Businesses of all sizes must undergo Payment Card Industry Data Security Standard (PCI DSS) compliance audits to ensure that their customers’ data is protected during credit or debit card transactions and while stored.
Under the Standard, Level 1 businesses – those that process more than six million credit card transactions a year – are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Other levels can fill in an annual self-assessment questionnaire and have an approved vendor conduct quarterly network scans.
The PCI DSS assessment is a detailed review of an organisation’s cardholder data environment (CDE) using a standard methodology and reporting. By completing the audit, you gain:
- A complete review of your CDE and the risks you need to manage;
- An accurate assessment of where you stand in relation to the requirements;
- Evidence that your controls are in place and working effectively; and
- Independent recommendations that will help you close any identified gaps.
Common points of failure
When reviewing what merchants are doing to protect their customers’ payment card data, auditors typically find the following problems:
- Unnecessary storage of payment card data and a lack of network segmentation to isolate the data from less secure parts of the network.
- Failing to implement access controls that limit which employees have access to valuable data.
- Poor or no network activity logs, which make it nearly impossible to spot someone trying to access payment card data.
- Inconsistent or flawed encryption across a company’s systems, especially where cardholder data travels from one system to another.
- No or infrequent scans for software vulnerabilities combined with poorly configured firewalls and routers.
- Failing to establish and communicate a security incident response procedure that has been tested and updated based on the results from your annual risk assessment.
What a PCI DSS auditor wants
In an ideal world, auditors want the audit liaison or compliance officer to have:
- A completed PCI audit checklist;
- An understanding of the PCI DSS 3.2;
- A printed copy of the previous year’s Report on Compliance (RoC);
- An understanding of the PCI DSS scope;
- Evidence of quarterly scanning and penetration testing to assess recent vulnerabilities;
- Evidence of regular event log checks; and
- Documentation on how third-party security risks are mitigated.
Talk to your auditor during the year
Throughout the year, businesses grow, CDEs change and PCI DSS requirements are amended. Accurate documentation and personnel who are kept up to date help an auditor get up to speed on the environment as quickly as possible. The quicker an auditor gets up to speed, the quicker you get through your audit.
If you want to learn more about achieving and maintaining PCI DSS compliance, download our free green paper PCI DSS: Audit success in nine essential steps. This green paper will help organisations prepare effectively for a PCI audit and ensure a successful audit outcome. It covers:
- Nine essential tips to prepare for a successful RoC audit
- A checklist of what the auditor will be looking out for on the day
- Invaluable tips to avoid unnecessary delays and frustrations
- How to identify non-conformities before the audit takes place
- How to choose the right QSA