Compliance Process- For a merchant to become compliant, they must meet all PCI DSS requirements. Because PCI compliance is a continuous process, there is no single required or set plan. According to the PCI SSC, the process includes three main steps: assess, remediate, and report.
Assess- identifying cardholder data, analyzing business processes and payment applications, and searching for system vulnerabilities.
Remediate- addressing system vulnerabilities and discarding unneeded cardholder data.
Report- submitting the required compliance and validation materials.
A company can have two designations: PCI compliance and PCI validation.
PCI Compliance- The continuous process of adhering to PCI standards. The PCI SSC recommends a six-step prioritized approach to compliance:
Remove sensitive cardholder data and reduce the system's retention of cardholder data.
Secure external, internal, and wireless networks.
Secure payment card applications in processes and servers.
Secure and monitor access to your systems.
Secure stored cardholder data.
Finalize all additional compliance efforts.
PCI Validation- Certification to the PCI SSC and the credit card institutions that a merchant has been checked by self-assessment, a QSA, or an ASV. Validation occurs at a single point in time through an outside audit, a self-audit, or system scans. The PCI SSC recommends a four-step approach to validation: