification, preparation is key. Essential steps include:
- Scoping and Risk Assessment: Identify every system that stores, processes, or transmits cardholder data, plus any system connected to those, to define your cardholder data environment (CDE); segmenting the CDE from the rest of the network reduces the number of systems subject to every requirement. Then assess the threats and vulnerabilities to that environment to identify risks and prioritize security measures.
- Policies and Procedures: Create and tailor policies and procedures to align with PCI DSS requirements and business processes. Good cybersecurity practices often lead to compliance.
- Gap Analysis: Examine PCI DSS requirements in detail to identify compliance gaps and establish a remediation plan. Consider enlisting a PCI QSA for an independent gap analysis.
Step Four: Complete a Self-Assessment Questionnaire or Engage a PCI QSA
Your certification process depends on your merchant level:
- Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC): Levels 2, 3, and 4 complete an SAQ, a self-validation tool of yes/no questions mapped to PCI DSS requirements. Several SAQ types exist (for example SAQ A for merchants that fully outsource all cardholder data handling to validated third parties, and SAQ D for merchants that store or process card data themselves), so confirm with your acquirer which one applies to your payment channels. After completing the SAQ, submit the matching AOC attesting to your compliance.
- Report on Compliance (ROC) and Attestation of Compliance (AOC): Level 1 merchants need a PCI QSA to perform an on-site assessment and write the ROC; the QSA and the merchant then sign an AOC, which is submitted to the acquirer as evidence of PCI compliance.
Certified compliance helps build customer trust and demonstrates your ability to safeguard sensitive payment card data. It also lays the foundation for robust cybersecurity practices, enhancing protection against cyber threats.
With over 15 years of experience, we are a leading PCI QSA firm proficient in payment card compliance, IT security, and data protection. Our expertise secures your payment data, protects your business, and mitigates costs and risks. Contact