This is based on recent work (March 2015) with a customer to attain Level 3 PCI Compliance.

There seems to be a grey cloud cast over PCI Compliance and there are very few companies out there willing to give the relevant information to help the n00b out.

Environment

  • Customer using remote integration (card details are entered on the customer's own website rather than on a hosted payment page such as PayPal's, so the payment data passes through the customer's systems)
  • Cardholder details are not stored by customer or payment gateway
  • POS terminals on-site

Steps

Here are the steps I took on my journey to level 3 Compliance:

  • Host website with PCI Compliant web hosting (34sp.com)
  • Become a re-seller (scan on behalf of customer) with PCI ASV – Approved Scanning Vendor (qualys.com)
  • Scan website IP with qualys.com and return the issues report (if any) to 34sp.com to patch
  • Complete SAQ (Self-Assessment Questionnaire) D form (covers taking payments on the website and POS terminals) – http://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
  • Complete SAQ D AOC (Attestation of Compliance) form
  • Return the completed SAQ D, the Attestation of Compliance and the passing ASV scan report (Attestation of Scan Compliance from qualys.com) to the acquiring bank

Research

First figure out which level of compliance you require. In our case it was level 3. The level is set by your annual transaction volume; your acquiring bank can tell you which level applies to you.

  If you have...                                            then you can...                           to achieve
  less than 20,000 online transactions per year             self-assess                               PCI Level 4 certification
  between 20,000 and 1 million online transactions per year self-assess                               PCI Level 3 certification
  between 1 million and 6 million online transactions per year self-assess                            PCI Level 2 certification
  over 6 million online transactions per year               hire an independent assessor (QSA)        PCI Level 1 certification

What have I learnt?

  • Tough process to complete when little guidance is offered
  • Website must be scanned by a third-party PCI ASV, and the external scan has to be repeated every quarter (PCI DSS requirement 11.2.2), so budget for an ongoing scan cycle rather than a one-off
  • Host with a hosting company that provides PCI compliant hosting – they understand the pain and will fix any hosting environment issues that come back from the scans
  • Questionnaire and AOC are completed by you and not a third party
  • You don’t need to pay the extortionate fees demanded by companies to help you through the process

Questions

Any questions please do not hesitate to get in touch. I will help out as best I can.

Written by Matt Cooper
Hi, I'm Matt Cooper. I started this blog to pretty much act as a brain dump area for things I learn from day to day. You can contact me at: matt@linuxtutorial.co.uk.