PCI Compliance Certification Process & Requirements Checklist | 21 Things to Know
Materdei Consulting, LLC offers an in-depth PCI compliance certification process & requirements checklist with 21 things that both merchants and service providers need to know regarding the Payment Card Industry Data Security Standards (PCI DSS) mandates. With almost every type of business now required to become PCI DSS compliant, here’s what you need to know:
1. Determine the appropriate merchant and/or service provider level. Ok, so you’ve been politely informed and summoned that you’ll need to become compliant with the Payment Card Industry Data Security Standards (PCI DSS) provisions. Well, welcome to the world’s largest regulatory compliance mandate, one that’s requiring millions of businesses all throughout the globe to become PCI DSS compliant.
It’s probably not the welcome you’re wanting, but that’s business, so the first thing you’ll need to do is determine if you’re a merchant or a service provider, and then determine what “Level” you are in terms of assessing for PCI DSS compliance.
For the purposes of PCI DSS compliance, a MERCHANT is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. Common examples of MERCHANTS are the following: e-commerce sites, restaurants, grocery stores, traditional brick-and-mortar stores (i.e., dry cleaners, etc.).
For the purposes of PCI DSS compliance, a SERVICE PROVIDER is business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This would include businesses that provide services that control or could impact the security of cardholder data. Examples include managed service providers that offer managed network security and other services as well as hosting providers and other entities.
If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
2. Determine which Self-Assessment Questionnaire to use. Thankfully, the vast majority of the millions of North American merchants and service providers can actually self-assess when it comes to the Payment Card Industry Data Security Standards (PCI DSS) mandates. Sure, it’s a time-consuming task, but thank your lucky stars you don’t have to perform the much-dreaded PCI DSS Level 1 onsite assessment via a PCI-QSA; these are often very time-consuming and costly.
But the SAQ’s are not a walk in the park – not at all – as many of them can be incredibly time-consuming and operationally taxing. You may need to reach out to a PCI DSS expert in helping assess and determine which SAQ to actually use, and that’s a service we offer, so contact us today at pci@pcipolicyportal.com. You’ll need to visit pcisecuritystandards.org to obtain all the relevant documentation for PCI DSS compliance, especially the Self-Assessment Questionnaires
3. Download the official Self-Assessment Questionnaires (SAQ) and Attestation of Compliance (AoC) forms from pcisecuritystandards.org. Again, visit pcisecuritystandards.org and download the applicable SAQ documents. What’s nice about the material is the first few pages will give you a series of bullet points for ensuring you meet the stated criteria of being allowed to use the SAQ document.
If you cannot affirm to each of the bullets 100%, then you have the wrong SAQ, which means move on until you find the right one. Often times, the “right” SAQ is SAQ D, the longest and most complex of all the Self-Assessment Questionnaires. The SAQ platforms that you can assess against consist of the following:
Each of the applicable SAQ documents can be instantly downloaded at pcisecuritystandards.org today.
4. Review the applicable SAQ documentation. You’ll need to spend time actually reviewing and reading through the entire SAQ document, from page 1 to the very end, and that’s because it’s the only way to truly understand your reporting requirements. Remember, PCI DSS compliance is about putting in place necessary policies, procedures, and processes, so thinking about each mandate in terms of the three (3) P’s is highly essential, no question about it. You may need to hire an external consultant as the SAQ documents can be complex and challenging at times, so keep this in mind when working through them.
5. Purchase PCI Policies and Procedures from pcipolicyportal.com. Compliance with the Payment Card Industry Data Security Standards (PCI DSS) requires an exhaustive amount of documentation to be in place – specifically, information security and operational specific policies and procedures directly applicable to the PCI DSS standards – and our documentation is directly mapped to each of the twelve (12) PCI requirements, making the creation of all necessary PCI policies and procedures that much easier.
Forget about high-priced consultants, using our templates will save you a tremendous amount of time and money, no question about it. Visit pcipolicyportal.com to learn more about the world’s leading PCI policies and procedures.
6. Get compliant. Okay, sure getting compliant is easier said than done, but it means now’s the time for rolling up those sleeves and incorporating the necessary policies, procedures, and processes into your internal control environment. This means spending time and remediating items that were found during the scoping & readiness assessment, from missing policies and procedures to improperly functioning internal processes. This “can” be a time-consuming task, it all depends on the maturity and overall posture of your current control environment, so get help from PCI DSS experts if you need it.
7. Conduct Vulnerability Scans and Penetration Testing, if Necessary. Depending on what your exact reporting requirements are for the Payment Card Industry Data Security Standards (PCI DSS), you may have to perform vulnerability scanning and penetration testing. If so, you’ll need to not only source out a quality vendor helping set up, establish, and perform such services, you’ll also need to make necessary cultural changes internally for ensuring such scans become a fixture in your I.T. 101 best practices posture. Companies loathe compliance, and understandably so, but it’s the world we all live in, so keep this in mind with PCI.
8. Complete the Attestation of Compliance. Simply known as the “AoC”, the “Attestation of Compliance” is looked upon as the short form document signifying PCI DSS compliance. In an industry that has seen all types of plaques, certification logos and other interesting documents and materials developed showcasing PCI compliance, the only true and credible document for validating PCI compliance is the AoC. There are many pretender documents, so be careful when you start requesting PCI compliance from somebody, and when you undertake your own PCI DSS compliance efforts. The AoC can be downloaded at pcisecuritystandards.org today.
