The PCI DSS certification process in 4+1 steps

The PCI Council is responsible for managing security standards, while enforcement of compliance with PCI Security Standards is imposed by credit card companies. The specifications apply to all organizations that store, process, or transmit credit card data. These specifications also apply to software developers and manufacturers of applications and devices used in such transactions.

If you are a merchant who accepts credit cards, you are required to comply with the PCI Data Security Standard. You can learn your exact compliance requirements by booking an appointment with our specialized consultant. The creators of the standard divide those subject to certification into three categories, based on which the final specifications, and therefore the process, are determined.

How much does PCI DSS certification cost?

To find out which type of certification your business belongs to and how much it costs, simply use the online SAQ selection tool.
01 ENVIRONMENT IDENTIFICATION

The most important step in the PCI process is understanding and defining the in-scope environment (every system that stores, processes or transmits cardholder data, or is connected to one that does) and then minimizing it (scope reduction). This is the most critical stage, because it determines which requirements apply to you. Failure to complete this step properly may render your certification invalid.
02 GAP ASSESSMENT

During this step, compliance with each PCI DSS requirement applicable to your business is checked. In addition, the completeness and correctness of the security policies of the organization to be certified are verified. The gap assessment determines the actions that must be taken for the business to fully comply with the PCI standard.
03 ON-SITE AUDIT

Merchants who process more than 6,000,000 credit card transactions annually, as well as service providers who process more than 300,000 transactions, are required to undergo annual on-site audits by Qualified Security Assessors (QSAs) to validate their compliance. This step is also required for Payment Service Providers and for businesses that have suffered a cardholder data breach, regardless of their transaction volume.
04 ASV SCANS / PENETRATION TESTING

This is perhaps the best-known stage of the entire process, mainly because many businesses are misled, usually by their IT partners (programmers, system administrators, etc.), into believing that completing this stage alone means compliance with the standard. At this stage, Approved Scanning Vendors (ASVs) perform external scans of the organization's network perimeter to identify technical security gaps. Depending on the type of certification, the business may also need to perform penetration testing and a risk assessment, either with a partner of its choice or with internal resources.
05 PCI DSS CERTIFICATION

Once all the above steps have been successfully completed, Innotech will issue you the necessary AOC (Attestation of Compliance) or ROC (Report on Compliance), depending on your certification level.