Attaining PCI certification for an organization, for the first time, is not a small undertaking, whatever path you take. But PCI compliance is one of the most impactful things you can do to better protect your card data and ultimately your business. PCI compliance helps you to secure your environment, benchmark standards, and serves as a reputation booster to say, “We are a reliable partner.”
Getting the certificate isn’t fast, but it doesn’t have to be torturous either. With the right approach and proper planning, any company can make a smooth journey to PCI compliance, with the sanity of all parties still intact.
How long does it take to get PCI Certified? Most of a year.
That’s a rough benchmark, with a lot of caveats that we’ll explain below, but for most first-time certifications, budgeting that amount of time is safe.
Below we’ve provided a detailed timeline, with each step broken down, including the time it should take. We’ve also provided clues on what could delay the process and tips on cutting the time down without sacrificing security.
Here is our detailed breakdown of how long it takes to get PCI certified.
- From 0 to PCI Compliance: The Timeline
- Step #1: Answer the “Why?” (< 2 Weeks)
- Step #2: Calculate Your Budget (1 Month)
- Step #3: Find a QSA (< 1 Month)
- Step #4: Scope Your Environment (3-4 Months)
- Step #5: Determine your PCI Level (1-2 Weeks)
- Step #6: PCI Buy-In (1-2 Weeks)
- Step #7: Pre-Assessment Work (3-4 Weeks)
- Step #8: PCI Assessment Kick-Off (< 1 Hour)
- Step #9: PCI assessment (4-8 Months)
- Step #10: PCI compliance
- Step #11: Repeatable Process & Descoping
- When PCI Certification Takes Longer
- How to Get PCI Certified Faster
- Warnings About Quick Certification
- Find the Right PCI Consultant Fast
From 0 to PCI Compliance: The Timeline
Your exposure to PCI compliance – and the time it will take to get certified – relies heavily on the amount of payment data you have and how you process it.
A simple e-commerce-only business will have a smaller assessment environment compared to a larger organization that has call centers, backend apps, storage of data, and more.
For this example timeline, we are going to imagine you are a startup that has created an app.
Imagine you run an app that currently has 10,000 users, each paying a $25 monthly subscription fee through a payment process within your app. Users are able to manage their payments on your website, in the app, and through a customer support channel. This means that each month you are processing about 10,000 transactions totalling $250,000, which adds up to 120,000 payments and $3M each year.
Your payment processor is now talking to you about becoming PCI compliant. How do you get there?
Step #1: Answer the “Why?” (< 2 Weeks)
The very first step before an organization decides to become PCI compliant for the first time is to answer the following question: Why do you want or need to be PCI compliant?
Some reasons why you would want or need to be PCI compliant may be:
- Request from the acquiring bank
- Request from a client
- Improve customer confidence
- Gather insight on the security of your organization
In our example, our payment processor is asking for our Attestation of Compliance (AOC). Maybe we’ve been filling out the Self-Assessment Questionnaires (SAQs) ourselves but want to make sure we are truly PCI compliant by having a Qualified Security Assessor (QSA) confirm it. Maybe we are trying to be proactive because we know that PCI compliance is on the horizon. Whatever the reason may be, this is your “Why.”
Depending on the size and complexity of your organization, this step is fairly quick and should take no longer than 2 weeks. The work involved is high-level and is done primarily via internal communication within your organization.
Step #2: Calculate Your Budget (1 Month)
Once an organization has answered why they want to be PCI compliant, the organization should then determine their budget for an assessment. When calculated, a PCI budget should include the cost of an assessment as well as the cost of maintenance to be PCI compliant every year.
PCI compliance can be costly depending on the environment, how many resources you need, and whether you use an Internal Security Assessor (ISA) or a Qualified Security Assessor (QSA). On average, a PCI assessment ranges from $15,000 to $40,000 for small and large organizations respectively, according to a report by Very Good Security; that figure covers the assessment cost only.
Additional costs for maintaining annual compliance may include the following:
- Vulnerability Scanning Costs With an Approved Scanning Vendor (ASV) ~ $100/IP Address
- Security Awareness Training & Education ~ $100/employee
- Penetration Testing for PCI ~ $15,000/annual test
- Security Appliances – Varies
- Security Team and Resources – Varies
- Remediation Efforts – Anywhere from a few hundred to a few thousand dollars depending on the remediation
- & More
The timeline for this step can vary between organizations. It may include an internal discussion with potential stakeholders to get an idea of the scope, which entails the number of IP addresses in your environment, the number of employees you have, and more. Ideally, this step should be completed within a month to keep the PCI compliance effort moving. It’s best to over-estimate during your first assessment to ensure proper funding and avoid delays in gaining compliance.
