What Is a PCI Audit?Published July 11, 2019 by Alan Gouveia • 3 min read
What is a PCI Audit?
A PCI audit examines the security of your organization’s credit-card processing system from beginning to end.
During this process, a Qualified Security Assessor (QSA) or your own Internal Security Assessor will determine the effectiveness of your organization’s information security controls. To pass the test, your payment network must meet as many as 281 criteria spelled out in the Payment Card Industry Data Security Standard, or PCI DSS, with which all merchants and their service providers must comply.
To demonstrate PCI compliance, your organization must do one of two things:
- Have an on-site audit by a Qualified Security Assessor (QSA) or Internal Security Assessor, or
- Fill out a PCI DSS self-assessment questionnaire, which may or may not involve an internal audit.
Which scenario applies to you? The answer depends in large part on the number of credit card transactions your enterprise processes yearly. The more transactions you process, the greater the likelihood that you will need an annual audit and Record of Compliance (ROC) to satisfy the requirements of this crucial security framework.
Why PCI DSS Matters
The PCI Security Standards Council (PCI SSC), representing financial institutions, merchants, processor companies, software developers, and point-of-sale vendors, established PCI DSS to help prevent breaches of credit card and cardholder data.
The framework’s origins date to 1999, when Visa developed a Cardholder Information Security Program in response to rampant increases in credit card fraud via the (brand new) Internet. In 2004, the five major credit card brands jointly launched the first version of this framework, PCI DSS 1.0.
To accept credit-card payments today, all merchants and payment and internet service providers (ISPs) must demonstrate an ongoing and continual commitment to protecting credit card and cardholder data from unauthorized access and use.
Which Level Are You?
Recognizing that not all merchants or their service providers are created equal, the PSI SSC established four compliance levels for merchants and two for ISPs. The higher the level, the more stringent the PCI DSS requirements.
To comply with PCI DSS, Level 1 merchants and ISPs must attain the ROC, which involves an audit. Those in levels 2, 3, and 4 may self-assess by filling out PCI DSS Self-Assessment Questionnaire (SAQ) that the security standards council provides. A quality GRC software or service can make either task much easier and cost-efficient.
Which level your organization belongs to depends on:
- Which credit cards you accept, and
- How many transactions you process in a year.
Level 1 merchants process 1 to 6 million transactions yearly; Level 1 service providers process 300,000 per year.
What is a PCI DSS audit?
To attain your ROC, you must procure an on-site audit from an external Qualified Security Assessor (QSA) or your organization’s own Internal Security Assessor. With 12 objectives and 281 directives to comply with, your initial audit can take as long as two years to complete. Self-assessing, while not as time-consuming, can take one year.
The audit or assessment involves testing all your organization’s controls around the Cardholder Data Environment (CDE): point-of-sale system; access (including physical access) to the CDE; your vendors’ data security; network segmentation; the application that processes payment information, where and how card information is stored, security of the routers transmitting the information, data encryption, and more.
The good news is that PCI DSS is highly prescriptive. It tells you what you need to do to comply with each directive. And not every requirement applies to every organization, so yours might have fewer than 281 requirements to meet.
As you prepare for your audit or self-assessment, taking the following steps can speed the process and reduce your costs:
- Define your scope. Sit down with the framework and decide which directives apply.
- Minimize your scope. Simply placing firewalls around your Cardholder Data Environment , among other things, can reduce your vulnerability to cybercrime and limit the systems the auditor will need to examine.
- Determine how well you meet each applicable PCI DSS requirement. Your risk assessment document may help with this step. Where you do not comply, apply needed controls.
- Test your controls. Do this before each yearly audit or assessment. PCI DSS compliance is an ongoing process, requiring constant vigilance.
- Gather your evidence. Audits are all about documentation; have yours ready for the auditor.
With credit card fraud and data breaches always on the rise, these steps make sense for any organization wanting to make ironclad their credit card data security.
Get Help if You Need It
Complying with hundreds of requirements can be a time-consuming and frustrating task—more so if you’re using spreadsheets to track your progress.
Fortunately, there is a better way. A quality tool such as ZenGRC can make PCI DSS compliance easier, faster, and more complete. Our unique solution provides “single source of truth” dashboards with overviews of your compliance and risk posture; the documentation your auditor or self-assessor needs, easy-to-implement self-audits, and more.
Worry-free compliance and hassle-free audits are the Zen way. Contact a ZenGRC expert today and breathe easier, knowing the path to PCI DSS compliance will be smoother for your organization.