Understanding PCI compliance auditing

Any business that stores, processes or transmits payment card data, whatever its size, must validate its compliance with the Payment Card Industry Data Security Standard (PCI DSS), which sets out the controls for protecting cardholder data both while it is transmitted during credit or debit card transactions and while it is stored.

Validation levels are set by the card brands rather than by the Standard itself. For Visa and Mastercard, Level 1 merchants, those processing more than six million card transactions a year, are subject to an annual on-site assessment performed by a Qualified Security Assessor (QSA) or, where the brand permits it, a certified Internal Security Assessor, plus quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). Merchants at the other levels can complete an annual self-assessment questionnaire (SAQ) instead of the on-site assessment and, depending on which SAQ applies, still need an ASV to conduct quarterly scans.

The PCI DSS assessment is a detailed review of an organisation’s cardholder data environment (CDE), meaning the people, processes and systems that store, process or transmit cardholder data together with any systems connected to them, using a standard methodology and reporting format. By completing the audit, you gain:

  • A complete review of your CDE and the risks you need to manage;
  • An accurate assessment of where you stand in relation to the requirements;
  • Evidence that your controls are in place and working effectively; and
  • Independent recommendations that will help you close any identified gaps.

Common points of failure

When reviewing what merchants are doing to protect their customers’ payment card data, auditors typically find the following problems:

  • Unnecessary storage of payment card data (full PANs sitting in logs, databases or spreadsheets that the business process does not need) and a lack of network segmentation to isolate the CDE from less secure parts of the network; without segmentation, the whole network falls into scope.
  • Failing to implement access controls that restrict cardholder data to the employees whose job actually requires it.
  • Poor or missing audit logs for systems in the CDE, which make it nearly impossible to spot someone trying to access payment card data, or to reconstruct what happened after a breach.
  • Inconsistent or flawed encryption, especially of cardholder data in transit as it passes from one system to another, and weak management of the keys that protect stored data.
  • No or infrequent vulnerability scans, combined with poorly configured firewalls and routers that leave the CDE exposed.
  • Failing to establish and communicate a security incident response procedure that has been tested and updated based on the results of the annual risk assessment.

What a PCI DSS auditor wants

In an ideal world, auditors want the audit liaison or compliance officer to have:

  • A completed PCI audit checklist;
  • An understanding of PCI DSS v3.2, the version current at the time of writing;
  • A printed copy of the previous year’s Report on Compliance (RoC);
  • An understanding of the PCI DSS scope;
  • Evidence of quarterly vulnerability scans and of penetration testing (at least annually and after any significant change) to assess recent vulnerabilities;
  • Evidence of regular event log checks; and
  • Documentation on how third-party security risks are mitigated.

Talk to your auditor during the year

Throughout the year, businesses grow, CDEs change and PCI DSS requirements are amended. Keeping documentation current and briefing personnel on those changes helps an auditor get up to speed on the environment as quickly as possible, and the quicker an auditor gets up to speed, the quicker you get through your audit.

If you want to learn more about achieving and maintaining PCI DSS compliance, you should attend PCI DSS: Audit success in nine essential steps. This webinar shows you:

  • Essential areas to help prepare for a successful PCI audit;
  • How to identify nonconformities before the audit; and
  • How to choose the right Qualified Security Assessor.

This webinar will take place on 17 January 2017, from 3:00–4:00 pm. If you can’t make it, the presentation will be available to download from our website.