In our example company, our assessment will be on the higher side due to our app, website, and call center. Since the infrastructure required to support 10,000 active monthly users is high, this will involve a large environment. We can expect to reasonably spend upwards of $100K.
While budgeting is always the hardest step, and everyone’s least favorite, it’s crucial. It might seem like it’s the end of the line here but wait! There are ways you can start to minimize your compliance environment and your overall budget (See Step #11).
Step #3: Find a QSA (< 1 Month)
The next step is to find a QSA and a QSA company. QSAs must work for a QSA company. You can search for QSAs and QSA companies on the PCI Security Standards Council’s website. Ultimately you want to make sure they are qualified to sign off on your reports and that their credentials are valid.
A QSA is a person, designated by the QSA company, who will perform the PCI assessment on your organization. The QSA will be able to provide guidance on the PCI assessment process and what evidence will need to be gathered. It is important to find the best QSA or QSA company as your organization will work closely with them. Shop around with a few QSA companies either from the PCI Council’s website or through a local Google search of security companies in your city.
Outside of the PCI assessment itself, the QSA or QSA company can also provide consulting services to help improve the PCI posture of your organization. Even if you fall into Levels 2-4 (see Step #5), it’s best to consult a QSA or PCI Professional (PCIP) for your first assessment so that a professional observes your environment. After that, if you are Level 2-4, you can opt for an ISA or an SAQ.
While the timeline may vary, depending on the search process and procurement process, ideally this step should be done within a month.
Step #4: Scope Your Environment (3-4 Months)
Now you need to determine your PCI DSS scope, which is crucial. PCI scoping is the responsibility of the entity being assessed, AKA you. PCI DSS scope includes anything that processes, stores, or transmits card data, such as applications/systems, databases, locations, network devices (firewalls, routers, and switches), people, and servers. In PCI DSS 4.0, the scoping exercise must be performed annually, so it needs to be recurring and built into your processes.
Complete guidance can be found in PCI DSS version 4.0 under Section 4, Scope of PCI DSS Requirements.
It might be helpful to perform an internal scoping exercise to get some “quick wins” in briefly identifying your scope. Your QSA can then help you to ask deeper questions from there and fully solidify your PCI DSS scope.
For our example, we briefly talked about the scope: the app, website, and call center. But we need to be more specific. Let’s say we are hosted on AWS. The app runs in scalable containers on EKS (which is managed by AWS and therefore a smaller scope for us), the website is hosted on EC2 instances, and the call center is a physical facility. We need to scope the AWS network, Active Directory services, all admins, databases, DBAs, call center agents, call systems, call recording and screen recording servers, and the physical call center building. This is a very brief scoping of our example, but it should give you a general idea of how deep scoping needs to go.
Since scoping is extremely important and should be done thoroughly, this step may take quite a bit of time to complete (somewhere between 3-4 months, generally speaking.) This is ultimately dependent on the complexity and size of the organization. Consult your QSA for assistance in finalizing your scope to ensure that you have the assessment and environment scoped appropriately.
Step #5: Determine your PCI Level (1-2 Weeks)
There are PCI DSS levels ranging from Level 1 to Level 4. The levels are based on the number of credit card transactions per year. It’s important to note that these levels vary by card network (i.e., Visa, Mastercard, Discover, etc.). There are other variants per card network, including the monetary amounts that are processed. In general, the merchant levels are as follows:
- Level 1 – Merchants that generally process over 6 million card transactions annually
- Level 2 – Merchants that process 1 to 6 million transactions annually
- Level 3 – Merchants that process 20,000 to 1 million transactions annually
- Level 4 – Merchants that process fewer than 20,000 transactions annually
To determine your PCI DSS level, you can review transaction reports from your payment processor(s). When in doubt, consult your acquiring bank, acquirer, or payment processor. Your acquirer is ultimately responsible for telling you what your level is.
The PCI DSS level determines the type of assessment you must perform and the report you must complete. For example, Level 1 merchants always require a QSA to perform the assessment and produce a Report on Compliance (ROC) rather than an SAQ. Merchants at Levels 2-4 may instead be able to complete an SAQ, with an ISA performing the assessment.
In our example, we are processing about 120,000 transactions per year. This would put us into a Level 3 category. We can either perform the assessment ourselves, with an ISA and an SAQ, or still consult a QSA.
The timeline for this step should be within one to two weeks. The transaction reports should be requested from your treasury or finance teams, analyzed, and confirmed with your acquirer.
