What is the process for getting a site certified as PCI-compliant?
See graphs for all steps here: http://www.dynamicnet.net/2012/04/pci_complance_process/
- Determine your merchant level.
- Determine your validation type.
- Complete and report an attestation of compliance and self-assessment questionnaire (SAQ) annually.
- Complete and report results of all external vulnerability assessment scans (all public-facing IP addresses used to process, view, or handle credit card data require scans) performed by an approved scan vendor (ASV) quarterly.
- Create and update an information security policy annually.
Utilize a PCI scanning tool that will provide a report on the level of compliance. If there are any failures, they will need to be addressed and resolved before a rescan takes place.