What Does a PCI DSS Audit Look Like?
PCI compliance is a hot topic these days. While payment processing once seemed like the domain of large enterprises and retailers, the expansion of cloud-based processing and online storefronts has blurred the lines between processors, merchants and secure, compliant systems.
Many organizations seek their PCI compliance certification to cover their bases with payment processing and data storage. As these enterprises collect card data, payment information, and other data types, this compliance helps them maintain good standing with the credit card companies and their customers.
Learn the basics of PCI compliance and auditing in this article.
What Is PCI Compliance?
Payment Card Industry Data Security Standard (PCI DSS) is a form of security compliance implemented by the major credit card providers (Visa, Mastercard, American Express, Discover and JCB) to govern how merchants and payment processors secure transactions against data theft and fraud.
PCI compliance isn’t mandated by U.S. law. Instead, it is an industry standard enforced by the credit card providers. Non-compliance can lead to substantial fines, limited processing capacity and even revocation of processing privileges within the major card networks.
PCI Compliance is predicated on 12 requirements:
- Use and Maintain Firewalls: Processors must implement firewalls at the perimeter of systems and devices where cardholder data is stored and processed as a line of defense against attacks.
- Proper Password Protections: Organizations must ensure strong passwords are used on all relevant devices, updated from default password settings, and require users to update passwords regularly.
- Protect Cardholder Data: All cardholder data must be encrypted, and any encryption keys used must also be encrypted. Furthermore, systems must be scanned regularly to ensure that no cardholder data is unencrypted.
- Encrypt Transmitted Data: Any cardholder data transmitted through processing devices or within a business must also be encrypted.
- Use Antivirus Software: Any devices interacting with cardholder data and account numbers must have updated antivirus software in place, including internal servers, devices and Point of Sale (POS) systems.
- Properly Update Software: All software, security platforms, firewalls and antivirus systems should be kept current with the latest patches so that their security measures remain intact.
- Restrict Data Access: Cardholder data should only be accessed by the minimum number of relevant parties needed to handle that data, on a “need-to-know” basis.
- Use Unique IDs for Access: Any individual accessing systems storing cardholder data must use unique digital identities with a unique identification (such as an ID number) to support event tracking and forensics.
- Restrict Physical Access: Systems storing and processing cardholder information must remain physically secure. This includes secured data centers, secured workstations and mobile devices, and monitored office locations (security cameras, door locks, etc.).
- Create and Maintain Access Logs: All interactions with cardholder data must include audit logging to track engagement and potential security threats. This also includes supporting capabilities to understand how data moves across a system to identify and mitigate transfers through non-compliant or unprotected systems.
- Scan and Test for Vulnerabilities: Organizations must deploy regular and thorough vulnerability scanning against technical systems, employee access and network resources.
- Document Policies: Inventories of resources, data assets, personnel and relevant policies around those items must be documented and updated for auditing purposes.
These 12 requirements form the basis of compliance, and as such, all PCI audits will revolve around adherence to them. Depending on the specific system implementation of the merchant or payment processor, these categories encompass up to 281 different criteria.
What Is a PCI DSS Audit?
A PCI audit is predicated on the size of the merchant:
- A Level 1 Merchant processes 6 million or more transactions per year.
- A Level 2 Merchant processes between 1 and 6 million transactions per year.
- A Level 3 Merchant processes between 20,000 and 1 million transactions per year.
- A Level 4 Merchant processes less than 20,000 transactions per year.
Not all credit card providers use the same levels; for example, Discover and American Express do not include Level 4, and JCB doesn’t have Levels 3 or 4.
An audit will focus on what is known as your Cardholder Data Environment (CDE), which includes POS systems, card scanners, chip readers, internal servers and any network device through which data travels.
The audit will move forward based on the Merchant Level of the organization:
- Level 4, 3 and 2 Merchants must typically complete an annual Self-Assessment Questionnaire (SAQ) covering their security systems and compliance efforts, and work with an Approved Scanning Vendor (ASV) to conduct quarterly network scans.
- Level 1 Merchants must, in lieu of an SAQ, complete a Report on Compliance (ROC) once yearly through a Qualified Security Assessor (QSA), an authorized PCI auditor. They must also conduct quarterly scans through an ASV.
Audits through a QSA are relatively straightforward because PCI DSS compliance is well-defined. However, the initial audit through the QSA could take up to two years to complete.
Automate PCI Compliance with Continuum GRC
While PCI DSS compliance is straightforward, that doesn’t mean it is easy. Auditors will want access to documentation, reports and system inventories, and if your organization isn’t prepared, the audit could take significantly longer than it has to.
Continuum GRC streamlines this process with comprehensive automation and cloud-based systems that reduce auditing times from weeks to days, while also reducing the accuracy and effectiveness problems that come with stone-age tools like spreadsheets and email.
Are You Preparing for PCI Audits?
Call Continuum GRC at 1-888-896-6207 or complete the form below.