Step #6: PCI Buy-In (1-2 Weeks)
Since PCI DSS involves various teams throughout the organization, it is imperative that the teams are aware of the PCI DSS compliance effort. The position from the top of the organization is important in setting the tone for the rest of the organizational teams. Ultimately without the buy-in and commitment from executive management, the PCI DSS program at any organization will not be successful.
Luckily for us in our example, we are the CEO. We have effectively communicated with executive management that PCI is important. We already have drafted a PCI Charter dictating how we will support PCI efforts in the organization. Roles and responsibilities have been defined in our new PCI policy and we are committed.
The timeline for this step should be relatively quick, about one to two weeks, with the following considered: set up a meeting with your executive management team to address the importance of, and commitment to, PCI. Allow them to voice their concerns, ask questions, and document everything. You can opt to have the QSA involved to answer their questions. Following their verbal buy-in, you can begin drafting your PCI Charter and policies to ensure enforcement within your organization. While the meeting may be relatively quick, the documentation and policies can take a little longer to properly finalize.
Step #7: Pre-Assessment Work (3-4 Weeks)
Before the QSA or QSA company arrives on-site (or remotely) you can perform pre-assessment work. Pre-assessment work includes, but is not limited to, the following activities:
- Determining scheduling/timeline
- Setting up a system to track the assessment process
- Setting up evidence request tasks (these can be provided by the QSA)
- Sending out calendar invites for interviews (ensure the QSA is available at those times)
- Gathering and providing evidence beforehand such as policies and procedures
Depending on how detailed your pre-assessment work is, this step should take anywhere from a few weeks to a month.
Step #8: PCI Assessment Kick-Off (< 1 Hour)
An excellent exercise to perform is to have a PCI assessment kick-off meeting. This meeting should include all the PCI stakeholders and align them to the overall assessment process. The kickoff meeting should include tailored information about the assessment for the stakeholders. This information can include the following:
- The Assessment Process
- Timelines & Important Dates
- Stakeholder Roles & Responsibilities
- Contact Information
- & More
In our example, we are going to consult the call center managers, infrastructure admins, information security, system architects, database administrators, server teams, and more.
The assessment kick-off is a single meeting that should take no longer than half an hour, with optional time for Q&A.
Step #9: PCI assessment (4-8 Months)
Once the kick-off meeting is complete, the PCI assessment should begin. A PCI assessment will consist of information and evidence-gathering, interviews, observations, and report writing. It is extremely important to stay organized and stick to the proposed timelines/due dates during an assessment. There should be constant follow-ups with stakeholders and at a minimum weekly status emails and/or bi-weekly meetings to remove barriers.
Deadlines approach quickly and teams have other work they need to perform. Things get forgotten or pushed to a lower priority. Being organized and communicating status to stakeholders can ensure that things stay on track.
In our example, we are going to begin gathering evidence from the app/website systems, perform interviews and observations with the teams identified at the kick-off meeting, and ultimately get our PCI compliance!
The timeline for this step will depend on the complexity and size of the organization. On average PCI assessments take anywhere from 4 to 8 months with 6 months being about average.
Step #10: PCI compliance
Congratulations! Your hard work has finally paid off and you’ve achieved a compliant PCI report. You are now officially PCI DSS compliant! You can now provide your PCI AOC to your acquirer and customers showing that you are compliant with PCI.
In our example app startup, we can now reassure our customers and payment processor that we are properly processing payments on our platform. Furthermore, PCI compliance can also help lower cybersecurity insurance rates, among plenty of other benefits. This is the easiest step, as there is no further work to do.
As the person spearheading the PCI effort, thank your teams and employees. Celebrate with them by throwing a small office party, or at a minimum send a thorough thank-you email as a token of appreciation.
Step #11: Repeatable Process & Descoping
Now that your organization is officially PCI compliant, a review of the PCI assessment process should take place to look for areas of improvement. The PCI assessment process needs to be repeatable. Not only does this help with your annual compliance efforts, but PCI also needs to be an ongoing process and not a point-in-time assessment. This is officially documented in PCI 4.0.
The following are examples of PCI processes that need to be repeatable:
- Annual scoping exercise
- Notifying stakeholders of new PCI systems
- Maintaining an inventory of PCI scoped systems
- Maintaining and updating policies, procedures, and processes
- Security awareness training and education
- Performing targeted risk analyses
- Annual penetration testing
- Quarterly ASV scans
- Internal/external vulnerability assessments
- & More
The above list isn’t exhaustive but is a great starting point. These processes are defined by PCI but also are specific to your environment.
