What is the PCI DSS Audit Checklist?
Published July 29, 2019
Yearly audits to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) can be nerve-wracking and expensive. Preparing for that first audit alone can take two years and cost $50,000 or more.
Steps to Success
For Level 1 merchants and service providers, there’s no avoiding the hassle or expense of an on-site audit. You can, however, reduce your stress levels by using our PCI DSS audit checklist to prepare.
Following these simple steps can help you streamline the audit process and feel confident of a good outcome:
1. Determine your scope. PCI DSS has 12 requirements and 281 directives. Do they all apply to your business? The requirements are:
   - Install and maintain a firewall configuration to protect cardholder data.
   - Do not use vendor-supplied defaults for system passwords and other security parameters.
   - Protect stored cardholder data.
   - Encrypt transmission of cardholder data across open, public networks.
   - Use and regularly update antivirus software.
   - Develop and maintain secure systems and applications.
   - Restrict access to cardholder data by business need-to-know.
   - Assign a unique ID to each person with computer access.
   - Restrict physical access to cardholder data.
   - Track and monitor all access to network resources and cardholder data.
   - Regularly test security systems and processes.
   - Maintain a policy that addresses information security.
2. Minimize your scope. Isolating your cardholder data environment (CDE) with firewalls, encrypting all the data that passes through the CDE, and disposing of card data as soon as possible will save your auditor time and save you money.
3. Analyze your compliance with each of the directives you deemed applicable in step 1.
4. Test your CDE controls.
5. Gather your evidence. Have your IT architecture, CDE diagrams, security policy, and other documentation of your compliance efforts on hand for the auditor.
And remember, passing the audit is only the first step in PCI DSS compliance. The PCI SSC mandates ongoing and continual efforts to safeguard financial information against unauthorized access and use.
Who Needs an Audit?
All merchants and service providers who accept credit cards or process, transmit, or store payment card data must comply with PCI DSS or face fines of up to $100,000 per year and even loss of credit-card privileges. The PCI Security Standards Council (PCI SSC) established PCI DSS as a framework for merchants and service providers to use in securing credit card and cardholder data from a breach.
Not everyone needs an audit, however. Recognizing that different entities have different levels of data security risk, the PCI SSC created four compliance levels for merchants and two for service providers.
Level 1 organizations must demonstrate PCI DSS compliance by procuring an on-site audit from a Qualified Security Assessor (QSA) or PCI-certified Internal Security Assessor, who will then file a Report on Compliance (ROC) with the acquiring bank.
Level 1 enterprises include:
- Merchants that process 1 million or more in-store and e-commerce payment card transactions annually, depending on which cards they accept
- Service providers that process, store, or transmit data from more than 300,000 payment cards per year
- All enterprises that have experienced a security breach that resulted in the compromise of credit card or cardholder data
Those in Levels 2, 3, and 4 may be able to complete a self-assessment questionnaire (SAQ) and Attestation of Compliance (AOC) in lieu of the audit and ROC.