How to Test for PCI Compliance

PCI compliance is a complicated matter. There are a number of different steps to meet and validate your achievement of the PCI DSS standard. In this guide, we’ll break down the steps in PCI compliance testing, the different types of PCI compliance tests, and how much it costs to complete this process.

Step 1: Determine your responsibilities

There are four PCI compliance levels, each of which is unique to the card company (e.g., American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) All merchants fall into one of these four levels based on the volume of transactions that they process over a 12-month period (including credit, debit, and prepaid sales).

While each card has its own levels, there’s very little variance between the different requirements. Most merchants fall into one of these four compliance levels:

Level 1: Merchants who process more than 6 million card transactions per year.
Level 2: Merchants who process 1 – 6 million card transactions per year.
Level 3: Merchants who process 20,000 – 1 million card transactions per year.
Level 4: Merchants who process fewer than 20,000 card transactions per year.

These compliance levels determine the requirements which your business needs to meet in order to test successfully. PCI DSS specifies 12 requirements, whether you are a Level 4 business or a Level 1 business, though the specifics for compliance vary based on the level.

Step 2: Perform a self-assessment

The PCI Security Standards Council offers a self-assessment tool designed to assess security for cardholder data. This tool can help you dive into the 12 requirements of PCI DSS compliance and determine where your business may be vulnerable.

There are different self-assessments available to different types of merchants. For instance, an eCommerce business has a different set of questions than a service provider. The test you choose depends on how you accept payment cards.

There are two components to the assessment. The first is a series of questions that correspond to the 12 PCI DSS requirements. This can be accomplished as an internal exercise to see if your business is prepared for further testing. However, it can also be used as the first step toward full PCI compliance.

If you choose to make this self-assessment more official, the second component is an “Attestation of Compliance.” This certifies that you are eligible and have completed the appropriate self-assessment. You can choose to have a Qualified Security Assessor validate your compliance for additional assurance.

Step 3: Review the requirements for each brand

PCI DSS testing may vary slightly for each brand. If you want to understand the specific validation levels and steps, review the guides for each brand listed below.

Again, there’s relatively little variance between the standards for each brand. Most merchants refer to the official PCI DSS Quick Reference Guide to prepare for PCI penetration testing.

Step 4: Perform vulnerability scanning and penetration testing

PCI DSS calls for merchants to “Test security systems on a regular basis” under requirement 11. To meet this requirement, merchants should regularly test protection systems and processes, checking external and internal systems frequently.

Vulnerability scanning and penetration testing are two methods for fulfilling requirement 11. PCI compliance testing benefits from regular vulnerability scans, which are usually wholly automated and provide a report of where a system or platform may be weak. A tool like Nightfall can help scan and maintain the security of your cloud environments, helping merchants meet this requirement.

Penetration testing takes this process a step further and tries to exploit vulnerabilities using manual methods. PCI compliance penetration testing is defined in PCI DSS Requirement 11.3 and applies to both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces). For information on PCI compliance penetration testing, read this guide from the PCI Council.

Step 5: Work with a Qualified Security Assessor

A Qualified Security Assessor is a data security firm that’s been certified by the PCI Council to perform on-site PCI DSS assessments. The PCI Council maintains a list of QSAs on its website.

The QSA will specifically evaluate the following security controls:

Verify all technical information given by the merchant or service provider
Confirm the PCI DSS standard has been met
Provide support and guidance during the compliance process
Be onsite for the assessment as required
Adhere to the PCI Data Security Standard Assessment Procedures
Validate the scope of the assessment
Evaluate compensating controls
Produce the final Report on Compliance

Some businesses may also need to work with another third-party partner, an Approved Scanning Vendor. This partner is a data security firm that uses a scanning solution to determine whether or not the customer meets the external vulnerability scanning requirement, where applicable.

Step 6: Submit your official reporting

Different card brand requirements ask merchants and service providers to submit a Self-Assessment Questionnaire or a Report on Compliance for on-site assessments carried out by QSAs. Most reports are required annually, though some may need to be filed quarterly. The instructions for each assessment will provide you with the information you need to file successfully.

Note that PCI DSS compliance can be time-consuming, but the penalties for not completing these steps are steep. Fines and penalties can range from $5,000 to $100,000 per month; and, if you don’t achieve PCI compliance, not only will these fees start to add up quickly, but you’re at risk of being dropped by your credit card merchant.

Learn how Nightfall can help achieve PCI DSS compliance by setting up a demo at the link below.