What you need to know about preparing for, achieving, and maintaining PCI compliance certification
You know you have a great idea and an amazing product that you and your investors can’t wait to share with the world. But then along comes compliance: If you’re a fintech company, PCI compliance certification, specifically. And while the phrase “PCI compliance” may not be music to the ears of an innovator, its tune will keep your future customers’ information safe and save you time — and possibly money — in the long run.
In this article, we’ll cover PCI DSS 3.2 compliance (the latest mandated compliance standard), go over the required steps, how much it costs, and ways to make the process easier through security automation.
What Is PCI DSS 3.2 and PCI Compliance?
PCI DSS 3.2 is the most recent required version of Payment Card Industry Security Standards — a set of technical and operational requirements to protect credit card data. (PCI DSS 4.0 is available, and we’ll cover it in more detail later, but compliance with that version is not mandatory until spring 2025.)
PCI compliance is required by major credit card companies for any entity that collects, transmits, stores, or manages credit, debit, or pre-paid debit card information. That means all businesses, from the corner store in your neighborhood to the latest fintech startup, are subject to PCI compliance if they want to process credit cards issued by the major providers. PCI standards are developed and managed by PCI Security Standards Council, a global forum of payment industry professionals.
Need to brush up on the basics of PCI Compliance? Check out The Complete Guide to PCI Compliance.
What Are the Steps for Achieving PCI Compliance Certification?
Step 1: Get to Know the 12 PCI Compliance Certification Requirements
PCI compliance certification, including PCI DSS 3.2, has 12 requirements grouped by different compliance goals, with about 125 sub-requirements. Here is a summary of the 12 main requirements organized by compliance goal:
Secure Network
- Install and maintain a firewall to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Cardholder Data Protection
- Protect stored data.
- Encrypt transmission of cardholder data across open, public networks.
Vulnerability Management
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
Access Control
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
Network Monitoring and Testing
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Information Security Policy
- Maintain a policy that addresses information security.
Your solution will need to meet all the requirements in order to earn PCI compliance certification. A more in-depth list of these requirements can be found on the PCI SSC website.
PCI compliance is complex, but there are ways to make the process easier with built-in security features. Let our free checklist walk you through each of the 12 requirements:
Step 2: Figure Out Your PCI Compliance Level
There are four PCI compliance levels. Your level, which depends on the volume of credit, debit, or prepaid debit card transactions you process per year, will determine your process for earning PCI compliance certification.
- Level 1: Organizations that process more than 6 million transactions of Visa or Mastercard per year; or more than 2.5 million American Express transactions per year; or had a data breach; or were deemed “Level 1” by a major credit card issuer.
- Level 2: Organizations that process between 1 million and 6 million card transactions per year.
- Level 3: Organizations that process 20,000 to 1 million card transactions per year online; organizations that process fewer than 1 million card transactions total per year.
- Level 4: Organizations that process fewer than 20,000 online transactions annually; or organizations that process up to 1 million total transactions per year.
If you’re not sure which level your business falls into, ask your bank or payment processing company.
Step 3: Prepare for PCI Certification
Before you can start completing the various forms and assessments required for your level, go through the 12 steps and ensure your systems are meeting requirements. Here are a few ways to do that.
Run a Risk Assessment
Conduct an in-depth security audit of your current systems and processes. You’ll need to know about any vulnerabilities in your environment before beginning the formal certification process.
Work Through Any Remediation Plans
Once you’ve done a risk assessment, you’ll need to come up with and execute any fixes for areas that don’t meet one of the 12 PCI compliance certification requirements.
Conduct a Gap Analysis
When the remediation process is completed, run a gap analysis to test for any further security threats and issues that cannot be immediately resolved and may have to be worked through during the compliance process.
Develop and Refine Your Policies and Procedures
Get your documentation in order for the certification process. Make sure that you’re capturing all policies and procedures relating to credit card information and security, as well as any changes you’ve made as a result of the remediation process.
Step 4: Assessment
You’re ready for your PCI DSS 3.2 compliance assessment process. As mentioned in Step 2, the required documentation will vary depending on your level of compliance.
Here are the different processes for staying compliant based on your level:
| Level 1 | Annual audit performed by a PCI Qualified Security Assessor Annual Report on Compliance (ROC)Quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)Complete Attestation of Compliance (AOC) form |
| Level 2 | Self-Assessment Questionnaire Quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)Complete Attestation of Compliance (AOC) form |
| Level 3 | Self-Assessment Questionnaire Quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)Complete Attestation of Compliance (AOC) form |
| Level 4 | Self-Assessment Questionnaire (not required, but recommended)Quarterly network scans via PCI Approved Scanning Vendor (PCI ASV)Complete Attestation of Compliance (AOC) form |
Let’s go through what these requirements mean.
Requirements for Level 1 Companies
Audit with a PCI Qualified Security Assessor
Level 1 companies need to go through an audit process with a PCI Qualified Security Assessor. PCI QSAs are trained and licensed by the PCI DSS and will do a thorough, technical, configuration-level assessment of your security systems. The timeline may vary widely, from a year to a couple of weeks, depending on how prepared you are and whether or not this is your first assessment. The audit process needs to be repeated every year.
Report on Compliance
An ROC is issued by the PCI QSA at the end of the audit for Level 1 companies. It will contain the details of the audit and is sent to your bank or another financial institution that helps you process payments. After reviewing, the bank will then pass on the ROC for verification to the payment brands.
Requirements for Level 2, 3, and 4 Companies
Self-Assessment Questionnaire
A SAQ is required for Level 2 and 3 companies and is optional for Level 4. There are nine different types of SAQs for different security environments. Your team will go through the self-assessment to attest you are meeting requirements. Most SAQs consist of yes or no questions. If you answer “No” on any of the questions you will need to provide a remediation plan and timeline.
Requirements for All Levels
Attestation of Compliance (AOC) Form
An AOC is required for all compliance levels. A PCI QSA will fill out and sign the form after an audit (for Level 1 companies) or after reviewing a SAQ (for all other levels). You can use the AOC form as proof of compliance.
Quarterly Network Scans
You will need to perform a quarterly scan with a PCI Approved Scanning Vendor to monitor for any new or previously undetected vulnerabilities. A full list of PCI-approved vendors can be found on the council’s website.
The road to PCI compliance certification has many twists and turns, and there is no single document or stamp of approval that will cement your compliance. Instead, it is a fluid and continuous process achieved through annual audits/SAQs and quarterly scans.
PCI DSS 4.0: Here’s What to Expect
PCI DSS 4.0 was released in March 2022, but compliance is not required until 2025. Some changes include a more stringent approach to mutli-factor authentication, new password requirements, protections against e-commerce-related phishing, and requirements for matching information on the ROC/SAQ and the AOC form. You can review the changes in full here.
DuploCloud and PCI Compliance
PCI DSS compliance certification is a necessary part of doing business, but it doesn’t have to be a massive time sink. DuploCloud’s platform auto-generates PCI DSS controls, which means the compliance process begins as soon as you start working in the DuploCloud DevSecOps platform. We’ll even give you a sample auditor and customer-facing documentation that you can customize to your PCI-DSS policies — that’s hours spent not making PDFs. Learn more about how DuploCloud can help you save time on PCI compliance.
