PCI DSS Compliance Process and Requirements

PCI 3DS 驗證 3 步驟_Max
Share on social media

This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.

PCI DSS Standards

The Payment Card Industry Data Standards (referred to as PCI DSS), is a global industry standard set up by the major international credit card organisations pertaining to the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or Store, Process and Transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the Security Standards.

The PCI DSS is created and managed by the PCI SSC (Payment Industry Security Standards Council and her members consist of VISA Inc., MasterCard, JCB, American Express and Discover.

PCI DSS Compliance Levels

The way to obtain the PCI DSS compliance status is usually via a PCI DSS Assessment. Both Merchants and Service Providers have different levels, which can be seen below (using the regulations provided by VISA)

  • Merchant Levels
LevelRequired Security Certification/Scans Required Personal/Items
1
Over 6M transactions per year
On-site PCI DSS audit every year and ASV Network Scan every quarterQualified Security Assessor Internal Audit Report Authorized Scanning Vendor
2
Over 1M transactions per year
Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
3
Over 200K transactions per year
Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
4
Less than 20K transactions per year
Complete Self Assessment Questionnaire (SAQ) each year and ASV Network Scan every quarterMerchant
Approved Scan Vendor
  • Service Provider Levels
LevelRequired Certification/ScansRequired Personal/Items
1
Over 300,000 transactions a year
Onsite PCI DSS audit every year and ASV network scan every quarterQualified Security Assessor Internal Audit Report Authorized Scanning Vendor
2
Below 300,000 transactions a year
Complete Self Assessment Questionnaire D (SAQ D) every year and perform ASV network scan every quarterMerchant
Approved Scan Vendor

When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.

Merchants Level 2-4 or Service Providers Level 2 must fill up a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be assisted by a QSA.

In order to determine the level and you are required to obtain, and the type of SAQ you are required to use, please contact your acquirer.

PCI DSS Audit Process

In general, the PCI DSS audit can be divided into the following phases below:

PCI DSS 認證 階段 時間

The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)

Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)

Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.

2. Security Equipment Costs

Additional security equipment may need to be purchased (i.e. Firewalls, IPS, IDS, WAF)

3.  Data Encryption Costs

PCI DSS requires card data encryption. Organisations will typically use HSM (Hardware Secure Module) hardware encryption to ensure the security of the cardholder data stored.

4. Training Costs

PCI DSS requires employees to undergo Awareness Training, Secure Coding Training, and IRP (Incident Response Plan) drills. In addition, to perform Vulnerability Scans and Penetration Tests, your staff may also have to undergo sufficient technical training to operate these tools.

5. Technical Audit Costs

PCI DSS mandates a number of technical audits, including:

  • Card Number Scanning
  • Code Review
  • Internal Vulnerability Scan
  • ASV, External Vulnerability Scan
  • Internal Penetration Test
  • External Penetration Test
  • Wireless Scan

There may be some additional costs here.

6. Other Costs

If your organization is designated as a Service Provider, you will be required to register yourself, such as at VISA’s VISA Registry or MasterCard’s Service Provider Registration

Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:

SectionExpected Extra CostsRemarks
Systems5-6 more servers, one-time expenditure of US$15,000
Security EquipmentMore WAF, IPS and other systems required, one-time expenditure of US$15,000-20,000Assuming Intermediate WAF
Data Encryption EquipmentSpend up to US$30,000 in HSM costsHSM prices vary greatly, software encryption methods can also be used
TrainingTraining costs up to US$2,500 a yearCan conduct training internally
Technical AuditsBased on the needs of the servers and number of applications may cost between US$30,000-90,000 annually
OthersRegistration fees to the card organisations are about US$3,000-5,000 per year

PCI DSS Compliance Fees

In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.

  • System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
  • Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
  • The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
  • Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
  • Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.

The costs of a PCI DSS audit will also differ by geography, as the PCI SSC has different annual costs for each region. The costs of a QSA is also different in each region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and require about a week for the preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD to 25,000 USD. Of course, the actual price must be estimated based on the variables mentioned above to determine the amount of time required for the audit.

Vincent Huang

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

- IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security

- Professional certification: DSS QSA, PCI 3DS Assessor, PIN Security QPA, CISSP, CEH, NSPA, ISMS LA, ITSM LA, Certified CSA STAR Auditor, Europrise Technical Expert

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

PCI DSS v4.0
first time PCI DSS Compliance
PCI 3DS 驗證 3 步驟_Max

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.

© 2020 Copyright - Secure Vectors Information Technologies Inc.