The feared a-word: audits.
The one thing about security compliance is that if you can’t prove it – it doesn’t count. So, audits are an organization’s way of proving that they’re walking the walk and that when it comes to security, although it’s easier said than done – your organization’s done it, and you’ve got the receipts to prove it. So, here’s our ultimate guide on preparing for your PCI DSS audit so you can ace it the first time around.
What is PCI DSS, anyway?
PCI stands for ‘Payment Card Industry’. In 2004, all five major credit card companies joined forces and called themselves The PCI Security Standards Council (PCI SSC). Their first order of business? To create a set of security standards for companies that process payment information, specifically cardholder data. This security standard is known as the Payment Card Industry Data Security Standard (PCI DSS).
If your business meets all of the PCI DSS requirements, you’re PCI DSS compliant and have done due diligence to protect your business and customers from data theft, cyberattacks and credit card fraud.
What is a PCI DSS audit?
A PCI DSS audit runs a series of tests to determine whether or not a business is PCI DSS-compliant. If the audit reveals that your business is exposed in some areas, no worries (okay, maybe some worries); your auditor or PCI DSS partner will present you with a clear roadmap highlighting which areas you need to focus on.
Ultimately, an audit is a powerful tool to ensure compliance and to actively mitigate all risks. It’s also critical to determine your security posture and overall compliance. However, getting audit-ready (without the right tool) can be a time-consuming and resource-intensive process. Naturally, it isn’t a process you’d like to fail and repeat numerous times.
Who Must Obtain a PCI DSS Audit?
If you’re a service provider or merchant that processes, accepts, transmits or stores debit card or credit card information – tag, you’re it! If you think it’s a large scope, you’re 100% correct. PCI DSS compliance is mandatory for virtually any business accepting card payments or donations via card or digital transactions.
However, it’s essential to understand that although it’s mandatory, it’s not a law. But that’s by no means a free pass. It simply means that compliance is mandated by the contracts between merchants and card brands (Visa, MasterCard, etc.) and the relevant banks that handle the payment processing. If you’re non-compliant, you can still face heavy financial penalties, although no civil charges will apply.
So that’s compliance, but what about audits – the real crux of the matter?
The audit process may differ depending on your merchant-level status and preferred payment brand. Within PCI DSS, there are four designated levels of compliance and audit requirements:
PCI DSS Merchant Level 1:
This includes all merchants that have reached the 6 million transaction threshold per year (across all channels). This level also consists of any merchant that has experienced a data breach. Level one merchants are required to undergo annual third-party audits. In addition, all level-one merchants must receive annual network scans via an approved scanning vendor. Lastly, all level-one merchants must receive an Attestation of Compliance (AoC) and a Report on Compliance (RoC).
PCI DSS Merchant Level 2:
Level two merchants include all businesses with between 1 million and 6 million annual transactions across all channels. All merchants from level two to level four must complete a PCI DSS Self-Assessment Questionnaire (SAQ) that the company’s senior management team must sign off on. Additionally, quarterly network scans are required through approved scanning vendors.
PCI DSS Merchant Level 3:
This level includes all merchants with between 20,000 and 1 million online transactions annually. As mentioned above, if you are classified as a level three merchant, you must complete an SAQ signed off by senior management and conduct quarterly network scans.
PCI DSS Merchant Level 4:
If you’ve got fewer than 20,000 online transactions annually, you’re a level 4 merchant! This also includes businesses processing up to 1 million in-person transactions annually. Level four merchants must complete an SAQ form (signed by senior management) and undergo quarterly network scans by approved scanning vendors.
How does a PCI DSS audit work?
Ultimately, the goal of an audit is to identify and highlight any areas of non-compliance. Moreover, audits offer guidance on restoring compliance or demonstrating that you have addressed any issues and areas of concern.
Official audits can only be conducted by an external Qualified Security Assessor (QSA). QSAs are verified by the PCI DSS council and are experts on all aspects of data security regarding the PCI DSS standard. However, you must determine your PCI DSS scope before your QSA can conduct an on-site audit. Scoping allows an organization to determine the parameters of an upcoming audit. It’s up to each organization to identify all business areas and systems that contain cardholder data within its cardholder data environment (CDE). Scoping must be done annually and before an assessment is conducted.
