6 Steps to PCI Assessment Success

Need to achieve and maintain PCI compliance?

Financial information, including cardholder data, is a top target for bad actors. If your company processes payment transactions, operating without strong security measures could be catastrophic. Not only are there regulatory implications, but damage to your reputation and wallet is sure to follow.

According to IBM and the Ponemon Institute, the average data breach cost in 2022 was $4.35 million.

How can you be sure your security is properly implemented? This article will walk you through the steps required to keep your cardholder information secure through PCI compliance.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) is an actionable framework created to ensure a minimum level of technical and operational security for organizations that process, store, or transmit card payments. The goal of PCI-DSS is to prevent theft and fraud when using credit, debit, and cash cards.

PCI-DSS v1.0 was introduced in 2004. As payment fraud was rising, leaders in the payment industry came together to create a set of security standards to help. The founding members of PCI include American Express, Discover Financial Services, JCB International, Mastercard, and Visa.

As of March 31, 2024, v4.0 will be the only recognized version.

Why Should I Become PCI Compliant?

PCI compliance helps protect your customers' data. Implementing PCI requirements reduces the potential for data breaches and adds to the credibility of your business. For organizations that store, process, or transmit payment card data, all major credit card companies require it.

If you choose not to comply, you can be fined, held liable for fraudulent charges, or your business can even have credit card processing privileges revoked. Fines differ based on the merchant agreement you have. From our experience, they can range anywhere from $5,000 - $100,000 per month of non-compliance and $50 - $90 per customer affected by a data breach.

PCI Compliance Levels

Each payment card brand has its own compliance thresholds for merchant levels. PCI has four levels based on the number of payment transactions a company processes annually. Below is an example of how Visa and MasterCard define these merchant levels:

  • Level 1 - more than 6 million annual transactions, or any business that has experienced a data breach
  • Level 2 - between 1 million and 6 million transactions
  • Level 3 - between 20,000 and 1 million transactions
  • Level 4 - fewer than 20,000 transactions

The requirements for Level 1 businesses are more rigorous than those for Levels 2-4. Level 1 businesses are required to have an annual third-party PCI DSS assessment performed by a Qualified Security Assessor (QSA) firm. The business is responsible for remediating any vulnerabilities found during the audit before it can receive a PCI certification.

Businesses that fall into Levels 2-4 are required to complete a PCI Self Assessment Questionnaire (SAQ) on a yearly basis.

PCI-DSS Requirements

PCI-DSS consists of 12 requirements and 300 sub-requirements. These cover security systems, organizational processes, testing, and policies that help protect payment transaction data. Organizations can reduce the number of controls they must comply with by qualifying for a different SAQ, which can be accomplished by using third parties to handle portions of the payment process.

  1. Install and maintain network security controls - Securing your network with firewalls and appropriate access controls keeps cardholder data protected within your network.
  2. Apply secure configurations to all system components - For example, don’t use default passwords! Reduce your potential attack surface by keeping your systems lean and removing unused software.
  3. Protect stored account data - Don’t store data unless you have a business need to do so. When data must be stored, use encryption and proper key management processes.
  4. Protect cardholder data with strong cryptography during transmission over open, public networks - Encrypt cardholder data in transit, and use encryption wherever possible.
  5. Protect all systems and networks from malicious software - Use and regularly update antivirus software on all systems that interact with cardholder data.
  6. Develop and maintain secure systems and software - Develop new applications using secure coding and development practices. Use change management and vulnerability scanning on all systems and software.
  7. Restrict access to system components and cardholder data - Follow the “least privilege” mindset for systems and people.
  8. Identify users and authenticate access to system components - Ensure that each person with access has a unique ID that can be traced to every action they take. Use multi-factor authentication (MFA) to strengthen access security.
  9. Restrict physical access to cardholder data - Again, follow “least privilege.” No one who doesn’t need it should have access to physical cardholder data.
  10. Log and monitor all access to system components and cardholder data - Log and monitor all activities. This enables anomaly detection and is essential for forensic analysis.
  11. Test security of systems and networks regularly - Frequently check for new vulnerabilities, as they’re always evolving. Run scans on a regular basis.
  12. Support information security with organizational policies and programs - A robust security policy sets the tone for an organization. Company policies and programs should make clear the importance of protecting sensitive cardholder data.

The PCI Assessment Process in 6 Steps

  1. Scope
  2. Assess
  3. Report
  4. Remediate
  5. Submit
  6. Monitor & Maintain

1. Scope

Determine which level of compliance your company needs to achieve. Doing so ensures you complete the correct documents and engage the proper auditing process and authorities.

The scope of PCI-DSS requirements applies to the cardholder data environment and any components, people, or software that could impact its security. Think of this as anything that has access to, touches, or sees cardholder data or systems that process cardholder data in any way. This includes all IT assets and any associated business processes.

It’s important to have a solid understanding of your environment and the systems that need to be included in your assessment. Keeping the cardholder data environment isolated and condensed reduces the blast radius in the event of a breach and makes the assessment process simpler.

If you’re using a Third Party Service Provider (TPSP), you’ll need to be aware of how they do business and ensure proper agreements are in place. If a TPSP has the ability to affect the security of your cardholder data environment in any way, their compliance will affect your compliance. Therefore, it’s your responsibility to monitor their compliance status.

2. Assess

After you have an inventory of all systems and processes associated with your payment processing, it’s time to assess. Here is where the PCI requirements come into play. All in-scope system components should be examined for compliance with each PCI-DSS control required by their SAQ version.

3. Report

Complete the appropriate Self-Assessment Questionnaire (SAQ). The required documentation will be different depending on the SAQ needed. This report includes all findings, remediation plans, compensating controls, and any requirements that were met using the customized approach.

4. Remediate

If there are any unmet requirements, craft a remediation plan and update your environment accordingly. This can include closing gaps in security controls, fixing vulnerabilities, removing unnecessary data, and improving the security of business processes. You must meet every required control before you can be considered PCI compliant.

5. Submit

Submit the SAQ and any other supporting documentation reports to the requestor, generally the company’s acquiring bank. For service providers, the requestor is usually the payment brand.

6. Monitor & Maintain

Although certification only happens once a year, PCI requires that the controls are properly maintained and managed throughout the year. PCI is an ongoing process and aims to create a culture of security to keep best-practice security controls in place and up to date.

Admittedly, these 12 requirements and 6 steps are highly simplified. If you’d like to take a deeper dive, the PCI Document Library has in-depth documentation breaking down the 300 sub-requirements.

If you need more personalized assistance, let us know! ScaleSec has a proven track record of helping others become PCI compliant, and we can help you too.

The information presented in this article is accurate as of February 14, 2023. Follow the ScaleSec blog for new articles and updates.

About ScaleSec

ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.
