For merchants, PCI DSS audit checklists are becoming more and more essential as both the list of requirements and threats continue to grow.
The team at Very Good Security has seen numerous companies struggle through the PCI DSS audit on their own.
While data breaches are on the rise, companies are struggling to meet compliance standards. 51.9% of businesses in a recent Verizon survey revealed that they unsuccessfully test their security system and processes.
Furthermore, less than half of organizations change default passwords from third-party vendors – which is one of the easier requirements to implement.
Most of the items companies miss in regards to PCI DSS compliance can be identified during a PCI audit.
If you are planning to be PCI compliant or you want to maintain your certification, you will be required to submit an audit annually.
PCI compliance in a nutshell
Merchants and service providers who process debit or credit card transactions are required to achieve some level of PCI compliance. There are four levels for merchants and two for service providers, and the primary differentiator between the levels is the number of transactions you process per year.
Short for Payment Card Industry Data Security Standard, PCI DSS compliance is meant to help you prevent fraud and data breaches. There are six main goals, which are broken up into 12 requirements. And these requirements are again subdivided into hundreds of mini requirements.
It’s pretty extensive. And that’s one of the reasons it often feels overwhelming.
What is a PCI audit and why do you need it?
To achieve your compliance certification, you will need to complete a PCI audit. The cost of your specific audit will vary based on your data environment, your PCI level, the size of your organization, and your individual auditor’s fees. The timeline, too, is dependent on the same factors, and can take anywhere from 4-6 months to complete.
However, this audit is essential to ensuring your systems are secure. An experienced and thorough auditor will be able to understand your industry and how data collection, storage, and transmission fit into your goals. They will also be able to pinpoint potential weaknesses.
And finding these weaknesses in your systems is crucial. None of the companies in Verizon’s data breach investigations were 100% PCI compliant. An audit can help you become and stay compliant – thus reducing your risk.
A PCI audit does a deep dive into your systems to monitor how you are complying with the following goals.
Build and Maintain a Secure Network and Systems
You should be employing firewalls and routers, as well as changing vendor-supplied default passwords and other data. Both inbound and outbound routes to your network need to have proper security controls.
Protect Cardholder Data
How do you protect your cardholder data when you’re collecting, transmitting, or storing it? What about when you have physical versions?
Protecting cardholder data is largely related to technology, such as employing tokenization, data aliasing, or encryption. But it’s also important to ensure that your employees understand how to handle data securely.
Maintain a Vulnerability Management Program
You should ensure that your antivirus software is up-to-date and that you have other controls set for the virus, malware, and other cyberthreats.
Implement Strong Access Control Measures
Employees or other internal staff participate in 34% of data breaches. You should have authentication and user access system to make sure that your data is safe. The list of people who have access to sensitive data should be short.
Regularly Monitor Test Networks
You should be able to monitor your systems regularly and test your systems to ensure that your controls are working properly. While a PCI audit, in a sense, is a review of your controls, it’s better not to wait until you need one to start testing your systems.
Maintain an Information Security Policy
Finally, you’ll want to train your employees on your data protection policies and ensure they understand both how and why you focus on compliance.
Your PCI audit checklist
Your PCI audit covers a wide range of security activities. To prepare for your PCI audit, you can take it one step at a time.
Map your systems
First, you’ll want to map out your systems and detail how you interact with cardholder data. This includes everything from collecting data to storing it and transmitting it. You will also want to include any third-party vendors that have access to your data.
Consider these questions.
- How many transactions do you process on a yearly basis?
- How do you process payment card transactions?
- What kind of data do you collect?
- How do you collect it?
- Where is it stored?
- Could data be stored anywhere other than the designated area?
- How is data transmitted?
- Do you have regular purges?
- Who has access to this data?
- Are you using encryption, tokenization, or another method to protect that data?
- Do you have policies in place in case of a breach?
- Does your staff know how to securely handle cardholder data in all of its forms?
Once you better understand your scope and boundaries, you’ll be able to begin preparing for your audit.
Determine your PCI level
Your specific PCI requirements will differ depending on your PCI level. There are four levels for merchants and two for service providers.
- Level 1: Merchants who process over 6 million card transactions annually or service providers who process 300,000 transactions.
- Level 2: Merchants who process 1 to 6 million transactions annually, or service providers who process less than 300,000 transactions annually.
- Level 3: Merchants who process 20,000 to 1 million transactions annually.
- Level 4: Merchants who process fewer than 20,000 transactions annually.
Understand your SAQ documentation
The next step is to understand your PCI audit requirements. While levels 2-4 are not required to prepare an external audit, all merchants and service providers are required to submit a Self-Assessment Questionnaire (SAQ).
This questionnaire is a series of yes-no questions. There are various SAQ versions depending on your PCI level and how you process payments.
- SAQ A – For merchants who outsource their entire payment process regardless of channel.
- SAQ A-EP – This form is specific for e-commerce merchants and providers who outsource their payment processing but not the website, if the website can impact the security of the payment channel.
- SAQ B – Merchants who use imprint machines with no electric data storage or standalone terminals with no data storage. This does not include e-commerce merchants.
- SAQ B-IP – Merchants who use PTS-approved payment terminals with an IP connection and no electric data storage for payments. This does not include e-commerce merchants.
- SAQ C-VT – Merchants without electronic cardholder data storage who process payments one at a time by typing them individually on a keyword into a payment portal. This is not relevant for e-commerce merchants.
- SAQ C – Merchants who process payments through the internet but do not require collect or store cardholder data. This form is not applicable to e-commerce channels.
- SAQ P2PE-HW – Merchants who use validated, PCI-SSC-listed P2PE managed hardware payment terminals. This does not apply to e-commerce channels.
- SAQ D – This form includes every merchant who has not been mentioned in the previous forms and all service providers.
Remedy any remaining issues
If you mark “no” to any question on your SAQ, it is likely you will need to fix some part of your system. Make sure to do this before bringing in an auditor.
Find an auditor
If you require Level 1 PCI compliance, you’ll need to find a qualified auditor for your external audit. Called a Qualified Security Assessor (QSA), an expert PCI auditor will be able to thoroughly go through your systems and detect any remaining issues.
For Level 1 merchants and providers, they will also be able to provide a Report on Compliance (ROC), which you need to obtain PCI certification.
When evaluating a potential auditor, you’ll want to look at the following criteria.
- Do they have experience in your specific industry?
- How long have they been a QSA?
- How many companies have they audited?
- What is their methodology?
- Do they have any references or customer reviews?
- What is their availability?
- If they are apart of a company, what is the QSA turnover rate for that company?
Don’t go at your PCI audit alone
There’s no doubt about it, PCI DSS audits are labor-intensive. You not only have to review your entire payment processing system and policies, but you also need to remedy any weak points, complete an SAQ, and potentially hire an external auditor if you need Level 1 compliance.
But things are changing.
Before, you could outsource just bits and pieces of your PCI compliance while shouldering all of the liability in case of a breach. Now you can shift all of the liability and burden to a data expert partner.
VGS not only takes on the burden of a data breach and completely secures your data collection, storage, and transmission processes, but they also can help you step-by-step through the audit process. That includes finding you an expert QSA to perform the final external audit.
The best part? Instead of spending months or even a year on PCI DSS compliance, you can get certified in weeks.
Data security is too important to skip out on. With VGS, you can get enterprise-level security and help with your PCI audit without the stress. That way, you can both enjoy the peace of mind of better data security, while focusing more on your business.