Every organization’s cybersecurity needs are different, and the PCI DSS allows for considerable flexibility in achieving compliance. However, there are general stages that apply to all entities looking to achieve and maintain PCI DSS compliance:
- Understanding whether and to what extent PCI DSS applies to your organization
- Identifying gaps between PCI requirements and existing protections
- Implementing security architecture and infrastructure to meet DSS requirements
- Performing readiness assessments to identify and remediate any residual gaps
- Conducting official assessments and producing required reports for certification
- Managing PCI DSS compliance long-term, including annual recertification audits
Stage 1: Preliminary Scoping and Preparation for PCI DSS Compliance
The first stage is reaching an understanding of whether, why, and to what extent the Payment Card Industry Data Security Standard (PCI DSS) requirements apply to your organization.
The PCI DSS is overseen by the PCI’s Security Standards Council (SSC), which is led by the five major credit card providers: Visa, Mastercard, JCB International, American Express, and Discover. The SSC requires most merchants and service providers that collect credit card payments or otherwise process cardholder data (CHD) to comply with the PCI DSS.
To put it simply: if you process CHD, you are probably required to comply with PCI DSS.
However, not all eligible entities have the same requirements for compliance. Each founding member of the SSC has unique standards or “levels” of PCI compliance that it requires, which are typically tied to annual transaction volume across virtual and other channels. For example, Visa’s PCI levels require a stricter audit and more rigorous reporting for any merchants that process over six million transactions per year—see Stage 5 for details on the reports required.
Stage 2: Detailed Gap and Scoping Assessments
Once you understand the overall applicability of PCI controls to your organization, you’ll need to assess all in-scope systems and gauge the extent to which they’re ready for a PCI assessment.
This process requires indexing all hardware, software, networks, and other assets and systems that house CHD or through which it passes. Any tool or digital location in which CHD is stored, transmitted, or processed will be in scope for a PCI assessment. For each one, make a note of the asset and of any protections used on it or applied across it, and index these against the PCI DSS requirements (see Stage 3 for more information on these). Any gaps will need to be addressed.
It’s also critical to note that the broader cardholder data environment (CDE), which includes all systems that are connected to those directly used to process or store CHD, is also in scope.
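The scoping step above amounts to a small classification exercise over the asset inventory: anything that stores, processes, or transmits CHD is in scope, anything directly connected to such a system is in scope as part of the CDE, and each in-scope asset is then checked against the requirements it has evidence for. The following Python example is added here as an illustration and is not code from this article or from RSI Security; the inventory, the asset names, and the BASELINE checklist are all constructed for the example, and which sub-requirements actually apply to a given asset is decided during the assessment, not by this script.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Asset:
    """One entry in the asset inventory built during scoping."""
    name: str
    handles_chd: bool                                    # stores, processes or transmits CHD
    connects_to: set[str] = field(default_factory=set)   # direct network/service connections
    controls: set[int] = field(default_factory=set)      # PCI DSS requirement numbers (1-12) with evidence


# Constructed sample inventory; every asset name here is hypothetical.
INVENTORY = [
    Asset("pos-terminal-01", True,  {"payment-gw"},                 {1, 2, 4, 5}),
    Asset("payment-gw",      True,  {"card-db", "pos-terminal-01"}, {1, 2, 3, 4, 5, 6, 7, 8, 10, 11}),
    Asset("card-db",         True,  {"payment-gw", "backup-srv"},   {1, 2, 3, 7, 8, 10}),
    Asset("backup-srv",      False, {"card-db"},                    {1, 2, 5}),
    Asset("corp-ad",         False, {"hr-portal", "payment-gw"},    {1, 2, 8, 10}),
    Asset("hr-portal",       False, {"corp-ad"},                    {1, 2, 6}),
    Asset("marketing-site",  False, set(),                          {1, 6}),
]

# Constructed checklist of requirement numbers to verify on every in-scope asset.
# This is an illustrative subset, not the standard's own applicability rules.
BASELINE = {1, 2, 5, 8, 10}


def classify_scope(inventory: list[Asset]) -> dict[str, set[str]]:
    """Split the inventory into CDE core, connected-to, and out-of-scope assets.

    Following the text: anything that stores, processes or transmits CHD is in
    scope, and so is any system with a direct connection (in either direction)
    to one of those. Only direct, one-hop connections are counted here.
    """
    by_name = {a.name: a for a in inventory}
    cde = {a.name for a in inventory if a.handles_chd}
    connected: set[str] = set()
    for asset in inventory:
        if asset.name in cde:
            continue
        reaches_cde = bool(asset.connects_to & cde)
        reached_by_cde = any(asset.name in by_name[c].connects_to for c in cde)
        if reaches_cde or reached_by_cde:
            connected.add(asset.name)
    out_of_scope = set(by_name) - cde - connected
    return {"cde": cde, "connected": connected, "out_of_scope": out_of_scope}


def control_gaps(inventory: list[Asset], scope: dict[str, set[str]],
                 required: set[int]) -> dict[str, list[int]]:
    """For every in-scope asset, list checklist requirements it has no evidence for."""
    by_name = {a.name: a for a in inventory}
    in_scope = scope["cde"] | scope["connected"]
    gaps: dict[str, list[int]] = {}
    for name in sorted(in_scope):
        missing = sorted(required - by_name[name].controls)
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    scope = classify_scope(INVENTORY)
    for bucket, names in scope.items():
        print(f"{bucket:13s}: {', '.join(sorted(names)) or '-'}")
    for name, missing in control_gaps(INVENTORY, scope, BASELINE).items():
        print(f"gap  {name}: requirements {missing}")
```

Run as-is, the script puts the POS terminal, payment gateway, and card database in the CDE core, adds the backup server and directory server as connected-to systems, and leaves the HR portal and marketing site out of scope, then lists the checklist requirements each in-scope asset still lacks evidence for. The connected-to bucket that holds no CHD itself is the usual starting point for scope-reduction discussions, since an asset that can be segmented away from the CDE drops out of the assessment.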
This stage is also a great place to take note of any mapping exercises you can conduct. This is a process of augmenting or modifying controls you already have in place for compliance with other frameworks (or for other reasons) to meet the specifications of their PCI counterparts.
Mapping minimizes costly overlap and can ensure seamless long-term compliance across multiple regulatory frameworks simultaneously—see Stage 6 for suggestions to that effect.
Stage 3: Targeted Implementation of PCI Controls
This is the pivotal step in which you’ll need to build, buy, or otherwise acquire protections up to PCI DSS specifications, install them, and prepare yourself for an official PCI DSS assessment.
The core PCI DSS requirements you need to account for break down as follows:
- Requirement 1 – Installing and Maintaining Network Security Controls
- Requirement 2 – Applying Secure Configurations to System Components
- Requirement 3 – Ensuring the Security of Account Data Held in Storage
- Requirement 4 – Encrypting CHD for Transmission over Public Networks
- Requirement 5 – Protecting Systems and Networks Against Malicious Software
- Requirement 6 – Developing and Maintaining Secure Systems and Software
- Requirement 7 – Restricting Access to CHD by Business Need to Know
- Requirement 8 – Identifying Users and Authenticating Access to Systems
- Requirement 9 – Restricting Physical and Proximal Access to CHD
- Requirement 10 – Logging and Monitoring Access to System Components
- Requirement 11 – Testing the Security of Systems and Networks Regularly
- Requirement 12 – Supporting Security with Organizational Policies and Programs
Note that each of these requirements breaks down further into sub-requirements and specifications, which could entail dozens or more new systems and tools to cover.
But, depending on your existing controls, not all of these requirements may require new installations. Mapping from other frameworks may allow for certain protections to cover both a PCI requirement and a requirement from, say, HIPAA, SOC 2, GDPR, or other regulations.
Stage 4: Readiness Assessment and Remediation
This next step is similar to Stage 2, and some organizations may integrate it into Stage 3. However, we recommend dedicating an entirely separate set of processes to assessing controls after implementation. This allows for a more precise evaluation of whether controls meet applicable PCI requirements and how to address any deficiencies.
At this stage, your organization should practice the types of tests necessary for certification.
There are two major kinds of audit that confer PCI DSS compliance, led by the organization itself or by a third party. The former requires filling out a Self-Assessment Questionnaire (SAQ) that details all controls and specifies how they meet PCI DSS requirements. The latter requires working with a vendor vetted by the PCI SSC and conducting a rigorous audit resulting in a Report on Compliance (ROC)—see Stage 5 for more information on who needs which. Both SAQs and ROCs typically need to be accompanied by an Attestation of Compliance (AOC).
Regardless of which audit you need, the controls tested will be the same. The only major difference is that the ROC is a more lengthy, rigorous test involving a qualified third party.
Stage 5: Official Auditing and Documentation
This stage is where you’ll put your implementation to the test and secure compliance with an official assessment. If you qualify for an SAQ, you can complete it on your own. However, working with an advisor can still help make the process as easy as possible. And if you require an ROC or a third-party verified AOC to comply, you’ll need to work with a third party regardless.
The specific reporting you need depends on the governing SSC member. To return to Visa’s PCI levels, mentioned above, here is the breakdown of what you’ll need to comply at each level:
- Level 1 – Merchants with over 6M annual transactions must submit an ROC and AOC.
- Level 2 – Merchants with 1M to 6M annual transactions must submit an ROC and AOC.
- Level 3 – Merchants with 20K to 1M annual transactions submit an SAQ and AOC.
- Level 4 – Merchants with less than 20K annual transactions submit just an SAQ.
For those organizations that need to submit an ROC or AOC, you’ll need to get in contact with a PCI Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV)—like RSI Security.
Stage 6: Ongoing PCI DSS Compliance Management
Compliance with the PCI data security standard is not a one-time effort. Organizations must regularly undergo audits and make necessary adjustments to ensure continued compliance. Most will need to submit an annual AOC alongside either an SAQ or a third-party ROC.
PCI as a service (PCIaaS) makes this process easier with ongoing, continuous assessments over the course of a year rather than cramming a year’s worth of remediation into a few months.
Additionally, mapping and streamlining controls across multiple frameworks is one of the best ways to simplify the management of multiple regulations simultaneously. There are frameworks made specifically for this purpose, such as the HITRUST CSF. HITRUST is a unified cybersecurity framework that incorporates controls and specifications from several widely applicable regulations, including the PCI DSS. It empowers organizations to “assess once, report many” and utilize a single audit for proof of compliance with many regulations.
If your organization is currently straddling multiple industries or business contexts with regulatory requirements, including but not limited to PCI, you should consider implementing HITRUST. Conducting a HITRUST assessment can help streamline your ongoing compliance.
Streamline Your PCI DSS Compliance Today
Ultimately, achieving and maintaining PCI DSS compliance starts with understanding whether and to what extent it applies, along with the various systems and assets it applies to. Then, you’ll need to assess for gaps in your existing control matrix and install or augment your protections to meet PCI specifications. Finally, you’ll prepare for and conduct an official assessment, then repeat the process annually—ideally with continuous maintenance.
RSI Security has helped numerous organizations in planning, achieving, and maintaining PCI DSS compliance. We believe that the right way is the only way to keep CHD safe. We’re committed to helping you accomplish that—rethinking cyberdefense to optimize compliance. To learn more about our PCI DSS and PCIaaS suites, contact RSI Security today!