PCI DSS Certification: Explained in Four Steps

PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements, mandated by the major card brands, for every organization that stores, processes, or transmits payment card data. The first version of the standard was released in 2004 by the leading card brands: Visa, MasterCard, JCB International, Discover, and American Express.

In 2006, the same card brands formed the Payment Card Industry Security Standards Council (PCI SSC), which maintains the standard today. Strictly speaking, the PCI SSC does not certify companies: compliance is required by the card brands and enforced through your contract with your acquiring bank, and "PCI DSS certification" is the common name for having your compliance validated (by a self-assessment or by a QSA assessment) and attested every year.

TL;DR: If your organization stores, processes, or transmits payment card data, whether on premises or on cloud infrastructure, PCI DSS compliance is a must. The standard exists to protect cardholder data against theft and fraud.

In this article we cover the twelve PCI DSS requirements that must be met, and the four merchant levels, determined by annual transaction volume, that decide how your compliance has to be validated.

What is PCI DSS Certification?

PCI DSS is a contractual requirement for anyone storing, processing, or handling cardholder data, whether you are a global enterprise or a start-up. Your business must remain compliant at all times, and your compliance must be validated annually.

PCI DSS gives you a baseline set of controls, defined by the PCI SSC, for securing card data wherever it is handled, on your own servers or on cloud infrastructure. Put simply, it is a payment security standard that protects cardholder data through a set of requirements established by the PCI SSC.

A current Attestation of Compliance also serves as evidence to customers, partners, and acquirers that your organization is safe to transact with.

Today PCI DSS is a globally accepted security standard and one of the better-defined ways to safeguard sensitive data and build trust with customers.

Obtaining and maintaining compliance is, however, both complex and time-consuming. The good news is that the steps shared below make the process considerably more manageable.

Who Does PCI DSS apply to?

PCI DSS applies to every entity that stores, processes, or transmits cardholder data, and to any entity whose systems could affect the security of that data. If your business accepts or processes card payments, you are obligated to comply with PCI DSS; how much validation work that involves depends on your merchant level and on how you handle card data (fully outsourcing payment handling to a compliant provider, for example, reduces your scope but does not remove the obligation).

How to get PCI DSS Certification in 4 simple steps

Step 1 – Learn the 12 PCI DSS Certification Requirements

There are twelve PCI DSS requirements, grouped under six control objectives, that your organization must meet to become PCI compliant. The six objectives are:

  • Build and maintain a secure network and systems
  • Protect account data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Here are the twelve PCI DSS requirements under those control objectives.

1. Install and Maintain Network Security Controls

The first requirement is to protect the cardholder data environment (CDE) with network security controls: firewalls, routers, and, in cloud deployments, security groups or network ACLs that restrict traffic between the CDE and all other networks to what is necessary and documented.

A properly configured firewall does more than wall off the CDE. Every allowed service, port, and protocol must have a documented business justification, inbound traffic from untrusted networks must be limited to the components that genuinely need to be reachable, and outbound traffic from the CDE must be explicitly restricted as well, so that a compromised host cannot freely exfiltrate data.

The rulebase must be reviewed at least every six months to remove stale or overly permissive rules that could expose the CDE.
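What a six-monthly rule review actually looks for, as an added example that is not part of the original page: the script below takes an exported rulebase and flags allow rules that admit any source into the CDE, let the CDE reach anywhere, open all ports, or carry no business justification. The CDE subnet, the rules, and the justification wording are constructed for illustration.

```python
import ipaddress

# Added example, not from the original page. The CDE subnet and the rulebase
# below are constructed for illustration; a real review would load the rules
# exported from the firewall or cloud security group API.
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed CDE subnet

SAMPLE_RULES = [  # constructed sample rules
    {"id": 1, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.10/32",
     "port": "443", "justification": "web tier to payment API"},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.0/24",
     "port": "any", "justification": ""},
    {"id": 3, "action": "allow", "src": "10.20.0.0/24", "dst": "0.0.0.0/0",
     "port": "any", "justification": "temporary"},
    {"id": 4, "action": "allow", "src": "10.30.0.0/24", "dst": "10.20.0.20/32",
     "port": "22", "justification": "jump host to DB admin"},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24",
     "port": "any", "justification": "default deny into CDE"},
]

WEAK_JUSTIFICATIONS = {"", "temporary", "tbd", "n/a"}


def touches_cde(cidr: str) -> bool:
    """True if the address block overlaps any CDE network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(cde) for cde in CDE_NETWORKS)


def review_rules(rules):
    """Return [(rule_id, [issues])] for allow rules that break the
    'necessary and justified traffic only' principle of Requirement 1."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules are not the problem here
        src = ipaddress.ip_network(rule["src"], strict=False)
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        issues = []
        if touches_cde(rule["dst"]) and src.prefixlen == 0:
            issues.append("inbound to CDE from any source")
        if touches_cde(rule["src"]) and dst.prefixlen == 0:
            issues.append("unrestricted outbound from CDE")
        if rule["port"] == "any" and (touches_cde(rule["src"]) or touches_cde(rule["dst"])):
            issues.append("all ports/services permitted")
        if rule["justification"].strip().lower() in WEAK_JUSTIFICATIONS:
            issues.append("no documented business justification")
        if issues:
            findings.append((rule["id"], issues))
    return findings


if __name__ == "__main__":
    for rule_id, issues in review_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: " + "; ".join(issues))
```

Rules 2 and 3 are the ones an assessor will ask about: a wide-open inbound rule and a "temporary" outbound rule that nobody removed. Keeping the justification next to the rule is what makes the six-monthly review tractable.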

2. Don't Use Vendor-Supplied Defaults for Passwords and Other Security Parameters

The second requirement covers hardening of all system components: servers, firewalls, network devices, wireless access points, databases, and so on.

Most of these ship with default accounts, default passwords, and default settings that are publicly documented and trivially guessable. Every such default must be changed, and unnecessary accounts, services, and protocols removed, before a system goes into the CDE.

The requirement also asks you to maintain configuration (hardening) standards for every type of system component, based on accepted industry baselines such as the CIS Benchmarks, and to apply them to every new device or system introduced into your infrastructure.

3. Protect Stored Cardholder Data

The third requirement is where most of the risk sits. Your organization must know exactly what card data it stores, where, why, and for how long; storage must be limited to what the business needs, with a documented retention period and a process for securely deleting data that is no longer required.

Sensitive authentication data (full track contents, the card verification code, and PIN data) must never be stored after authorization. Wherever the full PAN is stored it must be rendered unreadable using one of the methods the standard accepts: a keyed one-way hash of the entire PAN (a plain SHA-256 is not sufficient), truncation, index tokens, or strong encryption (for example AES-256) with proper key management. Where the PAN is displayed it must be masked so that at most the BIN and the last four digits are visible to anyone without a business need to see the full number.
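Why the standard insists on a keyed hash rather than a plain one, as an added example that is not part of the original page: the script below shows the three accepted ways to make a stored PAN unreadable (truncation, masking for display, HMAC) next to the unkeyed SHA-256 that many shops used to reach for, and then demonstrates the attack that rules the unkeyed variant out. The PANs are standard test card numbers, and the HMAC key is a placeholder; in production the key lives in an HSM or key management service.

```python
import hashlib
import hmac

# Added example, not from the original page. The PANs are standard test card
# numbers, constructed for illustration; the HMAC key is a placeholder and in
# production would be held in an HSM or key management service.
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "4111111111111112"]


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, handy when hunting for PANs during scoping."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits. The
    discarded middle digits cannot be recovered from the stored value."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def mask_for_display(pan: str) -> str:
    """Masking for screens and receipts: show the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """What NOT to do: an unkeyed hash of a number with very little entropy."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the entire PAN. Without the key the
    digest cannot be brute-forced, which is why the standard requires it."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed(digest_hex: str, truncated: str):
    """Why unkeyed hashing fails: if a truncated PAN and an unkeyed hash of the
    same PAN both exist, only the hidden middle digits are unknown, so an
    attacker simply enumerates them and compares against the digest."""
    first6, last4 = truncated[:6], truncated[-4:]
    width = len(truncated) - 10
    for i in range(10 ** width):
        candidate = f"{first6}{i:0{width}d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = b"\x00" * 32  # placeholder; never hard-code a real key
    for pan in SAMPLE_PANS:
        print(pan, luhn_valid(pan), truncate_pan(pan), mask_for_display(pan),
              keyed_hash(pan, key)[:16])
    stored = unkeyed_hash(SAMPLE_PANS[0])
    print("recovered from unkeyed hash:",
          recover_from_unkeyed(stored, truncate_pan(SAMPLE_PANS[0])))
```

The recovery loop needs at most a million SHA-256 calls for a 16-digit PAN, which is seconds of work. The same attack against the HMAC fails without the key, and it is also why the standard requires that a truncated and a hashed version of the same PAN cannot be correlated in the same environment.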

4. Encrypt Cardholder Data Transmitted Across Open and Public Networks

The fourth requirement complements the third: card data must be protected with strong cryptography while it travels over open or public networks (the Internet, wireless networks, cellular, and similar).

In practice this means TLS (version 1.2 or later; SSL and early TLS are no longer acceptable), SSH, or IPsec, configured with strong cipher suites and with certificates validated and trusted. PANs must also never be sent unprotected over end-user messaging such as email, chat, or SMS.

5. Protect All Systems and Networks from Malicious Software

The fifth requirement protects your systems against malware, including the laptops, workstations, and mobile devices employees use to reach the CDE locally or remotely.

Anti-malware software must be deployed on all systems commonly affected by malware (any system you exclude must be documented as not at risk and re-evaluated periodically), kept up to date, run periodic and real-time scans, and be protected from being disabled or altered by users. The current version of the standard also explicitly covers scanning of removable media and protection of personnel against phishing.

6. Develop and Maintain Secure Systems and Software

The sixth requirement covers secure development and vulnerability management. You need a process that uses reputable external sources (vendor advisories, CVE feeds, industry bulletins) to identify new vulnerabilities and rank them by risk.

Software you develop yourself must follow a secure development life cycle: security requirements at every stage, developer training in secure coding, code review before release, and protection of public-facing web applications, for example with a web application firewall and regular application security testing.

In addition, security patches must be deployed across all components in the CDE, with critical patches installed within one month of release, including:

  • Operating systems
  • Application software
  • Databases
  • Firewalls, routers, and switches
  • POS terminals

7. Restrict Access to System Components and Cardholder Data by Business Need to Know

The seventh requirement calls for an access control system that denies access by default and grants access to cardholder data and CDE systems only on a need-to-know, least-privilege basis, with rights assigned according to job role.

Need to know is a fundamental concept of the standard. Document every role that requires access to the CDE and the level of access it needs, and review user accounts and their privileges at least every six months so that access nobody needs any more is removed.

8. Identify Users and Authenticate Access to System Components

The eighth requirement prohibits shared and group accounts: every user must have a unique ID so that each action can be traced to an individual and accountability maintained. It also sets authentication rules (password length and complexity, lockout after repeated failed attempts, session timeouts after inactivity) and requires multi-factor authentication for all access into the CDE and for all remote access to the network.

9. Restrict Physical Access to Cardholder Data

The ninth requirement restricts physical access to the systems and media that hold cardholder data, so that unauthorized people cannot steal, tamper with, destroy, or disable them.

Controls include badge access and visitor logs for sensitive areas, video cameras or other monitoring of entry and exit points (with recordings retained for at least three months), secure handling and inventory of media and point-of-interaction devices, and secure destruction of media once the data on it is no longer needed.

10. Log and Monitor All Access to System Components and Cardholder Data

The tenth requirement is about audit logging and monitoring: without reliable logs you cannot detect an intrusion, work out what was accessed, or reconstruct what happened afterwards.

Audit logs must be enabled on all CDE components, capture at minimum who did what, when, from where, and whether it succeeded, and be forwarded to a central, protected log server (for example over syslog) where the systems that generated them cannot alter them. Logs must be reviewed at least daily (automated review is expected for anything beyond a tiny environment), retained for at least twelve months with the most recent three months immediately available, and all system clocks must be synchronized from a trusted time source so that events can be correlated.
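What a daily log review is looking for, as an added example that is not part of the original page: the script below parses a day of sshd log lines from a CDE database host and raises alerts for a brute-force pattern, a successful login that follows it, a login from outside the administrative network, and use of a shared or generic account (the kind Requirement 8 forbids). The log lines are constructed in standard OpenSSH/syslog format, and the admin subnet, account list, and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Added example, not from the original page. Log lines are constructed in
# OpenSSH/syslog format; the admin subnet, account list and threshold are
# assumptions a real deployment would tune.
ADMIN_NET = ipaddress.ip_network("10.30.0.0/24")              # assumed jump-host subnet
GENERIC_ACCOUNTS = {"root", "admin", "oracle", "postgres"}    # shared IDs forbidden by Req. 8
FAILED_THRESHOLD = 5

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Mar 10 02:14:01 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51212 ssh2
Mar 10 02:14:03 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51213 ssh2
Mar 10 02:14:05 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51214 ssh2
Mar 10 02:14:07 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51215 ssh2
Mar 10 02:14:09 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51216 ssh2
Mar 10 02:14:11 pay-db01 sshd[1122]: Failed password for admin from 203.0.113.7 port 51217 ssh2
Mar 10 02:14:15 pay-db01 sshd[1130]: Accepted password for admin from 203.0.113.7 port 51218 ssh2
Mar 10 02:14:15 pay-db01 sshd[1130]: pam_unix(sshd:session): session opened for user admin
Mar 10 08:02:44 pay-db01 sshd[2201]: Accepted publickey for alice from 10.30.0.5 port 40112 ssh2
Mar 10 09:15:02 pay-db01 sshd[2390]: Accepted publickey for root from 10.30.0.9 port 40990 ssh2
"""


def parse_line(line):
    """Return the fields of an sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_auth_log(lines):
    """Return a list of (category, user, source_ip) alerts for one day's log."""
    failed = Counter()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failed[key] += 1
            if failed[key] == FAILED_THRESHOLD:   # alert once per (user, ip)
                alerts.append(("brute_force", ev["user"], ev["ip"]))
            continue
        # Successful login: check where it came from and who it was.
        if ipaddress.ip_address(ev["ip"]) not in ADMIN_NET:
            alerts.append(("login_from_outside_admin_net", ev["user"], ev["ip"]))
        if ev["user"] in GENERIC_ACCOUNTS:
            alerts.append(("shared_or_generic_account", ev["user"], ev["ip"]))
        if failed[key] >= FAILED_THRESHOLD:
            alerts.append(("success_after_repeated_failures", ev["user"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

The interesting finding is not the six failures by themselves but the successful password login that follows them from the same external address, on a generic account; that is a breach indicator, not noise, and it is exactly the correlation a daily review (or the automated tooling the standard now expects) must surface.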

11. Test Security of Systems and Networks Regularly

Attackers find weaknesses through constant probing, and new vulnerabilities appear every time systems change. Security controls must therefore be tested regularly to confirm they still work.

The eleventh requirement calls for the following activities:

  • Internal vulnerability scans at least quarterly and after any significant change
  • External vulnerability scans at least quarterly, performed by a PCI SSC Approved Scanning Vendor (ASV), covering every externally reachable IP address and domain in scope
  • Internal and external penetration tests, at both the network and application layer, at least annually and after significant changes, with findings corrected and re-tested
  • Detection of authorized and unauthorized wireless access points at least quarterly

In addition, you need intrusion detection or prevention at the perimeter of the CDE and at critical points inside it, and a change-detection mechanism (file integrity monitoring) on critical system, configuration, and content files, with comparisons performed at least weekly, so that unauthorized changes do not go unnoticed.

12. Support Information Security with Organizational Policies and Programs

The last requirement covers the information security policy and program that hold everything else together.

The policy must be established, published, reviewed at least annually, and communicated to all relevant personnel, contractors, vendors, and other stakeholders.

The requirement also calls for the following:

  • Security awareness training on hire and at least annually thereafter
  • An incident response plan that is tested at least annually
  • A formal risk assessment to identify critical assets, threats, and vulnerabilities
  • Screening of personnel before they are granted access to the CDE
  • Management of third-party service providers, including tracking their PCI DSS compliance status

Responsibility for information security must be formally assigned to a CISO or another security-knowledgeable member of executive management. Whoever validates your compliance, a QSA or a qualified internal assessor, will expect evidence that each of these activities has actually taken place, not just a policy saying it should.

Step 2 – Identify What Your Company Needs For PCI DSS Compliance Certification

Now that you are familiar with the twelve requirements, the next step is to work out how your organization has to validate its compliance.

The card brands classify merchants into four levels, each with its own validation requirements. The thresholds below follow the Visa and Mastercard definitions; the other brands differ slightly, and your acquiring bank will tell you which level applies to you. A brand can also assign any merchant that has suffered a breach to Level 1 regardless of volume.

The level depends mostly on the number of card transactions your organization processes annually:

  • Compliance Level 1: more than 6 million transactions per year
  • Compliance Level 2: 1 million to 6 million transactions per year
  • Compliance Level 3: 20,000 to 1 million e-commerce transactions per year
  • Compliance Level 4: fewer than 20,000 e-commerce transactions per year, and fewer than 1 million transactions in total

If you fall under Level 1, you need an annual onsite assessment by a PCI Qualified Security Assessor (QSA) or, where the brand allows it, a qualified internal assessor (ISA), resulting in a Report on Compliance (ROC) and an Attestation of Compliance (AOC), plus quarterly external scans by an Approved Scanning Vendor (ASV).

If you fall under Level 2 or 3, you validate with an annual Self-Assessment Questionnaire (SAQ) attesting that you have implemented the required controls, plus quarterly ASV scans where your SAQ type requires them. Depending on the brand, Level 2 may require the SAQ to be completed by a QSA or by staff with ISA training.

If you fall under Level 4, you must still comply with PCI DSS; what changes is that validation (usually an annual SAQ and quarterly ASV scans) is at the discretion of your acquiring bank. This is why it is often described as "recommended" rather than mandatory, but acquirers can and routinely do require it.

Step 3 – Preparation Required To Get PCI DSS Certification

Now that you know the twelve requirements and the compliance levels, it is time to start the implementation.

Preparation is the bulk of the work. To make it manageable, split it into the following parts:

Scoping and Risk Assessment

Before anything else, define the cardholder data environment: every system, network segment, and person that stores, processes, or transmits card data, and every system that connects to or could affect those. Scope determines how many controls apply to how many systems, so reducing it (network segmentation, tokenization, or handing payment pages to a compliant provider) is the single most effective preparation step.

Because the purpose of PCI DSS is to reduce the risk of a card data breach, you must then perform a formal risk assessment of that environment to identify the threats and vulnerabilities to cardholder data and to the services that handle it.

Policies and Procedures

The results of the risk assessment give you a picture of your card-data-related threats and of the current security posture of your organization.

Use them to write the policies and procedures that underpin most of the PCI DSS requirements. They must address the requirements themselves, but they must also reflect the controls and processes you actually run; policies copied from a template that nobody follows do not survive an assessment.

Gap Analysis

With policies in place, compare your current controls against each PCI DSS requirement to find compliance gaps, and build a remediation plan with an owner and a deadline for every gap you discover.

Engaging a PCI QSA for the gap analysis is worthwhile: they know what evidence an assessor will expect and will catch misreadings of the requirements before they turn into findings.

Step 4 – Complete the Self-Assessment Questionnaire (SAQ) or Hire a PCI Qualified Security Assessor (QSA)

The final step is to validate your compliance: complete the SAQ or engage a PCI QSA, depending on your compliance level.

Self-Assessment Questionnaire & Attestation of Compliance

If your organization falls under Level 2, 3, or 4, you validate with the Self-Assessment Questionnaire (SAQ).

The SAQ is a self-validation tool for assessing the security of cardholder data in your environment. There are several SAQ types (for example SAQ A for card-not-present merchants that fully outsource card handling, and SAQ D for merchants that do not fit any of the reduced types), and the right one depends on how you accept payments; choosing the wrong type is one of the most common mistakes. The questionnaire consists mostly of yes/no questions against each applicable requirement. Once it is complete, you also fill in the Attestation of Compliance (AOC), the form that formally attests to the result, and submit both, together with passing ASV scan reports where required, to your acquirer.

Report on Compliance & Attestation of Compliance

If your organization falls under Level 1, a Report on Compliance (ROC) is mandatory. The ROC is produced by a QSA (or, for merchants, by a qualified internal assessor where the card brand allows it) after the annual onsite assessment, and the assessor also signs the accompanying AOC.

How long does PCI DSS certification take?

For a small merchant validating with an SAQ whose environment is already in reasonable shape, the process can take anywhere from a day to a couple of weeks; most of that time goes into completing the questionnaire and passing the required ASV scan. For a larger environment, particularly one that needs remediation or a Level 1 onsite assessment, plan in months rather than weeks.

Once the scan and questionnaire have been passed, the results go to your acquiring bank, which reports your compliance status to the card brands.

How much does PCI DSS certification cost?

The cost of PCI DSS compliance for a small organization typically runs from $5,000 to $20,000, and for a large organization from $50,000 to $200,000. Beyond size, the biggest factor is the organization's existing security posture: the more controls already in place, the less remediation you pay for.

For a small business, depending on your environment, PCI DSS compliance can cost as little as $300 per year:

  • Vulnerability scanning: around $100 to $200 per IP address
  • Self-Assessment Questionnaire: $50 to $200
  • Training and policy development: roughly $70 per employee
  • Remediation, depending on existing security practices: anywhere from $100 to $10,000

For a very large enterprise requiring a full PCI DSS assessment, depending on your environment, expect to pay $70,000 or more in total:

  • Onsite audit: around $40,000
  • Penetration testing: around $15,000
  • Vulnerability scans: around $1,000
  • Training and policy development: around $5,000
  • Remediation, which varies greatly with existing security practices: anywhere from $10,000 to $500,000

How to Demonstrate PCI DSS Certification to Your Customers?

Once you have validated compliance, let your customers and partners know. It demonstrates that your organization is able to accept payments from branded cards and that it manages the risks of handling highly sensitive card data.

The simplest way to demonstrate compliance is to provide your Attestation of Compliance (AOC) on request. The ROC itself contains detailed information about your environment and is normally shared only with your acquirer and the card brands, not with customers. If you are a service provider, customers will also expect a responsibility matrix showing which PCI DSS requirements you cover on their behalf and which remain theirs.

Obtaining PCI DSS validation is complicated and time-consuming, but it is what allows your organization to process branded card payments.

More importantly, it demonstrates that your organization follows a recognized security standard, which builds lasting trust with your customers.

But if you’re still not sure how to get started, Sprinto can help to obtain PCI DSS Certification easily. Please visit our website to learn how we can help.