Descoping can also be a huge relief to your organization. A good rule of thumb is the following: If you don’t need to store it, don’t. If you don’t need to process cards in your environment and you can outsource that to something like Stripe, do it. If you don’t need to store full card numbers for reporting, don’t. If you are able to segment your network into a PCI-only zone, do it.
While your first PCI assessment can be painful, that doesn’t mean the next one has to be. Use the feedback and the knowledge gained from the assessment to reduce your scope. Brainstorm with the teams to see what you absolutely need and what you absolutely don’t. See which non-essentials can be reduced, if not outright eliminated. This could allow you to perform smaller assessments in the future, involving fewer people, fewer systems, fewer networks, less time, and, more importantly, less money.
When you descope or reduce scope, everything reduces. It’s recommended that a descoping discussion happens following every annual assessment to make sure you are always looking at ways to reduce.
The timeline for this step should be a few months in order to thoroughly evaluate the process. This process should be documented, enforced by policies and procedures, and communicated by executive management in order to be effective. Teams should update their existing processes to include the new policies and procedures to ensure that these PCI processes are baked in.
When PCI Certification Takes Longer
There can be many factors that may negatively impact the proposed PCI compliance timeline. Some factors can include the following:
- Unexpected or unknown scope
- Complex environment
- Flat network or lack of segmentation
- Lack of support from employees
- Lack of support from upper management
- Missed deadlines or due dates
Ultimately, not knowing is going to hurt you. That’s why the scoping exercise, hiring a QSA or PCIP, and gathering the proper information before starting your assessment are paramount. Ensuring top-down enforcement and buy-in for PCI, communicating processes and assessment information, and providing status updates and assessment tracking are all exercises that should happen often to avoid these barriers.
How to Get PCI Certified Faster
PCI compliance doesn’t need to take a long time. If you follow the above-mentioned steps you should be well on your way. However, there are a couple of additional helpful tips that can assist in cutting down the PCI compliance timeline:
- Scope Reduction
Where possible, try to reduce the PCI scope. Methods can include segmentation, outsourcing payment processing, and limiting cardholder data storage. See Step #11 for more information.
- Pre-Assessment Evidence Gathering
Gather as much evidence as possible before the QSA or QSA company officially starts the PCI assessment. This will significantly reduce the assessment timeline as a lot of evidence can be reviewed before the official start of the assessment.
- Find a QSA or PCIP
A reliable and knowledgeable QSA or PCIP can help you be drastically more efficient. They are professionals and have been through assessments before. Utilize their knowledge and experience to eliminate trial and error.
- Deploy Strong Repeatable Processes
Following your first PCI assessment, your repeatable processes can directly make or break your next assessment. The next one should never take as long as the first unless you’ve drastically changed your environment. Focus on these processes and make them as efficient as possible.
- Communicate Constantly
Before, during, and after the assessment, you need to communicate with everyone. Most teams aren’t familiar with PCI or the assessment process. Communicate your expectations, their roles and responsibilities, and the PCI process. Continually keep them informed of approaching deadlines, current weekly statuses, and bi-weekly meetings. This keeps the information fresh in their minds, eliminates the risk of work being forgotten, and ensures that evidence gathering won’t be pushed to the last minute.
Warnings About Quick Certification
Being PCI compliant can be complex and does require substantial effort year over year. It also involves costs, resources, and commitment. It can be easy to perform a “tick the box” certification just to be compliant. However, that can harm you and your organization later, and at a massive scale and cost.
“Tick the box” certification might get you “compliant” in the eyes of your payment processor and customers, but if a breach occurs, your assessment will be put under the microscope. If lawsuits arise and it’s determined that your assessment wasn’t thorough, there will be reputational loss, monetary loss, potentially losing the ability to process payments, fines from the card networks, increased cybersecurity insurance premiums (or loss of coverage), and did I mention lawsuits?
The 2022 Verizon Payment Security Report states that none of the companies reviewed in the report were fully PCI compliant at the time of their breach.
The report also states that only 43.4% of the companies reviewed were fully compliant. This isn’t to say that PCI is the be-all end-all for cybersecurity, but the results lean in favor of the PCI DSS being effective.
What you get with a proper assessment is reassurance of your security. At a minimum, you know that you’ve demonstrated and performed your due diligence on securing your customers’ data. While breaches happen, being able to show that you worked hard and have the processes and infrastructure in place to actively secure that data can make or break your response to a breach or data loss. The amount of money saved from lawsuits, reputation loss and lost business is worth the annual investment of maintaining real compliance.