PCI-DSS is one of the most widely used security frameworks around the world. Unlike frameworks such as FedRAMP or CMMC, PCI-DSS is not issued by the US Government; it is a global standard maintained by the PCI Security Standards Council, which the major card brands founded, and it is enforced contractually through the card brands and acquiring banks. It’s the Payment Card Industry Data Security Standard, and it applies to any business or entity that stores, processes, or transmits cardholder data or sensitive authentication data. Merchants, payment providers, gateways, banks; they all need it.
If you’re an entity looking to start accepting payments, or if you’re trying to become a cloud service provider acting as a gateway or processor for payment information, you will need to make sure you’re PCI certified. Thus, for planning and development of your operation, you need to know roughly how long it will take to achieve that certification.
So, let’s talk about the process, how long each step can take, and what you need to do to make sure you achieve PCI-DSS certification with as little hassle as possible.
BLUF - Bottom Line Up Front
PCI-DSS is a global card data security standard. Any business that stores, processes, or transmits cardholder data or sensitive authentication data; merchants, payment providers, gateways, banks; must validate PCI compliance. Timelines vary: simple setups can pass in weeks, most take 4–6 months, large or unprepared firms can take a year or more. Four merchant levels depend on yearly transaction volume, roughly: Level 4 <20,000; Level 3 20,000–1M; Level 2 1M–6M; Level 1 >6M (exact thresholds vary slightly by card brand, so confirm with your acquirer). Annual revalidation is required at every level, along with quarterly external vulnerability scans by an Approved Scanning Vendor wherever you have internet-facing systems in scope.
The Short Version
Before digging into the details, we can give you a short-ish answer to the question.
Unfortunately, that answer is “it depends.”
If you’re setting up a very simple end-to-end processing solution with very few moving parts and a small list of systems, you can go through the PCI compliance process in just a few weeks. The shortest we’ve seen is a roughly out-of-the-box system that achieved PCI compliance in just a week.
On the far opposite end of the spectrum are the larger, more complex, bespoke, and customized implementations. When you’re approaching your compliance from scratch, DIYing a solution out of whole cloth, and securing systems that have never been seen before and are not made from commercially available modules, it can take as much as a year.
Of course, there’s an even higher tier. It can take well over a year to achieve compliance, but that’s more if you’re a business that doesn’t truly have the buy-in necessary to comply in the first place. If you’re constantly running into resistance from developers or stakeholders, or no one really knows or cares what they’re doing, it can take years to get certified, if you ever do.
Most businesses are going to be able to complete the PCI certification process in a handful of months. 4-6 months is a solid average, and it can sometimes stretch as long as 8 months if you’re in a complex situation, but you’re working through it.
Make no mistake; a lot goes into PCI compliance. But, if you’re using pre-developed and commercial modules or systems, a lot of it is work that is already done for you. All you need to do is make sure the way you put the pieces together is still in compliance.
Now, let’s go through the stages in more detail and discuss how long it’s likely to take.
Phase One: Laying the Groundwork
The first phase of PCI compliance is all of the stuff you do before you even begin. This is likely going to take place in meetings with stakeholders and directors, determining the need for PCI compliance, the roadblocks and challenges that could come up, and other details.
You’ll want to do some internal analysis and determine the kinds of considerations you’re going to need to deal with during the compliance process.
One of the biggest tasks during this phase is determining how challenging your PCI compliance is going to be. If you’re a small business with mostly predeveloped modules that are, themselves, already PCI-ready, you’ll have a much easier time than if you’re a larger firm using more bespoke software.
Remember that PCI is focused on cardholder data: the primary account number (PAN) and the name, expiry, and service code that travel with it. It also covers sensitive authentication data, meaning full magnetic-stripe or chip track data, card verification codes (CVV/CVC), and PINs. So even if you’re acting as a middleman and only pass this data through without ever storing it, you still need to be compliant. Note also that sensitive authentication data may never be stored after authorization, even encrypted.
There are a few primary tasks you want to complete during this phase.
Determining your “Why”. This is where you analyze your business operations, determine why you need PCI compliance, and figure out how much of it your business truly needs to take on itself. Some brands are just on the edge and can change how they function slightly to shrink their scope dramatically, for example by handing the payment page to a hosted provider so that card data never touches their own systems and only a short questionnaire applies. Others may decide they want to lean into it more heavily.
Determining your scope. Scoping is important with any security framework. You need to determine which systems and operations could ever store, process, or transmit cardholder data, and make sure they’re listed as in scope. Keep in mind that PCI also treats systems that are connected to those systems, or that could affect their security (directory services, logging, patch management, jump hosts), as in scope; network segmentation is how you keep everything else out. There’s no reason to do work to secure systems that don’t touch or interact with the ecosystem that handles cardholder data.
This also applies to employees. Employee training and authentication are part of the PCI certification process. But, there’s no reason to make employees undergo training for systems they’ll never interact with, right? Scoping is important.
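Scoping decisions are only as good as your knowledge of where card data actually lives, and PANs have a habit of turning up in logs, exports, and support tickets on systems everyone assumed were out of scope. The following is an added example of a small data-discovery check (not code from the original article or from Ignyte) that finds Luhn-valid card numbers in text and reports them masked, so the report itself does not become cardholder data. The log lines are constructed for the demonstration; the `find_pans` function and `Hit` type are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so we don't start mid-number).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, timestamps and other
    long digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS
    permits for displayed PANs, and star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Hit:
    source: str   # file or system the text came from
    line_no: int  # 1-based line number within that text
    masked: str   # masked PAN, never the full number


def find_pans(source: str, text: str) -> List[Hit]:
    """Scan free text for Luhn-valid PANs and return masked hits."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(Hit(source, n, mask_pan(digits)))
    return hits


# Constructed sample: an application log from a server believed to be out of scope.
SAMPLE_LOG = "\n".join([
    "2024-05-01 10:00:01 INFO checkout ok card=4111 1111 1111 1111 exp=12/26",
    "2024-05-01 10:00:02 INFO order_id=1234567890123456 status=shipped",
    "2024-05-01 10:00:03 DEBUG retry payload 4111111111111111",
])


def scan_sample() -> List[Hit]:
    """Run the discovery check over the constructed log."""
    return find_pans("app-server-03:/var/log/app.log", SAMPLE_LOG)


if __name__ == "__main__":
    for h in scan_sample():
        print(f"{h.source}:{h.line_no}: {h.masked}")
```

Lines 1 and 3 are reported (the spaced and unspaced forms of the same test PAN, masked as `411111******1111`); the 16-digit order number on line 2 fails the Luhn check and is ignored. A hit on a server you had classed as out of scope means either the data flow is wrong or the scope is; both need resolving before the gap analysis.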
Determining your level. PCI-DSS has four merchant levels, with level 1 being the highest and most stringent standard. The level you need to adhere to depends on the volume of transactions you process per year. The thresholds below are the ones most card brands use; the exact cut-offs differ slightly by brand (and some count only e-commerce transactions), so confirm your level with your acquiring bank.
- Level 4: less than 20,000 transactions per year.
- Level 3: between 20,000 and 1,000,000 transactions per year.
- Level 2: between 1,000,000 and 6,000,000 transactions per year.
- Level 1: over 6,000,000 transactions per year.
If you’re right on the edge, it’s generally better to aim for the higher tier.
Level 1 requires an annual on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC). Level 2 completes the Self-Assessment Questionnaire (SAQ), but some card brands (Mastercard, for one) require that it be completed by a PCI-certified Internal Security Assessor (ISA) or a QSA. Level 3 and Level 4 complete the SAQ themselves. At every level, the submission also includes a signed Attestation of Compliance (AOC).
All four levels require annual revalidation, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) wherever you have internet-facing systems in scope.
Determining your budget. PCI compliance is not free, and it’s not particularly cheap. The higher the level you have to achieve, the more expensive it will be. Using an automated vulnerability scanner, utilizing employee training, building a security team, buying PCI-compliance modules or licenses, all of these add up, and some of them are ongoing or annual costs.
Knowing what you’re getting into, in terms of work and timelines as well as budget, is important for planning.
Overall, this whole process happens before you do any work towards PCI compliance and generally takes 2-4 weeks. The higher your level, the longer it will take to hammer out the details and develop a plan for compliance.
Phase Two: Gap Analysis and Hiring
The second phase encompasses two main tasks.
The first task is performing a gap analysis. The gap analysis identifies all of the elements of PCI compliance that are going to be relevant to you. Usually, this involves taking the self-assessment questionnaire that matches your payment channel (or, for Level 1, the full set of requirements the ROC covers) and figuring out how far away you are from being able to complete it successfully. For higher-level businesses, the bar is higher, and the standards are stricter.
The second task is hiring or contracting the people you need to guide and implement your compliance efforts. Usually, an external contractor, such as a Qualified Security Assessor (QSA), will be the first one you find. If you are going to need an external assessment, you will want to reach out to a QSA company listed by the PCI Security Standards Council and get the process going for scheduling that assessment in the future. If you don’t need an external assessment, you’ll want to find and hire skilled security experts for an internal assessment team; having someone on it certified as an Internal Security Assessor (ISA) helps, and some card brands require it at Level 2.
Depending on who you have on your team and who you’ve managed to contract, the gap analysis may need to wait until you’ve hired the right people to perform it. This can depend on how long your hiring process is and how in-demand those experts are in your market. Usually, this will take somewhere between 2 and 4 months to complete.
Phase Three: Implementation and Documentation
The third phase is where you actually start doing the work. You have the gap analysis, which tells you what work you need to do. You have the PCI guidelines and reporting requirements, which tell you what evidence and documentation you need to have to successfully pass certification. You have your team ready to go.
So, get to work.
Implement and document the technical details. Train employees and document the results of the training. Perform interviews to validate. Arrange penetration testing of the cardholder data environment; PCI requires it at least annually and after significant changes, so budget for it rather than treating it as optional. Purchase licenses and other tools that may be necessary. Implement business controls.
Implementation is critical here, but it’s also often the easier part of this process. The area where businesses tend to fail most often is in the proof. You need to have documentation of the security and training you’ve implemented, from well-documented business policies to proof of secure configurations and software modules to the results of testing.
All of this documentation needs to be well-compiled and readily available. This is where a tool like the Ignyte Assurance Platform can come in clutch; by accumulating and tracking all of your compliance efforts, as well as storing proof, all in one place, you make sure you have the easiest possible time compiling your reports and documentation when you need it.
Phase Four: Submission and Review
At this point, what action you take next depends on your level of compliance.
Level 4 businesses will fill out the self-assessment questionnaire. Generally, the authority you’ll work with won’t be the PCI Council or an assessment organization, but your acquiring bank (acquirer). Your acquirer will accept your SAQ and Attestation of Compliance, set up the avenue for submitting quarterly ASV scan results, and confirm your compliance status. Some acquirers ask Level 4 merchants for more than the basic package; in which case, refer to the Level 3 process.
Level 3 businesses will need to fill out the self-assessment questionnaire, and you will also need to complete an Attestation of Compliance. The attestation is signed by an executive officer of your company and, if a QSA assisted with the assessment, countersigned by the QSA; it serves as your formal statement that you’ve complied with PCI standards. A QSA engaged at this level will basically take your questionnaire, validate the details, and sign off on the attestation before it goes to your acquirer.
Level 2 businesses have a higher bar to clear. Depending on the card brand, the questionnaire must be completed by a PCI-certified Internal Security Assessor or by a QSA rather than by whoever happens to be available, so you’ll need an internal security team capable of independently validating the answers and the state of your security against PCI requirements. The output is still an SAQ plus an Attestation of Compliance, signed by your executive and by the ISA or QSA who performed the work, and submitted to your acquirer.
Level 1 businesses are the highest standard, and they require a full on-site assessment by a QSA. The QSA and their team come in, test your controls against every applicable PCI requirement, review evidence, and interview staff. The results are compiled and detailed in a Report on Compliance (ROC), accompanied by an Attestation of Compliance, and submitted to your acquirer (and through it to the card brands) to confirm your compliance.
As you might imagine, the higher the bar, the longer it takes. A simple questionnaire might take a few weeks to document and complete. An ROC or assessor-validated AOC can take a couple of months to complete, with the Level 1 on-site assessments being the longest.
Phase Five: Remediation and Monitoring
At this point, one of two things will happen. Either you pass, or you fail.
If you fail, you’ll need to identify the deficiencies in your implementation and fix them, then undergo the validation process for your level again. There’s generally no acceptable amount of deficiency and no POA&M process for PCI, though there are ways to use documented compensating controls (recorded on the compensating controls worksheet, with a justification for why the original requirement can’t be met) to account for gaps while they’re fixed. This is something you’ll need to work with your QSA directly to hammer out.
If you pass, you’re good to go. The key at this point is to implement continuous monitoring and improvement processes. These serve to keep your security validated, robust, and updated as the world moves and the threats change around you. This is what you’ll be doing indefinitely, for as long as you intend to maintain PCI certification.
Part of this is your quarterly reports. Wherever you have internet-facing systems in scope, PCI requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); these automated scans seek out unpatched software, weak configurations, and other issues that can be detected from the outside. A passing scan report needs to be produced every three months to maintain compliance, and failed findings have to be remediated and rescanned until they pass.
Phase Six: Recertification
PCI is an annual certification, which means you will need to undergo the certification process once a year. That means the questionnaire, the scans, the QSA validation, and the auditing, as relevant, based on your level.
Additionally, if your business is growing and you reach a new level, you will have to comply with that new level. This is why it’s critical to know your level, know the thresholds between them, and understand when your growth would take you to a new tier and add new requirements. Card brands can also move a merchant up a level after a breach, regardless of volume. Otherwise, you risk losing compliance, and possibly fines and other penalties.
At Ignyte, our Platform is designed to help you keep on top of any and all security frameworks you want to adhere to. One “shortcut” for PCI, for example, is an existing SOC 2 examination. If you’ve done SOC 2 already, a lot of the policy work (and evidence) can already be available in our Dashboard, streamlining the PCI process.
To see how it can work for you, just schedule a demo today.

Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.