The feared a-word: audits.
The one thing about security compliance is that if you can’t prove it – it doesn’t count. So, audits are an organization’s way of proving that they’re walking the walk and that when it comes to security, although it’s easier said than done – your organization’s done it, and you’ve got the receipts to prove it. So, here’s our ultimate guide on preparing for your PCI DSS audit so you can ace it the first time around.
What is PCI DSS, anyway?
PCI stands for ‘Payment Card Industry’. In 2004, all five major credit card companies joined forces and called themselves The PCI Security Standards Council (PCI SSC). Their first order of business? To create a set of security standards for companies that process payment information, specifically cardholder data. This security standard is known as the Payment Card Industry Data Security Standard (PCI DSS).
If your business meets all of the PCI DSS requirements, you’re PCI DSS compliant and have done due diligence to protect your business and customers from data theft, cyberattacks and credit card fraud.
What is a PCI DSS audit?
A PCI DSS audit runs a series of tests to determine whether or not a business is PCI DSS-compliant. If the audit reveals that your business is exposed in some areas, no worries (okay, maybe some worries); your auditor or PCI DSS partner will present you with a clear roadmap highlighting which areas you need to focus on.
It’s important to distinguish between the types of PCI DSS audits. Internal audits are conducted by the organization itself to prepare for external validation. External audits are performed by a Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA) for larger organizations. While a QSA provides an independent validation of compliance, an ISA, who is trained and certified by the PCI Security Standards Council, conducts internal assessments to support ongoing compliance efforts.
External audits, especially those conducted by QSAs, are more rigorous and are typically required for businesses processing a large volume of transactions. These audits involve an in-depth examination of the organization’s adherence to the PCI DSS requirements, encompassing both technical and operational aspects.
Ultimately, an audit is a powerful tool to ensure compliance and to actively mitigate risk. It’s also critical to determining your security posture and overall compliance. However, getting audit-ready (without the right tool) can be a time-consuming and resource-intensive process. Naturally, it isn’t a process you’d like to fail and repeat numerous times.
Who must obtain a PCI DSS audit?
If you’re a service provider or merchant that processes, accepts, transmits or stores debit card or credit card information – tag, you’re it! If you think it’s a large scope, you’re 100% correct. PCI DSS compliance is mandatory for virtually any business accepting card payments or donations via card or digital transactions.
However, it’s essential to understand that although it’s mandatory, it’s not a law. But that’s by no means a free pass. It simply means that compliance is mandated by the contracts between merchants and card brands (Visa, MasterCard, etc.) and the relevant banks that handle the payment processing. If you’re non-compliant, you can still face heavy financial penalties, although no civil charges will apply. This contractual obligation underscores the critical importance of adhering to PCI DSS standards, not only to avoid penalties but also to maintain trust and credibility with card brands and customers.
So that’s compliance, but what about audits – the real crux of the matter?
The audit process may differ depending on your merchant-level status and preferred payment brand. Within PCI DSS, there are four designated levels of compliance and audit requirements:
PCI DSS Merchant Level 1:
Merchant Criteria:
- Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year.
- Any merchant that has had a data breach or attack that resulted in an account data compromise.
- Any merchant identified by any card association as Level 1.
Validation Requirements:
- Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company.
- Quarterly network scan by an Approved Scan Vendor (“ASV”).
- Attestation of Compliance Form.
PCI DSS Merchant Level 2:
Merchant Criteria:
- 1 million – 6 million Visa or MasterCard transactions annually (all channels).
Validation Requirements for Visa and MasterCard:
- Annual Self-Assessment Questionnaire (“SAQ”).
- Quarterly network scan by an ASV.
- Attestation of Compliance Form.
PCI DSS Merchant Level 3:
Merchant Criteria:
- Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
Validation Requirements for Visa and MasterCard:
- Annual Self-Assessment Questionnaire (“SAQ”).
- Quarterly network scan by an ASV.
- Attestation of Compliance Form.
PCI DSS Merchant Level 4:
Merchant Criteria:
- Less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.
Validation Requirements for Visa and MasterCard:
- Annual Self-Assessment Questionnaire (“SAQ”).
- Quarterly network scan by an ASV.
- Attestation of Compliance Form.
The level of a merchant determines the rigor and frequency of the audits. Higher-level merchants, due to their high volume of transactions, face more stringent audit requirements. These audits are crucial in identifying and rectifying potential vulnerabilities in the cardholder data environment (CDE).
How does a PCI DSS audit work?
Ultimately, the goal of an audit is to identify and highlight any areas of non-compliance. Moreover, audits offer guidance on restoring compliance or demonstrating that you have addressed any issues and areas of concern. It is important to note that the audit is not just a check-box exercise but a comprehensive evaluation of your security practices and procedures, ensuring that they align with the stringent requirements of the PCI DSS.
