PCI DSS IMPLEMENTATION

Steps to get PCI DSS certification

What is PCI DSS

PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of security standards that was formed by a few financial companies. PCI DSS is governed by the PCI SSC, which stands for Payment Card Industry Security Standards Council. Its purpose is to secure credit and debit card transactions against all types of data theft and fraud. The PCI SSC’s mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness and effective implementation by stakeholders.

Governance

The PCI Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa. These founding members share equally in ownership, governance and execution of the organization’s work. Each incorporates the PCI DSS as part of the technical requirements for its respective data security compliance program. Founding members also recognize assessors qualified by the PCI SSC.

PCI certification is a requirement for every business that processes credit or debit card transactions. PCI certification is the best way to be sure about the security of sensitive data and information. It helps businesses build a safe and secure environment, which helps them gain the trust of customers.

It addresses the security of card data in your business by setting up rules and policies that need to be followed. The rules and procedures are based on the guidelines of the PCI SSC.

There is a list of requirements for PCI DSS. These requirements are set by the PCI SSC and are both operational and technical. They focus mainly on protecting cardholder data, and there are twelve of them.

 Currently, the latest standard of PCI DSS is version 3.2.1. It was last updated in May 2018.

Getting a PCI certification is a 4-step process

STEP 1

Fulfill the below requirements

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Firewall and Router configuration standards
  • Network change management
  • Firewall and Router rule set review (semi-annual)
  • DMZ implementation for publicly accessible services
  • Inbound and outbound traffic management in CDE as per business requirement
  • Installation of perimeter firewalls between wireless networks and CDE
  • No use of insecure services (Telnet, FTP, HTTP, etc.)
  • Implementation of anti-spoofing, stateful inspection, NAT
  • Personal firewall software installation for laptops used to access CDE network and also having direct connectivity to the internet
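As an added illustration (not part of the original article), the semi-annual rule set review can be partly automated. The sketch below checks a constructed rule set for the problems listed above: insecure services, traffic that reaches the CDE without passing through the DMZ, and permit rules with no business scope. The "action source destination port" layout, the zone names and the function names are hypothetical, not any vendor's syntax.

```python
# Services the requirement list names as insecure, keyed by their default TCP port.
INSECURE_SERVICES = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed rule set in a simplified "action source destination port" layout
# (hypothetical format for illustration, not any vendor's syntax).
SAMPLE_RULESET = """\
# rules 1-5, evaluated top to bottom
permit dmz      cde 443
permit internet cde 443
permit admin    cde 23
permit any      any any
deny   any      any any
"""


def parse_rules(text):
    """Yield (rule_number, action, source, destination, port) for each non-comment line."""
    number = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number += 1
        action, source, destination, port = line.split()
        yield number, action, source, destination, port


def review_ruleset(text, cde="cde", untrusted=("internet",)):
    """Return (rule_number, finding) pairs for permit rules that need justification or removal."""
    findings = []
    for number, action, source, destination, port in parse_rules(text):
        if action != "permit":
            continue
        if source == "any" and destination == "any" and port == "any":
            findings.append((number, "permit any/any/any has no business scope"))
            continue
        if destination == cde and source in untrusted:
            findings.append((number, f"{source} reaches CDE directly instead of the DMZ"))
        if port.isdigit() and int(port) in INSECURE_SERVICES:
            findings.append((number, f"insecure service {INSECURE_SERVICES[int(port)]} permitted"))
    return findings
```

Each finding is a prompt for the reviewer to locate the documented business justification for the rule or to remove it.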

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

  • Documentation of all system components hardening standards consistent with industry-accepted system hardening standards.
  • Wireless AP secure configuration
  • Non-console administrative access encryption
  • Removal of all unnecessary functionality of system component
  • One Primary function running per server / virtual system

Requirement 3: Protect stored cardholder data

  • Identification of cardholder data (PAN) locations
  • Cardholder data retention period verification on a quarterly basis
  • No storage of sensitive authentication data (except for Issuer with valid business justification and security controls)
  • PAN masking at the display (application screens, logs, files/reports, etc.) unless valid business justification
  • Cardholder data (PAN) encryption (files, database, backup tapes, etc.): file or column level encryption or Disk encryption
  • Strong Encryption key management
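The first and fourth items above, identifying PAN locations and masking PAN at display, lend themselves to a small scanner. The following is an added example, not part of the original article: it finds candidate card numbers in log lines, confirms them with the Luhn checksum, and masks them so that at most the first six and last four digits remain, which is the maximum PCI DSS 3.2.1 requirement 3.3 allows to be displayed. The function names and sample log lines are constructed for illustration.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits; everything between is starred out."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return (masked_line, findings), where findings lists the masked PANs found in the line."""
    findings = []

    def _replace(match):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()          # not a card number: leave untouched
        masked = mask_pan(digits)
        findings.append(masked)
        return masked

    return PAN_CANDIDATE.sub(_replace, line), findings


def scan_log(lines):
    """Return (line_number, masked_line) for each line in which a PAN was found."""
    scanned = ((n, *scan_line(line)) for n, line in enumerate(lines, 1))
    return [(n, masked) for n, masked, found in scanned if found]


# Constructed sample log lines; 4111111111111111 is a well-known test number, not a real card.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 INFO payment ok pan=4111111111111111 amount=12.50",
    "2024-01-05 10:02:12 INFO order id=1234567890123456 shipped",
    "2024-01-05 10:02:13 WARN retry card 4111-1111-1111-1111 declined",
]
```

The report contains only masked values, so the scanner's own output does not become another PAN storage location.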

Requirement 4: Encrypt transmission of cardholder data across open public networks

  • Strong cryptography for open/public channel communication (Internet, GSM, Wireless, GPRS)
  • In case of Wireless network used to access CDE, ensure the secure transmission of cardholder data (e.g. use of WPA2 instead of WEP)
  • Internal and external Email communication encryption while sending cardholder information

Requirement 5: Use and regularly update antivirus software programs

  • Antivirus software installation for operating systems commonly affected by malware
  • Antivirus software configuration for automatic updates and periodic scans
  • Generating and retaining Antivirus logs

Requirement 6: Develop and maintain secure systems and applications

  • Patch management for all system components
  • Establishing the process to identify and assign a risk ranking to newly discovered security vulnerabilities.
  • Secure software development as per industry best practices (e.g. OWASP, SANS, etc.)
  • Custom code secure review
  • Change management
  • Separation in production and development/test environment and related duties
  • No use of live PAN in development/test environment
  • Public web application security testing

Requirement 7: Restrict access to cardholder data by business need to know

  • Role-based and need-to-know user access management for CDE
  • Implementation of automated access control on system components
  • Documented approval for user access to the system.
  • Access control systems to have default ‘deny all’

Requirement 8: Assign a unique ID to each person with computer access

  • Assigning unique IDs
  • Remote access Two-factor authentication
  • Control addition, deletion, and modification of user IDs, credentials
  • User password and account management
  • Remove/disable inactive user accounts over 90 days

Requirement 9: Restrict physical access to cardholder data

  • Electronic Badge reader and CCTV implementation for CDE locations
  • Visitor access management for CDE locations
  • Off-site media location security
  • Media movement and inventory management
  • Electronic media and paper destruction

Requirement 10: Track and monitor all access to network resources and cardholder data

  • Audit log configuration for system components in PCI scope
  • Network Time Protocol (NTP) configuration
  • Central audit log storage and one-year log retention
  • File Integrity Monitoring on Log database
  • Daily Audit log review

Requirement 11: Regularly test security systems and processes

  • Quarterly Wireless access point scanning
  • Quarterly internal and external (ASV) vulnerability assessment
  • Annual internal and external penetration test (Network / Application)
  • Bi-Annual Segmentation testing for Service providers
  • IDS/IPS monitor traffic at the perimeter and at key points inside the CDE, rather than all traffic in the CDE.
  • File Integrity Monitoring for critical system files

Requirement 12: Maintain a policy that addresses information security for all personnel.

  • Defining information security policy with PCI controls
  • Annual Risk assessment based on ISO27005/ NIST / OCTAVE guidelines
  • Developing technology usage policies
  • Prohibit copying, moving, or storing of cardholder data onto local hard drives and removable electronic media when accessing such data via remote access technologies.
  • Human resources control (Joining, termination, Background checks, etc.)
  • Implement a formal security awareness program
  • Service Provider PCI compliance
  • Defining Incident response procedure and testing

STEP 2: Understanding Requirements

 

There are various categories of businesses and each one of them has a different set of requirements.

We need to determine our business requirements based on the number of transactions processed by our organization in any year.

  • Level 1: transactions per year greater than 6 million
  • Level 2: transactions per year between 1 million and 6 million
  • Level 3: transactions per year between 20,000 and 1 million
  • Level 4: transactions per year less than 20,000

For small companies: Merchants who fall under levels 2 and 3 need to fill out a self-assessment questionnaire (SAQ) to verify that the organization has implemented the security measures made essential by the PCI DSS. Sometimes level 4 merchants are also recommended to fill out the SAQ. To find out which questionnaire to fill out, ask your payment card vendors or acquiring bank.

A questionnaire corresponding to the PCI Data Security Standard requirements, designed especially for merchants and service providers, can be found on the official PCI SSC website. There is also a guideline that can help you fill out the self-assessment questionnaire.

An attestation of your PCI DSS certification is based on the eligibility and appropriate self-assessment documentation. The attestation of compliance (AOC) is essentially a form that verifies the results of a PCI compliance auditor assessment. An appropriate attestation essentially includes the data that applies to your organization.

For large merchants: Typically at level 1, you need to hire a Payment Card Industry Qualified Security Assessor (PCI QSA) to conduct an audit verifying that your organization meets the security standards. QSAs are specially trained and certified cybersecurity professionals who are deeply knowledgeable about the security standards required for an organization to become PCI certified. Merchants who fall under level 1 of PCI DSS compliance also need to complete an annual Report on Compliance (ROC). The Report on Compliance is completed by the PCI QSA after he or she has completed your annual PCI compliance audit.

STEP 3: Preparation

 

  • Risk Assessment/Audit/Security Assessment: This needs to be performed before starting anything as well as at regular intervals, mostly twice a year. This gives an idea of how things should be done, what the associated risks and their impact are, and whether they can be mitigated or not.
  • Policies and Procedures: The risk assessment will help you develop a well-defined set of policies and procedures that serve as the foundation for a large percentage of the PCI-DSS certification requirements. Policies and procedures need to be designed as per the requirements but they also need to be tailored to business processes and security controls within the organization. Remember, if you focus on good cybersecurity, compliance typically follows.
  • Gap Analysis: After all the background tasks, take a close look at any potential compliance gaps. If you find these gaps, then you need to establish a remediation plan for closing them. Once you have the remediation plan, it is a good idea to have a PCI QSA perform an independent gap analysis as well. This review will be much like a full PCI-DSS assessment but, in reality, more of a “practice run” that will ensure that a missed requirement will not be a hindrance on your way to obtaining the PCI compliance certification.

STEP 4: Complete a Self-Assessment Questionnaire or Hire a PCI QSA

Self-Assessment Questionnaire and Attestation of Compliance (AOC): It is to be filled out by organizations at levels 2, 3 and 4. Think of the SAQ as a self-validation tool to assess security for cardholder data. It includes a set of yes-no questions for each PCI-DSS requirement applicable to your organization. Go through the guidelines on how to fill out a SAQ and then fill it out yourself or obtain the assistance of a certified QSA. Once you’re done with the SAQ, you need to fill out an Attestation of Compliance (AOC). The AOC is essentially a form that attests to the results of a PCI compliance assessment.

Report On Compliance (ROC) and Attestation of Compliance: If you are a Level 1 merchant or service provider, a Report on Compliance (ROC) is the final step on your path to getting the PCI-DSS certification for your organization. The ROC is mandatory only for all level 1 merchants undergoing a PCI-DSS compliance audit. To recap, a level 1 merchant is one who processes over 6 million transactions in a year. Both an AOC and ROC need to be completed by a certified PCI QSA after s/he has completed your annual PCI compliance audit. Think of it as a report card of sorts for your PCI-DSS certification compliance.

NOTE: Level 3 merchants require quarterly external vulnerability scans by an ASV (Approved Scan Vendor). Smaller merchants have an option of doing internal assessment. Large merchants have to hire a PCI certified QSA.

 

There are many best practices to be followed by companies who want to get PCI DSS certified.

The list is:

  • Buy and use only approved PIN entry devices at your point of sale.
  • Buy and use only validated payment software at your POS or website shopping cart.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software; most are unsafe.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or skimming devices.
  • Teach your employees about security and protecting cardholder data.
  • Follow the PCI DSS data security standard


About Author


Satyam Jha
