What Is a PCI Compliance Audit, and How Should You Prepare for It?
The Payment Card Industry (PCI) refers to organizations that process, store, and transmit credit card and debit card information. They must follow rigorous security standards because they deal with critical and sensitive data. Stolen financial data accounts for almost 50% of all identity theft.
PCI businesses follow the PCI Data Security Standards (PCI DSS), which was developed by the PCI Security Standards Council (PCI SSC). The ultimate goal of the PCI DSS is to prevent cardholder data breaches.
The PCI SSC was established by the major payment card brands: Mastercard, Visa, Discover, American Express, and others. So, the PCI DSS is an industry framework, not a regulatory one.
The PCI DSS standards specify best-in-class security measures to enhance and assure the security of cardholder data. The standards comprise twelve technical and operational requirements. They have been designed to reduce card-related fraud and safeguard Cardholder Data (CHD) and the Cardholder Data Environment (CDE).
PCI Audit Overview
What is PCI Compliance?
The PCI SSC requires that all merchants and service providers that work with payment cards comply with the PCI DSS.
What is a PCI Compliance Audit?
A PCI Compliance Audit (also referred to as a PCI Audit or a PCI DSS Audit) checks whether the security standards adopted by the business comply with the 12 requirements mandated by the PCI DSS. It comprises a series of assessments to verify that the business is PCI compliant.
The Benefits of a PCI Audit
Cisco has found that for every dollar spent on securing data, companies receive $2.70 in benefits. Salesforce studies show that 84% of consumers are more loyal to businesses that have robust security measures in place. The average data breach costs $4.24 million.
Compliance with the PCI DSS standards helps organizations protect cardholder data. Many businesses only work with PCI compliant outfits, so proving compliance provides opportunities to expand your business. Many businesses will not work with non-compliant vendors. Non-compliance may result in fines ranging from $5000 to $500,000. Credit card companies may revoke your right to process cards. You may even go out of business.
These assorted risks should serve as a good reminder for why it important to maintain PCI Compliance and submit to audits whenever necessary.
PCI Audit Checklist
How Should a Company Prepare for a PCI Audit?
The PCI Compliance Audit requirements are pretty daunting. A PCI Audit is not a test that you can pass by cramming overnight. It requires rigorous preparation over an extended period. The more extensive your groundwork, the smoother the audit is likely to be. Here are the steps that a business should take to prepare for an audit.
Create a Dedicated Team
Security is everyone’s responsibility. However, it makes sense to create a team dedicated to achieving and maintaining PCI compliance. It helps if team members have prior PCI expertise or training. Every member of the team should have specific powers and responsibilities. The team should also have a designated leader who is ultimately accountable for the organization passing the PCI audit.
Understand Where Your Sensitive Data Lives
Start off by creating a diagram or list of your Data Inventory, showing where your CHD resides and how it flows. Ensure that you store and transmit sensitive data securely. Verify that you have protected all vulnerable points.
Determine the Scope of the Audit
The PCI DSS consists of 12 fundamental requirements, dozens of sub-requirements, and hundreds of sub-sub-requirements. Not all of them would apply to your business. You should assess which requirements are pertinent to you.
Reduce the Scope of the Audit
Clearly, complying with hundreds of requirements is difficult even for companies with abundant resources. So, try to reduce the number of requirements with which you need to be compliant. One way is by segmenting your data storage and networks such that you store CHD and non-CHD data separately. This reduces your area of vulnerability, which makes compliance and audit preparation easier.
Self-Audit To Check How Compliant You Are With Every Requirement
Before proceeding with the third-party audit, perform a self-audit to measure the extent of compliance. The PCI DSS requirements change regularly. The PCI SSC often upgrades best practices (or recommendations) to requirements. Be aware that you may not be as compliant as you think. Fix any non-compliance found.
Note that your service providers and sub-contractors, if they deal with CHD, must also be compliant with the PCI DSS requirements. You will fail your PCI audit if they are non-compliant in any way.
Test Your Controls
Make sure that the CDE is protected from breaches by actually testing it with specialized tools or test agencies. Web Application Testing, Vulnerability Scanning, Penetration Testing all may need to be done by experts in those fields. The PCI DSS contains specific requirements for each of these.
