Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is demonstrated through audit of the cardholder data environment. The type of audit depends on the compliance requirements of the payment brand and the level of the merchant/service provider as defined by that brand (read more about that in this blog).
Preparing for the audit
Preparing for the PCI audit can be challenging, especially if your organisation has a complex data environment. Follow the suggestions below to maximise your chance of meeting your compliance requirements.
Find out where your data resides (and hides)
First things first: you need to know where cardholder data is stored and how it is processed. Create a data flow diagram to help identify all locations and flows of data (as demanded by PCI DSS Requirement 1). Doing so will make it easier to identify those systems that require protection.
Reduce the scope wherever possible
Based on an analysis of your network segmentation and data flow diagram, you should be able to relocate systems and data so that fewer components fall within the cardholder data environment. Shrinking the scope in this way reduces the size of the implementation and the risk that comes with it.
Get your documentation in order
It is crucial to ensure that your documentation is complete because it provides evidence of compliance. The auditor will review your processes, log files, policies, procedures and network flow diagrams.
Conduct a review of your service providers
Even when data is stored with third-party providers, the responsibility for compliance rests with the organisation. Ensure that your partners and suppliers do not represent a risk by clearly defining their roles and responsibilities.
Carry out regular penetration testing
The results of penetration tests can be used to provide evidence of compliance and to identify areas of your network that might not be secure. Auditors look for regular and frequent penetration testing, especially after any changes to the cardholder data environment.
Ensure you have properly documented your monitoring and audit logs
Retention of evidence is critical to demonstrate that your company is compliant with the PCI DSS and fulfils its duty consistently. In the early stages of implementation, check that your storage capacity is sufficient to avoid any future problems with retention.
Choose a reputable PCI QSA
The validation of PCI compliance can only be conducted by a Qualified Security Assessor (QSA). A QSA may take any one of a number of different auditing and remediation approaches, so make sure that the QSA you select is experienced enough to work with your organisation.
Do your homework
Make sure all procedures, documentation and requirements are in place before the auditor comes to your organisation, to demonstrate that you are prepared for the audit.
Set up a pre-audit assessment
A mock audit helps you to identify potential nonconformities and areas of concern so you can take remedial action before the real audit, increasing the chances of success.
Download this free green paper to read more about the nine key points.
If you follow these tips, your PCI implementation project is likely to go as smoothly as planned. As an approved QSA company, we can help you throughout the entire process, from scoping and gap analysis, to remediation support and audit.