Obtaining PCI certification for your website or network can be a lengthy and aggravating process, or, it can be quite straight-forward. Depending on the route you take, the vender you choose , and of course, the complexity of your system, there is great range in the number of teeth you need to pull to become PCI compliant.
Put simply, the process involves two steps: (1) Taking a self-assessment survey, and (2) Successfully passing a security scan on the IP addresses (i.e. website server or network) by an approved vendor.
1. Self-Assessment Survey
The survey is long and often a little non-sequitur. In PCI's defense - devising a survey that can truly assess the security level of any system is no simple task. The questions are aimed to specifically address important and common vulnerabilities, but the survey also needs to be abstract enough accommodate a huge variety of environments. The result is a series of often redundant, awkward, and open-to-interpretation questions. That said, the survey contains a great deal of golden security checks, and going through the process is a great benefit to any organization... certification or no certification.
2. Automated Security Scan
It is actually remarkable how much an outside automated scan can determine about your system. The scans can often decode what modules and applications are installed on your server(s), down the the version number. Here is a tip: there are cheap downloadable software applications that let you scan your system yourself from a desktop computer. This is a good thing to do before requesting the official scan from the vendor. But don't get too excited if you pass the do-it-yourself test. We have found that the same system can produce very different scan results dependent on who is conducting the scan. Some PCI-approved vendors produces false positives that were irritating to disprove, while others gave a pass with no hassle at all.
It also needs to be strenuously stressed that a PCI certification does not mean your host or network is secure. In fact, many of the most common security mistakes are ones that a survey or scan cannot detect. In that way, PCI certification often gives companies a false sense of security about their, well, security. Like with most things, there is no substitute for common sense. Until they come out with a scan or survey for that, you must rely on experienced developers who have intimate understanding of your entire system and the code that is run on it.