The point-of-sale terminal, the payment processing application, cardholder data storage, and network components should all be tested.
Document Your Compliance
Auditors will ask to see documentation to verify that your compliance is not just at that moment in time, but is an ongoing reality. Keep all documents readily accessible. Also, update all documentation regularly to reflect reality. Documents should not depict an idealized representation. Auditors will spot discrepancies between what you present and what actually exists.
Hire a Compliance Partner
You could consider hiring a PCI SSC-approved compliance partner to help you during your certification journey. Experienced QSAs stay on top of changing PCI DSS requirements and can offer instructive advice on resolving non-compliances.
PCI Compliance Audit Requirements
There are 12 main PCI DSS Requirements. In brief, they are:
- Install a firewall configured to protect CHD
- Change vendor-supplied passwords and security parameters before use
- Protect stored CHD
- Encrypt CHD when sending over public networks
- Deploy anti-virus programs and update them frequently
- Develop secure applications. Use secure systems.
- Restrict access to cardholder data
- Prevent any sharing of User IDs
- Restrict physical access to CHD
- Keep tabs on network and CHD accesses
- Regularly test the security of your systems, applications, and operations
- Publish and enforce an Information Security Policy
What Happens During a PCI Audit
The QSA (Qualified Security Assessor) you have hired will take the following steps to audit you.
Pre-Onsite Gap Analysis
The QSA will work with your team to understand your business, the services you provide, and how your daily operations involve PCI. They will perform a preliminary gap analysis of your PCI DSS compliance and share a feedback and remediation checklist with you. Then, they will guide you on how to close the gap.
This prefers to the actual audit. The QSA will visit your premises to assess your compliance and collect evidence. Some auditors provide an online portal for submitting information and evidence during the actual audit. This speeds up the audit because a lot of the audit process gets completed even before the auditor shows up at your location.
Remediation and Testing
If the audit throws up non-compliances, you will need to address and remedy them. An experienced QSA will advise you on how to fix the non-compliances and then repeat the audit.
Finally, the QAC issues a Report of Compliance (ROC) certifying that your organization is compliant with the PCI DSS requirements. The QAC will submit the ROC to the PCI Council on your behalf. After the PCI Council reviews the report, it may ask for clarifications or additional information. If you have hired an auditing organization, then they will typically handle the communication with the PCI Council on your behalf.
How Often Are PCI Audits Required?
The frequency and type of audit are dependent on the organization’s type and level.
Organization Types and Levels
Organizations may be of two types–merchants or service providers, and then types can then be ranked in levels from Level 1 to Level 4. In this context, Level 1 refers to the highest level of risk, with Level 4 being the lowest level of risk.
A merchant is any entity that accepts payment cards bearing the logos of its members (like Amex, Mastercard, or Visa). Merchants can be at Levels 1 through 4, depending on the annual volume of transactions.
A service provider is an entity that is involved in processing, storing, or transmitting cardholder data. AWS (Amazon Web Services), Azure, and Google Cloud are all PCI service providers. Service providers may be at Level 1 or 2, depending on the annual volume of transactions.
A merchant or service provider which has suffered any data breaches or cyberattacks that have led to the loss of cardholder data is automatically considered to be at Level 1.
More information on PCI DSS levels can be found here.
How Organization Types and Levels Affect PCI Audits
Level 1 merchants and service providers need to undergo annual onsite PCI audits performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). A Report on Compliance (ROC) needs to be generated. In addition, an Approved Scan Vendor (ASV) should conduct a network security scan every quarter. They should then complete and submit an Attestation of Compliance Form.
All other merchants and service providers simply need to complete a Self-Assessment Questionnaire (SAQ) annually done by a certified Internal Security Assessor (this can be an employee), or an onsite audit by an approved Quality Security Assessor.
Besides this, all service providers should also do a Penetration Test and Internal Scan for compliance.
Remember that the purpose of being PCI compliant is to secure your Cardholder Data and Cardholder environment so that the data remains protected and safe. Being always aware of this responsibility and taking steps to be compliant will help you pass the PCI Audit easily and get re-certified every year.