July 3, 2025

PCI DSS Compliance & Certification Explained: Complete Guide to Costs and Requirements

Securing your payment infrastructure is a crucial factor to enabling trust and convenience for your customers. This is why getting compliant with the Payment Card Industry Data Security Standard (PCI DSS) is crucial.

Preparing for a PCI DSS audit might seem intimidating, but breaking the audit process down into clear, actionable steps turns a daunting task into a series of manageable projects, and that is the key to navigating a PCI DSS audit successfully.

This comprehensive guide explains every step of the process, from the initial scope assessment and gap analysis to remediation efforts, Qualified Security Assessor (QSA) assessments, penetration testing, and ongoing compliance monitoring.

What is PCI DSS?

PCI DSS is a global standard for protecting payment card information. It serves as a complete framework to secure cardholder data.

PCI DSS compliance is a contractual requirement for businesses that process, store, or transmit payment card data. Compliance involves adhering to security requirements, including encryption, secure storage, access control, and regular security testing.

PCI DSS has 12 key requirements grouped into six control objectives:

  1. Build and maintain a secure network and systems.
  2. Protect cardholder data.
  3. Maintain a vulnerability management program.
  4. Implement strong access control measures.
  5. Regularly monitor and test networks.
  6. Maintain an information security policy. 

Companies that don't meet PCI DSS requirements are at risk of a breach, which could mean that a business might lose its ability to process credit card transactions or be liable to pay higher processing fees. They might also lose sales and damage their reputation.

Can you get PCI DSS certified? What does the PCI SSC say about this?

You can’t get “PCI DSS certified”, although many sources on the internet say so.

The term "PCI DSS certification" is commonly used in the industry, but the PCI Security Standards Council (PCI SSC) does not issue any formal certification for companies that demonstrate compliance with PCI DSS. The PCI SSC only sets compliance standards and proposes assessment methods, such as the Self-Assessment Questionnaire (SAQ) and Report on Compliance (ROC), for organizations to validate their compliance with PCI DSS standards.

The Attestation of Compliance (AOC) is the only official document that confirms PCI compliance. But do note that this is still not a certification issued by the PCI SSC.

While the PCI SSC offers templates to create the AOC, the document is prepared by a Qualified Security Assessor (QSA) for Level 1 entities (more on this in the next section) if the merchant passes the audit requirements. For lower-level entities, the organization itself completes the AOC form, and it's typically signed by a company executive rather than a QSA.

Steps to get PCI DSS compliant

Follow these steps to become PCI DSS compliant and protect your payment systems. We have outlined each essential stage—from evaluating your current setup to ensuring ongoing compliance—so you can confidently safeguard sensitive card data.

Step 1: Understand PCI DSS requirements

Begin by reviewing the 12 core PCI DSS requirements, organized under six key goals designed to protect every aspect of cardholder data.

  • Familiarize yourself with each of the 12 requirements.
  • Understand how these requirements fit into six key goals.
  • Regularly review updates to these requirements to ensure your compliance strategy remains current.

Step 2: Determine your compliance level

Assess your annual transaction volume to classify your business:

  • Level 1: Over 6 million transactions.
  • Level 2: 1 to 6 million transactions.
  • Level 3: 20,000 to 1 million transactions.
  • Level 4: Fewer than 20,000 transactions.

Do note that companies processing fewer than 6 million transactions can still be classified as Level 1, either because of a history of data breaches or because the nature of the business makes it highly susceptible to fraud and data breaches.

This classification dictates your specific validation requirements—Level 1 typically requires an external QSA audit and an annual Report on Compliance (ROC), while Levels 2–4 often involve completing a Self-Assessment Questionnaire (SAQ).

Step 3: Complete an SAQ

The SAQ is a crucial step in the PCI compliance process for most merchants, except those classified as Level 1.

  • For non-Level 1 merchants, fill out the SAQ—a straightforward, yes-or-no questionnaire that evaluates your current compliance status.
  • Choose the appropriate SAQ variant (e.g., SAQ A, B, C, C-VT, P2PE, or D) based on how you process payments.
  • Update your SAQ as needed to reflect any changes in your payment processing methods or business operations.

Step 4: Conduct a gap analysis

A gap analysis provides a comprehensive view of your current security posture compared to PCI DSS requirements.

  • Compare your existing security measures against each PCI DSS requirement to identify any vulnerabilities or missing controls.
  • Document discrepancies and create a detailed report outlining the necessary steps to close each identified gap.
  • Consider engaging a PCI QSA or using automation tools to perform a thorough gap analysis efficiently, ensuring no critical areas are overlooked.

Step 5: Remediate security gaps

Once these gaps are identified, the next step is to address them systematically.

  • Develop a comprehensive remediation plan that outlines the following:
    • The specific fixes needed for each gap.
    • Realistic timelines and task priorities based on risk and complexity.
    • Allocation of necessary resources (personnel and budget).
  • Regularly review and update the remediation plan as you address vulnerabilities, ensuring continuous improvement of your security posture.

Step 6: Implement required security controls

This step involves deploying specific technical measures to protect cardholder data.

  • Deploy robust security controls to protect cardholder data by:
    • Installing and configuring firewalls and enforcing strong encryption (e.g., TLS for data in transit, AES-256 for data at rest).
    • Keeping antivirus software updated.
    • Establishing strict access controls with the principle of least privilege and multi-factor authentication.
  • Work with your IT and security teams—or leverage guided sessions from trusted providers—to integrate these controls seamlessly with your existing systems.
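The bullet above names AES-256 for cardholder data at rest as one of the required controls. The following is an added example, not code from the original post or from Scrut, showing how a senior engineer would implement that control for a stored primary account number: AES-256 in GCM mode with a fresh random nonce per record, the record identifier bound as additional authenticated data so a ciphertext copied to another record fails to decrypt, and decryption that refuses tampered or truncated blobs. The key, the record identifier and the test card number are constructed values; in a real deployment the key would come from a key-management service or HSM, never from source code. Go is used because its standard library provides AES-GCM without third-party dependencies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// sampleKey is a constructed 32-byte (AES-256) data-encryption key for the
// example only. Production keys must be generated and held by a KMS or HSM.
var sampleKey = sha256.Sum256([]byte("constructed-demo-key-do-not-use"))

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN renders a primary account number unreadable at rest.
// Output layout is nonce || ciphertext || GCM tag. The record identifier is
// passed as additional authenticated data (AAD): it is not encrypted, but the
// tag covers it, so the blob only decrypts for the record it was created for.
func EncryptPAN(key [32]byte, recordID, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// GCM nonces must never repeat under one key; a random 96-bit nonce per
	// record is the standard-library default size.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptPAN reverses EncryptPAN. Any modification of the nonce, ciphertext,
// tag or record identifier makes gcm.Open fail, and a truncated blob is
// rejected before any cryptographic work is attempted.
func DecryptPAN(key [32]byte, recordID string, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, sealed, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("decrypt record %s: %w", recordID, err)
	}
	return string(plain), nil
}

func main() {
	// Constructed inputs: a well-known test card number and a made-up record id.
	const recordID = "txn-000001"
	const pan = "4111111111111111"

	blob, err := EncryptPAN(sampleKey, recordID, pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob:", hex.EncodeToString(blob))

	got, err := DecryptPAN(sampleKey, recordID, blob)
	fmt.Println("decrypted for correct record:", got, err)

	// The same blob attached to a different record must not decrypt.
	_, err = DecryptPAN(sampleKey, "txn-000002", blob)
	fmt.Println("decrypted for wrong record:", err)
}
```

The AAD binding is the detail most often missed: encrypting each field correctly still leaves a database where an attacker with write access could swap encrypted PANs between rows, and tying the ciphertext to its record identifier closes that gap at no extra cost.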

Step 7: Perform internal vulnerability scans

Regular internal scans help identify and address potential vulnerabilities.

  • Schedule quarterly internal (and external) vulnerability scans using PCI Security Standards Council (PCI SSC) approved scanning tools.
  • External vulnerability scans must be conducted by an Approved Scanning Vendor (ASV), not just any tool.
  • Engage qualified personnel or reputable service providers to conduct these scans, documenting any high-risk issues found.
  • Follow up with additional scans after remediation to ensure that all vulnerabilities have been effectively addressed.

Step 8: Engage a QSA

For Level 1 merchants, working with a QSA is mandatory for compliance validation.

  • Engage a QSA to perform an onsite evaluation of your security systems.
  • Prepare all necessary documentation, including data flow diagrams, risk assessments, and gap analysis reports.
  • Collaborate closely with the QSA to verify that your security measures meet all PCI DSS requirements and receive actionable recommendations for further improvement.

Step 9: Complete the Attestation of Compliance (AoC)

The AoC confirms the implementation of required security measures.

Fill out the AoC accurately as your formal declaration that your organization meets all PCI DSS requirements.

  • For Level 1 merchants, the QSA typically completes this document; for other levels, you can self-attest.
  • Ensure every section of the AoC is thoroughly reviewed and correctly completed before finalizing it.

Step 10: Submit compliance documentation to the acquiring banks

After achieving compliance, documentation must be submitted to the relevant parties.

  • Compile all required documents, including your SAQ (or ROC for larger merchants) and the AoC.
  • Follow your acquiring bank’s specific submission guidelines and timelines to ensure timely and proper delivery.
  • Confirm receipt of your documentation through the designated digital platform or submission method provided by your financial partner.

Step 11: Maintain continuous compliance

PCI compliance is an ongoing process, not a one-time achievement.

  • Establish ongoing monitoring systems that regularly test your security controls and verify that all measures remain effective.
  • Schedule periodic vulnerability assessments and apply security patches promptly to stay ahead of emerging threats.
  • Provide regular staff training on evolving security best practices and review your security policies routinely, recognizing that PCI DSS compliance is an ongoing commitment rather than a one-time event.

By following these detailed steps, you'll build a PCI DSS compliance strategy that not only meets regulatory requirements but also protects your sensitive payment data and upholds customer trust.

How much does PCI DSS compliance cost?

Business Type                    Compliance Route            Estimated Cost Range
Small Business (Level 4)         SAQ (Self-Assessment)       $1,000 – $10,000 annually
Mid-Sized Business (Level 2-3)   SAQ + Penetration Testing   $10,000 – $50,000 annually
Large Enterprise (Level 1)       ROC (Full Audit)            $50,000 – $250,000+ annually

PCI DSS compliance costs can vary greatly based on several factors. Large enterprises that process millions of transactions annually spend $50,000 to $200,000 on a Report on Compliance (ROC). Smaller businesses pay between $5,000 and $20,000 for Self-Assessment Questionnaires.

The amount you pay depends on your compliance level. Level 1 merchants who process over 6 million transactions yearly must meet the strictest requirements. Level 4 merchants with fewer than 20,000 transactions have easier validation procedures.

Here's what the specific requirements cost:

  • Vulnerability scans: $100-$200 per IP address annually. 
  • Penetration testing: $3,000-$30,000 depending on complexity. 
  • Employee security training: $20-$30 per employee per session. 
  • Network security implementation: $2,000-$20,000 annually.
  • QSA audits (for Level 1): $15,000-$70,000. 

Organizations with strong security cultures spend less on assessments because their systems already match PCI DSS requirements. Industry experts say small-to-medium businesses might spend hundreds of thousands of dollars annually on full implementation.

Non-compliance costs are nowhere near what you'd pay to get compliant. Companies face fees of $5,000 to $100,000 per month until they fix their problems. Data breaches can lead to forensic investigations and remediation costs of up to $500,000, plus card brand penalties. Higher processing fees and possible loss of merchant accounts add to the financial strain.

Automated compliance processes can help organizations cut operational costs and improve their security stance. The original investment pays off by preventing data breaches and avoiding non-compliance penalties.

How do you demonstrate PCI DSS compliance to your customers?

Effectively demonstrating PCI DSS compliance to your customers involves providing clear, comprehensive documentation and utilizing intuitive dashboards that showcase your compliance status. Key components include:

  • Audit Reports: Detailed assessments conducted by QSAs that validate your adherence to PCI DSS standards.
  • Compliance Attestations: Acquiring an Attestation of Compliance (AoC), which is a formal declaration confirming your organization's compliance with PCI DSS requirements.
  • Security Policies and Procedures: Comprehensive documentation outlining the measures and protocols implemented to protect cardholder data.
  • Real-Time Compliance Dashboards: Interactive platforms that provide up-to-date insights into your security posture, facilitating transparency and trust with stakeholders.

Scrut Trust Vault is a centralized, public-facing repository that displays evidence of certifications to build trust with stakeholders. It streamlines this process by offering:

  • Website Integration: Seamlessly integrates with your website, allowing you to showcase evidence for compliance with frameworks like ISO 27001, SOC 2, PCI DSS, and HIPAA. This helps demonstrate your commitment to information security.
  • Compliance Reports: Displays all relevant certifications, attestations, and reports in one place, enabling customers and partners to request documents such as SOC 2, ISO 27001, HIPAA, and PCI DSS from a single location.
  • NDA-backed Gated Access: Restricts access to detailed reports through NDA-backed gated access, ensuring sensitive information is shared securely with authorized parties.
  • Real-Time Compliance Monitoring: Provides a real-time view into your organization's security posture, showcasing continuous compliance and reinforcing trust with stakeholders.
  • Customizable Branding: Allows customization to match your brand's visual identity, including your logo, description, key points of contact, and security controls, ensuring a consistent and professional presentation.

By leveraging Trust Vault, you not only demonstrate PCI DSS compliance effectively, but also enhance customer confidence through transparent and proactive security management.

Ready to simplify PCI DSS compliance and secure your business? Connect with Scrut and get started today.
