How to Become PCI DSS Certified

The short answer to the question of achieving PCI DSS certification is: you can’t.

There is no certificate attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance. There is, however, a way your organization can stand apart as being especially committed to credit card security.

Instead of submitting the self-assessment questionnaire (SAQ) and Attestation of Compliance to your acquiring bank, you may choose to pass an on-site audit by a PCI Security Standards Council-certified Qualified Security Assessor (QSA) or your own Internal Security Assessor, and have them file a Report on Compliance (ROC).

The difference between these two alternatives is vast. With an SAQ and AOC, your enterprise is assessing itself. An ROC, however, attests that a qualified professional auditor has thoroughly examined your cardholder data environment (CDE) and, if necessary, your entire network and all your systems. The ROC will indicate whether the auditor found your organization to be PCI DSS compliant.

 

ROC vs. AOC: Which Do You Need?

The PCI Security Standards Council (PCI SSC), a consortium of five major credit card brands (Visa, Mastercard, American Express, Discover, and JCB) created PCI DSS to govern the security of payment card and cardholder data. The framework comprises 12 requirements and 281 directives that spell out precisely what merchants and service providers that accept, process, store, or transmit credit or debit card data must do to comply.

But security risks differ from enterprise to enterprise. Large entities that process millions of card transactions per year face a much greater chance of data breach than mom-and-pop shops. Recognizing this difference, the PCI SSC established four compliance levels for merchants and two for service providers.

In both categories, only those qualifying as Level One must pass an on-site audit and submit a Report on Compliance. Those in Levels 2, 3, and 4 may self-assess and submit an Attestation of Compliance.

Which level your organization qualifies for depends partly on the number of transactions processed, and partly on which payment cards you accept. Each credit card company defines the compliance levels slightly differently.

Generally speaking, if you’re a merchant processing more than 1 million transactions e-commerce and in-store per year, you may be considered Level 1. If you’re a service provider handling the credit card data of more than 300,000 cards per year, you qualify in all instances as Level 1.

If your enterprise has experienced a data breach that resulted in the compromise of credit card or cardholder data, however, you must meet Level 1 requirements no matter what your organization’s size.

 

Why Should You Choose an ROC? 

An ROC will almost certainly be more costly to procure than an AOC, especially if you need to hire a QSA to audit your systems and networks. The price varies depending on several factors including the size of your organization and how many IP addresses it maintains.

But the larger your enterprise, the more likely your acquiring bank will be to require you to meet Level 1 requirements. Even if it doesn’t, however, you might still want to pursue an ROC to outshine your competitors. It isn’t certification, per se, but it’s the PCI DSS equivalent of getting certified.

Admittedly, the price of an audit—as much as $50,000 for larger entities—can be prohibitive, especially if you’re using old-fashioned, clunky spreadsheets to track your organization’s PCI DSS compliance efforts and trying to gather documentation from a variety of sources.

 

Cheaper, easier PCI compliance 

There are things you can do to reduce those costs. Our handy PCI audit ebook provides tips for streamlining your PCI DSS compliance efforts to make the job much easier for the SAQ or internal assessor, and much more cost effective for you.

But the number-one way to sail through a PCI DSS audit with ease is to ditch your spreadsheets. A quality governance, risk and compliance tool can make PCI compliance a snap. What’s not to like?

ZenGRC provides PCI DSS compliance assistance to some of the world’s leading companies. Our fast and easy deployment, “single source of truth” dashboards, vendor monitoring, document collection and storage, in-a-click internal audits and other features will take you all the way to PCI DSS compliance and keep you there, year after year.

Your PCI DSS success assured, you’ll be free to relax and focus on the task at hand: keeping your customers and clients happy, and growing your profits. Worry-free compliance is the Zen way. Why not contact a Reciprocity specialist today?