Official audits can only be conducted by an external Qualified Security Assessor (QSA). QSAs are verified by the PCI SSC and are experts on all aspects of data security regarding the PCI DSS standard. However, you must determine your PCI DSS scope before your QSA can conduct an on-site audit. Scoping allows an organization to determine the parameters of an upcoming audit. It’s up to each organization to identify all business areas and systems that store, process or transmit cardholder data within its cardholder data environment (CDE). Scoping must be done annually and before an assessment is conducted.
Once you have selected an appropriate external auditor and narrowed the scope of the evaluation, your QSA will look into various areas of your organization and how you’ve implemented security controls to meet the 12 PCI DSS security requirements. But rest assured: your QSA is in your corner.
Their primary responsibility is to see whether any cardholder data could potentially be compromised, not to penalize your organization. Your auditor will test your cardholder data environment, including devices, networks or applications that handle cardholder information and look at your overall security posture, including all policies and procedures.
Additional QSA responsibilities include:
- Document and authenticate all technical information.
- Evaluate and approve your predetermined assessment scope.
- Follow all PCI data assessment protocols.
- Produce and submit a comprehensive Final Report.
As with all compliance and security frameworks, it’s important to remember that there is no grand finale where you get to hang up your hat and tick ‘compliance’ off your to-do list. The final audit stage is always an ongoing and continuous process monitoring all data security systems, policies and procedures. After all, it’s not about getting compliant; it’s about staying compliant. Many businesses conduct regular PCI DSS scans, penetration tests and event log monitoring to ensure that their security controls meet PCI DSS requirements and standards.
Steps to prepare for your PCI DSS audit
Understanding who needs an audit, why you need it and how it works is one thing, but how can you ensure that when it comes to your business, you’re well-prepared and ready to ‘wow’ your QSA?
Here are a few things to keep in mind to best prepare for your PCI DSS audit. You may have picked up a few valuable tips on preparing throughout the article, but in the spirit of efficiency, we’ve compiled them into seven easy steps.
Quick disclaimer: We’re assuming you’ve already implemented the security controls and the necessary policies and procedures needed to meet the 12 security requirements of PCI DSS compliance. If not, this is priority number one before you can start prepping for an audit. Drawing a blank on the exact requirements? Take a quick detour to our article on PCI DSS compliance for a quick recap. Alternatively, if you’ve got your controls locked and loaded, here’s a general overview of what you need to do:
Step 1: Define your PCI DSS audit scope
Determining your PCI DSS assessment scope requires you to pinpoint all people, processes and technologies that could impact cardholder data security. Keep a detailed record of how your scope was determined so your auditor can double-check it.
Step 2: Complete a risk assessment
Organizations should identify their relevant security risk areas and manage them accordingly by performing a risk assessment. Effective risk analysis provides insight into the security threats and vulnerabilities affecting your policies, processes, people and systems.
Step 3: Find a Qualified Security Assessor (QSA)
QSAs are vetted and approved by the PCI SSC. Businesses can browse and select their preferred QSA on the council’s official website. Alternatively, your Internal Security Assessor (ISA) can also conduct an annual PCI audit, provided that they have received PCI Security Standards Council training and certification.
Step 4: Conduct a gap analysis
A gap analysis enables you to identify any areas of exposure and actively address any gaps.
Step 5: Complete your QSA-led assessment
After you’ve conducted and addressed your gap analysis, it’s time for the official assessment. The QSA will assess, evaluate and test all security controls and systems, including policies.
Step 6: Address security concerns
Before you receive a Report on Compliance (ROC), your QSA will guide you through missing controls, risks and vulnerabilities and how to address and resolve them. Once they are addressed and resolved, your QSA will review them once again. If approved, you will receive your ROC, signifying that you’re PCI DSS compliant.
Step 7: Monitor your PCI DSS controls
Staying compliant is where the real work begins. The final (and ongoing) step is to continuously monitor your security controls and practice continuous risk management to ensure there are no areas of non-compliance. This includes mandatory annual audits to keep your compliance steady and risk-free. Regularly monitoring and updating your security measures is crucial to adapting to the evolving landscape of cybersecurity threats and maintaining a robust defense against potential breaches.
Everything you need to become PCI DSS compliant 90% faster
We’ve got your back when it comes to compliance! Break down the entire PCI DSS process into one easy-to-use automated platform. At Scytale, we break the stereotype of what it means to get and stay compliant by replacing complicated with confidence. Ready to ace your audit? Our compliance superheroes will walk you through the process step-by-step, ensuring you avoid breaches or fines with shatterproof security that meets PCI DSS standards.