How to approach your first PCI DSS certification

Obtaining PCI DSS (Payment Card Industry Data Security Standard) certification is an essential requirement for any company that handles or is involved in card payments. This process can seem complex and tedious, especially the first time an organization faces this certification.

In this guide, we explain how to prepare your organization effectively for the certification and what to expect during the audit.

What is PCI DSS and why is it important?

To obtain PCI DSS certification, it is essential to understand what this standard is and why it is highly recommended to comply with it:
▪️PCI DSS is a security standard designed by the PCI Security Standards Council (PCI SSC).
▪️Its main objective is to protect credit/debit cardholder data, reducing the risk of fraud and data breaches, and therefore minimizing potential financial losses for companies and consumers.

Its applicability and mandatory compliance extend to all companies—regardless of size or transaction volume—that work with account data (credit/debit) or may impact the security of such data. Examples of such entities include merchants, service providers, acquirers, financial institutions, and others.

Failure to comply with PCI DSS can lead to financial penalties, damage to corporate reputation, and increased risk of security incidents.

Initial steps to take

Before beginning the audit process, it is important to define certain aspects of the organization.

Compliance level
One of the first steps an entity must take to face PCI DSS certification is identifying its compliance level based on the annual transaction volume that applies to the organization. For merchants, we can distinguish four levels:

▪️Level 1: More than 6 million transactions annually.
▪️Level 2: Between 1 and 6 million transactions annually.
▪️Level 3: Between 20,000 and 1 million transactions annually.
▪️Level 4: Fewer than 20,000 transactions per year.

Level 1 is required to complete a RoC (Report on Compliance) performed by a QSA as part of an external audit process. For the remaining levels, completing a SAQ (Self‑Assessment Questionnaire) is sufficient. 

For service providers, we can distinguish two levels:

▪️Level 1: Service providers with more than 300,000 annual transactions. 
▪️Level 2: Service providers with 300,000 or fewer annual transactions. 

As with merchant Level 1, service provider Level 1 requires a RoC completed by a QSA through an external audit.

For Level 2 service providers, completing an SAQ Type D is sufficient. In many cases, organizations request that this be performed with the support of an external QSA.

It is important to note that the compliance level does not determine whether the process will be more or less restrictive. The level only defines the certification method required based on the entity’s annual transaction volume.

Determining the scope

Once the compliance level has been established, the next step is to determine the scope that will be included in the certification.

It is essential to identify which processes, systems, and networks are involved in or handle payment information. Below are several points that must be clearly defined to ensure the scope is as accurate as possible:

▪️Systems, components, or devices that store, process, or transmit cardholder data, including any assets that may impact security or that are connected to the cardholder data environment.
▪️All networks, including wireless networks, that are involved with the assets mentioned above or that are related to the entity’s payment transactions.
▪️The individuals who have access to this information and these assets, as well as those involved in the related processes.

Properly determining the scope is crucial, as an incorrect scope definition may lead to unnecessary efforts or even security breaches. 
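As an added example (not from the article), the following Python script applies the three scoping criteria above to a constructed asset inventory: assets that handle cardholder data form the CDE, assets reachable from a CDE network are connected-to, assets flagged as security-impacting stay in scope regardless of segmentation, and the in-scope networks follow from the in-scope assets. The asset names, the three networks and the rule that two different networks are reachable only when a link is listed are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    network: str
    handles_chd: bool = False          # stores, processes or transmits cardholder data
    security_impacting: bool = False   # could affect CDE security (e.g. a directory server)

@dataclass
class Inventory:
    assets: dict                        # asset name -> Asset
    links: set = field(default_factory=set)   # permitted network pairs; missing = segmented

    def connected(self, net_a, net_b):
        return net_a == net_b or (net_a, net_b) in self.links or (net_b, net_a) in self.links

def determine_scope(inv):
    """Classify each asset as CDE, connected-to, security-impacting or out of scope."""
    cde = {n for n, a in inv.assets.items() if a.handles_chd}
    cde_nets = {inv.assets[n].network for n in cde}
    connected, impacting, out = set(), set(), set()
    for n, a in inv.assets.items():
        if n in cde:
            continue
        if a.security_impacting:
            impacting.add(n)          # in scope regardless of segmentation
        elif any(inv.connected(a.network, net) for net in cde_nets):
            connected.add(n)          # reachable from the CDE, so in scope
        else:
            out.add(n)                # segmented from the CDE and not security-impacting
    in_scope = cde | connected | impacting
    return {
        "cde": sorted(cde),
        "connected_to": sorted(connected),
        "security_impacting": sorted(impacting),
        "networks_in_scope": sorted({inv.assets[n].network for n in in_scope}),
        "out_of_scope": sorted(out),
    }

# Constructed inventory for illustration; names and networks are invented.
SAMPLE = Inventory(
    assets={
        "pos-terminal": Asset("payments", handles_chd=True),
        "payment-gateway": Asset("payments", handles_chd=True),
        "log-collector": Asset("mgmt"),
        "directory-server": Asset("mgmt", security_impacting=True),
        "hr-wiki": Asset("corp"),
    },
    links={("mgmt", "payments")},   # corp is segmented from payments
)
```

With the sample inventory, determine_scope(SAMPLE) reports hr-wiki as the only out-of-scope asset; removing the mgmt-to-payments link also moves log-collector out of scope, while directory-server stays in scope because it is security-impacting.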

Preparation prior to certification

After completing the initial steps described in the previous section, it is important to prepare properly in order to successfully face the certification process. The following subsections outline the most significant steps:

Familiarize yourself with the standard
It greatly facilitates the process when an organization seeking PCI DSS certification is familiar with the standard and its requirements.

The PCI DSS standard, currently in version 4.0.1, contains 12 requirements, each with multiple sub‑requirements. These requirements range from protecting networks and communications to access management and continuous monitoring of the environment. Knowing and understanding these controls allows the organization to build a stronger foundation for meeting the standard.

PCI Data Security Standard: High‑Level Overview

Build and Maintain Secure Networks and Systems
  1. Install and Maintain Network Security Controls.
  2. Apply Secure Configurations to All System Components.

Protect Cardholder Data
  3. Protect Stored Cardholder Data.
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks.

Maintain a Vulnerability Management Program
  5. Protect All Systems and Networks from Malicious Software.
  6. Develop and Maintain Secure Systems and Software.

Implement Strong Access Control Measures
  7. Restrict Access to System Components and Cardholder Data Based on Business Need to Know.
  8. Identify Users and Authenticate Access to System Components.
  9. Restrict Physical Access to Cardholder Data.

Monitor and Test Networks Regularly
  10. Log and Monitor All Access to System Components and Cardholder Data.
  11. Test the Security of Systems and Networks Regularly.

Maintain an Information Security Policy
  12. Support Information Security with Organizational Policies and Programs.


Internal assessment of the current situation

As part of the preparation phase, an internal audit can be carried out to effectively identify weaknesses and areas for improvement in the processes, procedures, and implementations of the current environment in relation to the PCI DSS v4.0.1 standard. This audit can be performed entirely internally using the Self‑Assessment Questionnaires (SAQs), or with the support of an external specialized entity.

This internal audit will allow the organization to assess its security posture from both an organizational and technical perspective. In this way, essential aspects can be strengthened, such as:
▪️Networks and communications: Strong encryption, firewall implementation, network segmentation, etc.
▪️Access management: Password policies, MFA, access roles, etc.
▪️Monitoring: SIEM, FIM, audit logs, NTP, etc.
▪️Governance framework: Security policy, procedures, training, etc.
▪️Hardening: Component configuration, insecure protocols, default parameters, etc.

As part of this internal audit, vulnerability scans and penetration tests may be performed (some of which are required for PCI DSS certification) to detect flaws and vulnerabilities and address them before the certification audit. It is important to use tools approved by the PCI SSC for these tests. 

Staff training
Training all employees who are directly or indirectly involved in handling cardholder data, covering the PCI DSS v4.0.1 standard and security best practices, is essential to prevent human error.

Certification process

Once the organization is prepared, it is time to begin the certification process. Below are the phases that any company will encounter during this process:

Start of the process 
First, it is essential to gather all documentation that can serve as evidence of compliance with the PCI DSS v4.0.1 requirements, a task that should not be excessively demanding thanks to prior familiarization with the standard. Below are some examples of documentation:
▪️Security policies, procedures, and manuals. 
▪️Component configurations. 
▪️Minutes, logs, or tickets generated from various security processes such as change management.
▪️Records of recurring tasks. 
▪️Audit logs, access logs, attendance logs, etc. 
▪️Vulnerability reports, threat intelligence reports, etc. 

Assessment 
In this phase, a detailed inspection is carried out to evaluate the practices and measures adopted by the organization to comply with the standard. Depending on the organization’s compliance level (as described under “Compliance level” above), it may complete a Self‑Assessment Questionnaire (SAQ) or undergo an external audit performed by a QSA. In either case, the ultimate goal is to validate that the organization meets all applicable requirements of the standard.

During the assessment, the following aspects will be reviewed: 
▪️Configurations of components within scope, including network and security assets.
▪️Operational documents, policies, and procedures.  
▪️Technical evidence and outputs resulting from the organization’s procedures. 

This assessment may be conducted in several phases: 
▪️Phase I: The organization is asked to provide all available documentation, policies, and procedures for review.
▪️Phase II: Procedural aspects are validated, confirming that personnel have adequate knowledge of the organization’s processes. 
▪️Phase III: All technical evidence from in‑scope components is collected. This may include asset configurations, firewall rules, access controls, etc. 

It is important to note that these three phases may be conducted either onsite or remotely. Regardless of the modality, there are no differences in the certification process or in the aspects to be reviewed. 

Correction of Non‑Conformities 

During the assessment process, it is common to identify deficiencies that prevent full compliance with one or more applicable requirements. In such cases, corrective actions must be taken immediately to resolve the issue. It is important to remember that if any applicable requirement cannot be met, PCI DSS certification cannot be obtained.

All corrective actions must be documented, effectively implemented, and re‑validated to ensure that the previously identified deficiency has been fully resolved.

Report drafting
To finalize the certification process, and once all deficiencies have been corrected, the documents that certify compliance with the standard are generated. As mentioned in previous sections, these include: 
▪️Depending on the compliance level, the organization may produce:
         🔹 Self‑Assessment Questionnaire (SAQ)
         🔹 Detailed Report on Compliance (RoC)
▪️Attestation of Compliance (AoC), which verifies the outcome of the assessment. This document includes a summary of the results obtained during the certification process and is also the document presented to demonstrate an entity’s compliance. 

Once the organization has these documents, it can be declared PCI DSS compliant. Although it may seem that the cycle has ended, this is a common misconception among organizations, as explained in the “Becoming PCI DSS certified and relaxing” section below.

Common mistakes

This section presents the three most frequent mistakes made in relation to PCI DSS certification.

Incorrect scope definition 
One of the most common issues is failing to properly define the scope. Many organizations do not correctly determine which systems, applications, or processes form part of the PCI DSS‑regulated environment.

There are two main ways this mistake can occur.

The first is defining a scope that is too broad, including components and processes that could legitimately be excluded, which results in unnecessary effort.
The second is reducing the scope too much, excluding critical components that should be included, which leads to non‑compliance with the standard.

[Figure: PCI DSS scope definition]

To prevent scope‑related issues, a thorough analysis of all flows involving cardholder data must be performed, and all components involved should be documented. It is recommended to rely on updated network and data‑flow diagrams.  

Within the PCI SSC documentation, two guides can be found, "Guidance‑PCI‑DSS‑Scoping‑and‑Segmentation_v1_1" and "PCI‑DSS‑Scoping‑and‑Segmentation‑Guidance‑for‑Modern‑Network‑Architectures", which explain how to correctly define or appropriately limit the scope.

Underestimating the importance of documentation

Many organizations have security measures implemented, but overlook the documentation framework. Implementing controls is just as important as supporting them with policies, procedures, and manuals. The absence of clear documentation is one of the main reasons an audit may fail, resulting in the inability to obtain certification.

In reality, the solution to this issue can be relatively easy to implement. A good practice is to ensure that every time a control is implemented, it is also described in formal procedures and, depending on the control, supported with records or evidence — such as a training attendance sheet for security awareness sessions. All documentation must be kept updated and accessible.
 
Becoming PCI DSS certified and relaxing
To conclude the most common mistakes within the PCI DSS certification cycle, some organizations treat PCI DSS certification as a one‑time event. This means they make a concentrated effort during the evaluation period to obtain their first PCI DSS certification and, once achieved, they lower their guard and stop maintaining certain controls. This significantly increases the likelihood of non‑compliance in the next certification cycle — remember, it is an annual requirement — and exposes the company to vulnerabilities.

[Figure: PCI DSS continuous improvement model]

As we can see in the previous image, PCI DSS follows a continuous improvement model consisting of four defined phases of action. Therefore, obtaining the certification is only the starting point for the next assessment. 

Conclusion

Facing PCI DSS certification for the first time may seem like a challenge, but with proper preparation and a well‑defined strategy, it is entirely achievable. The key lies in understanding the standard and its requirements, preparing processes appropriately, and maintaining security as a constant priority for the organization.

Complying with PCI DSS not only helps an organization avoid penalties, but also increases customer and partner confidence by ensuring the protection of cardholder data during transactions.

Bibliography:
🔗 Payment Card Industry (PCI) Data Security Standard, v4.0.1
🔗 Guidance PCI DSS Scoping and Segmentation, v1.1
🔗 PCI DSS Scoping and Segmentation Guidance for Modern Network Architectures
🔗 PCI DSS Quick Reference Guide
🔗 Best Practices for Maintaining PCI DSS Compliance




PCIP
Security Consultant
Consulting Department


