The PCI SSC created the PCI-DSS to protect credit card data. Merchants, service providers, and organizations that handle credit card data are required to obtain PCI-DSS certification.
To follow the PCI-DSS, you need to do six main steps.
1. Identify the card brands and payment types
Identify the card brands and payment types that your organization accepts, processes, stores, or transmits.
- Identify the number of transactions your organization processes each year.
- Identify the type of network infrastructure you have in place.
- Identify the type of cardholder data you handle.
2. Review the PCI-DSS requirements
Review the PCI-DSS requirements and make sure your organization is compliant. The PCI-DSS requirements are divided into six categories:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
3. Self-assess your organization’s compliance
Conduct a self-assessment of your organisation’s PCI-DSS compliance. Use the Self-Assessment Questionnaires (SAQs) provided by PCI SSC.
4. Engage a Qualified Security Assessor (QSA)
If necessary, you may engage a Qualified Security Assessor (QSA) to assess PCI-DSS compliance. If your organisation processes more than 6 million transactions per year or if your acquiring bank requires it, you need to engage a QSA to perform an onsite PCI-DSS compliance assessment.
5. Submit a Report on Compliance (ROC)
Submit a Report on Compliance (ROC) to your acquiring bank or payment brand. The ROC is a report that details your organization’s compliance with the PCI-DSS requirements. If you have engaged a QSA to conduct an on-site assessment, the QSA will prepare the ROC on your behalf.
6. Maintain compliance with the PCI-DSS requirements
A company needs to maintain PCI-DSS Compliance at all times and to confirm it on an annual basis. This may include conducting regular self-assessments, engaging a QSA to conduct an on-site assessment, and submitting a ROC to your acquiring bank or payment brand on a regular basis.