Once you have selected an appropriate external auditor and narrowed the scope of the evaluation, your QSA will look into various areas of your organization and how you’ve implemented security controls to meet the 12 PCI DSS security requirements. But rest assured; your QSA auditor is in your corner.
Their primary responsibility is to see whether any cardholder data could potentially be compromised, not to penalize your organization. Your auditor will test your cardholder data environment, including devices, networks or applications that handle cardholder information and look at your overall security posture, including all policies and procedures.
Additional QSA responsibilities include:
- Documenting and authenticating all technical information
- Evaluating and approving your predetermined assessment scope
- Following all PCI data assessment protocols
- Producing and submitting a comprehensive Final Report
As with all compliance and security frameworks, it’s important to remember that there is no grand finale where you get to hang up your hat and tick ‘compliance’ off your to-do list. The final audit stage is always an ongoing and continuous process monitoring all data security systems, policies and procedures. After all, it’s not about getting compliant; it’s about staying compliant. Many businesses conduct regular PCI DSS scans, penetration tests and event log monitoring to ensure that their security controls meet PCI DSS requirements and standards.
Steps to prepare for your PCI DSS audit
Understanding who needs an audit, why you need it and how it works is one thing, but how can you ensure that when it comes to your business, you’re well-prepared and ready to ‘wow’ your QSA?
Here are a few things to keep in mind to best prepare for your PCI DSS audit. You may have picked up a few valuable tips on preparing throughout the article, but in the spirit of efficiency, we’ve compiled them into six easy steps.
Quick disclaimer: We’re assuming you’ve already implemented the security controls and necessary policies and procedures needed to meet the 12 security requirements of PCI DSS compliance. If not, this is priority number one before you can start prepping for an audit. Drawing a blank on the exact requirements? Take a quick detour to our article on PCI DSS compliance for a quick recap. Alternatively, if you’ve got your controls locked and loaded, here’s a general overview of what you need to do:
Step 1: Define your PCI DSS audit scope
Determining your PCI DSS assessment scope requires organizations to pinpoint all people, processes, and technologies that could impact cardholder data security. Bear in mind that you need to keep a detailed record of how your scope was determined so your auditor can double-check it.
Step 2: Complete a risk assessment
Organizations should identify their relevant security risk areas and manage them accordingly by performing a risk assessment. Effective risk analysis provides insights into the security threats and vulnerabilities of your policies, processes, people and systems.
Step 3: Find a Qualified Security Assessor (QSA)
QSAs are vetted and approved by the PCI council. Businesses can browse and select their preferred QSA on the council’s official website. Alternatively, your Internal Security Assessor (ISA) can also conduct an annual PCI audit, provided that they have received PCI Security Standards Council training and certification.
Step 4: Conduct a gap analysis
A gap analysis enables you to identify any areas of exposure and actively address any gaps.
Step 5: Complete your QSA-led assessment
After you’ve conducted and addressed your gap analysis, it’s time for the official assessment. The QSA will assess, evaluate and test all security controls and systems, including policies.
Step 6: Address security concerns
Before you receive a Report on Compliance (RoC), your QSA will guide you through missing controls, risks and vulnerabilities and how to address and resolve them. Once addressed and resolved, your QSA will review them once again. If approved, you will receive your RoC, signifying you’re PCI compliant.
Step 7: Monitor your PCI DSS controls
Staying compliant is where the real work begins. The final (and ongoing) step is to continuously monitor your security controls and undergo continuous risk management to ensure there are no areas of non-compliance. This includes mandatory annual audits to keep your compliance steady and risk-free.
Everything you need to become PCI DSS compliant 90% faster
We’ve got your back when it comes to compliance! Break down the entire PCI DSS process into one easy-to-use automated platform. At Scytale, we break the stereotype of what it means to get and stay compliant by replacing complicated with confidence. Ready to ace your audit? Our compliance superheroes will walk you through the process step-by-step, ensuring you avoid breaches or fines with shatterproof security that meets PCI DSS standards.