9. Stay compliant. PCI compliance is never one-and-done, it’s a moving target which requires a constant effort by you for staying abreast of your policies, procedures, and processes. Call it “continuous monitoring” – the essential initiatives you need to put in place for continuing to be PCI DSS compliant. You’ll need to assign an internal champion for helping drive this mandate throughout your business, so keep this in mind.
10. Practice what you preach. It’s great if you develop all the necessary policies and procedures for PCI DSS compliance, but just make sure that whatever is in writing is also something you perform on a daily basis. Take a good, hard look at your documentation and ask yourself the following: “Are we as an organization really doing all these things and following these policies?” If not, then you have two (2) big problems.
The first being that you’re really not up to par on your information security and operational best practices, and that’s not good. The second is that you’ll most likely fail an actual PCI DSS audit by a Qualified Security Assessor (QSA) and that’s not good either. Documentation is important for compliance, but it’s more important that you actually follow and adhere to the policies and procedures.
11. Documentation is Essential for PCI Compliance. As just stated, documentation is absolutely critical for PCI DSS compliance. How critical? Let’s just say that information security policies and procedures account for approximately 25% to 40% of becoming compliant! Yes, that much, and it’s why finding a high-quality, well-written set of PCI DSS policy templates is critical – and absolutely essential – for PCI DSS compliance. com has been the world leader in PCI DSS documentation since 2009.
12. Your Policies must be Well-Written and High Quality. There’s two main reasons for this. First, auditors will inspect them to ensure they meet the overall intent and rigor of the actual Payment Card Industry Data Security Standards (PCI DSS). Second, auditors will then test to ensure that the actual policies, procedures, and processes are being followed. Well-written policies that are adhered to by employees will result in a clean bill of health from a PCI-QSA. Therefore, it’s important to spend time authoring high-quality documentation for PCI DSS compliance, no question about it.
13. Sourcing Templates is the Best Avenue to take. Why spend dozens and dozens of hours trying to author your PCI policies from scratch? It’s not needed as pcipolicyportal.com offers world-class policy templates at a fraction-of-the cost of what it would take to write them yourself. Whatever the industry, we offer the very best PCI DSS policy templates found anywhere today. Email us at pci@pcipolicyportal.com to learn more.
14. Security Awareness Documentation is Critical. Training your employees on current and emerging security threats and incidents is essential for not only meeting PCI DSS compliance, but for today’s InfoSec best practices. Think about it, you can spend all the money in the world on next-generation security tools and solutions, but they are meaningless without employees who don’t truly understand security issues. We offer a comprehensive security awareness training program that’s included in every one of our PCI policy packets. Visit pcipolicyportal.com today to learn more about our award-winning policy templates.
15. Risk Assessment Materials are Essential. Performing an annual risk assessment is absolutely critical for today’s growing compliance mandates, especially PCI DSS compliance. But it’s also a best practice that every business should be performing. Think about it, don’t you want to know what risks, threats, and other issues that can impact your organization? Sure, you do, so performing a risk assessment just makes sense.
16. Monitoring Third-Party Providers is Necessary. It’s critically important to monitor any type of external, third-party organization that’s providing essential services that could impact the safety and security of cardholder data. Think Managed Security Services (MSS) providers, data centers, software developers, independent third-party contractors, and others. We offer industry leading documentation – comprehensive, industry leading templates – for helping both merchants and service providers put in place documented policies, procedures, and processes as it relates to third-party entities
Remember, your PCI compliance initiatives often times rely on the services of third-parties, so keep this in mind. Email us at pci@pcipolicyportal.com to learn more.
17. Why choose pcipolicyportal.com documents. That’s easy. We have been the world leader since 2009 in offering the very best, high-quality templates for both merchants and service providers all throughout the world. Thousands of businesses have relied on pcipolicyportal.com and so can you. Need documentation – we are here to help, so visit pcipolicyportal.com today.
18. Continuous Monitoring is Here to Stay. Once you’ve become PCI DSS compliant, you’ve then got to ensure you STAY compliant, an initiative that’s often more time-consuming than the initial compliance achievement itself. The process of staying compliant means you’ll have to employ continuous monitoring initiatives – assessing, testing, and making necessary changes to your policies, procedures, and processes.
As the world leader for PCI DSS compliance, pcipolicyportal.com can help as we offer the very best tools, templates, and checklists for staying PCI DSS compliant. Nobody has an army of compliance officers for keeping you compliant 24/7, so think strategically in how this will work out. We can help! Email us today at pci@pcipolicyortal.com to learn more.
19. Where to Begin? Start at pcisecuritystandards.org in learning about all the relevant mandates for PCI DSS compliance. Additionally, call us anytime for a free consultation on the merits of PCI compliance.
20. What to Expect in the Future for PCI DSS compliance? More changes. More security requirements. More cybersecurity requirements. Welcome to the world of regulatory compliance where PCI DSS is now firmly entrenched into millions of businesses all throughout the world, and it’s not going away!
21. Why Policies and Procedures are so Incredibly Important. At pcipolicyportal.com, we’re often asked what’s the most demanding and time-consuming element of compliance with the Payment Card Industry Data Security Standards (PCI DSS). Surprising to many clients and prospects is what we tell them: Documentation – specifically – developing all necessary information security policies and procedures.
We’ve seen companies spend dozens upon dozens of hour writing policies and procedures, so we knew there had to be a better way – and there is – so use our documentation and save time and money! Whatever the industry or sector you’re in, pcipolicyportal.com has the very best policies, procedures, security awareness training materials, risk assessment documents – and more – for ensuring rapid PCI DSS compliance. Visit pcipolicyportal.com to learn more today.
