Preparing for the PCI audit can be daunting, especially if you are new to the PCI DSS world or if your organisation has a complex data environment. The type of audit you have to provide – either a report on compliance (RoC) or a self-assessment questionnaire (SAQ) – depends on:
- Whether you are a merchant or service provider;
- Your level of merchant/service provider as defined by the payment brand;
- The compliance requirements of the payment brand.
To help you succeed in preparing for a PCI audit, IT Governance’s Qualified Security Assessors and experts compiled a list of 9 essential steps you should keep in mind.
1. Find out where your data resides (and hides)
Understanding where cardholder data resides and how it is stored should be the first step of the process. A data flow diagram can help you identify every location and every flow of data (as mandated in PCI DSS Requirement 1) that you need to protect.
2. Reduce the scope where possible
The data flow diagram you created in step 1 will help you understand how you can move your systems and data, in other words change your infrastructure, to reduce the scale of the implementation and minimise the associated risks.
3. Get your documentation in order
Auditors need to review processes, log files, policies, procedures and network flow diagrams in detail, so having the documentation that supports your processes in order and ready to be browsed is crucial.
4. Conduct a review of your service providers
Even if data is stored with third-party providers, the PCI DSS states that the responsibility for compliance rests with your organisation. Consequently, you should clearly define the roles and responsibilities of each service provider and which party is responsible for which control.
To read the last 5 steps for PCI audit success, download the free green paper PCI Audit Success: In nine essential steps.
By following these tips, your PCI audit is likely to be successful first time round. IT Governance is an approved QSA company that can help you throughout the entire process, from the early scoping steps and gap analysis to remediation support and the audit itself.