What is PCI DSS Audit and How to Prepare Your Business for PCI DSS Audit
For many businesses today, offering a card payment option is unavoidable, and so is securing their customers’ most sensitive information. The Payment Card Industry Security Standards Council (PCI SSC) has developed the Payment Card Industry Data Security Standard (PCI DSS) so that businesses can demonstrate the adequacy of their data security and ensure the security of credit card transactions.
Today, all companies that store, process, or transmit sensitive cardholder information must meet PCI DSS requirements. Businesses that engage in high-volume transactions or that have suffered a breach must undergo a PCI DSS audit based on the technical and operational control requirements grouped under 12 key headings.
The primary purpose of the PCI DSS audit is to validate an organization’s ability to protect cardholder data and all systems that interact with payment transactions. A PCI DSS audit is a thorough examination of cardholder information such as the Primary Account Number (PAN) and card verification values (CAV/CID/CVC2/CVV2), of the systems that interact with them, and of the multiple controls and security measures that protect this sensitive information, checked against the PCI DSS requirements that apply to the merchant.
Any merchant or service provider that stores, processes, or transmits cardholder information must comply with PCI DSS requirements and be subject to a PCI DSS audit to verify the current compliance status.
PCI DSS audits are designed to comprehensively examine how well your business manages PCI controls, which are security measures established to protect all systems interacting with payment card processing.
In particular, merchants and service providers must protect the following system components that contain or transmit credit card data:
- Network devices and wireless access routers
- Payment card data storage systems
- Transmission of payment card data
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
- Card readers
- Point of sale systems (POS)
What Are the PCI DSS Audit Requirements and How Does PCI Audit Work?
Suppose your organization must undergo an onsite audit and provide a Compliance Report under the Payment Card Industry Data Security Standard (PCI DSS). In that case, there are specific PCI DSS requirements that you must meet.
For PCI audit, you need to do the following:
- Work with a Qualified Security Assessor (QSA) certified by the PCI Security Standards Council (PCI SSC) to perform an onsite audit of your Cardholder Data Environment (CDE) information security controls, policies, and practices.
- Optionally sponsor your organization’s internal auditor for PCI SSC training and certification as an Internal Security Assessor (ISA) so that the individual can perform annual PCI DSS audits.
- Pass the PCI DSS audit so that the QSA or ISA can provide a Report on Compliance (ROC) to your acquiring bank.
- Maintain compliance until your next annual audit by performing regular vulnerability scans, inspections, and penetration tests to ensure your systems and networks keep credit and debit card and cardholder data secure and private.
The first step in preparing for a PCI audit is determining your PCI DSS scope by identifying all components that touch credit card data. Your team should identify all locations and workflows in your cardholder data environment (CDE) that contain cardholder data.
All systems should be scoped at least once a year, and always before your assessment. It is your responsibility to limit the scope of your assessment ahead of time, because auditors are trained to treat all systems and processes as in scope unless PCI DSS requirements allow them to be excluded.
Your QSA will perform a full onsite audit assessment to evaluate the security infrastructure, including all systems, policies, and procedures. The following items are the responsibility of the QSA:
- Verifying all technical information provided by your company.
- Checking and approving your assessment scope.
- Following all PCI data security assessment protocols.
- Evaluating compensating controls.
- Providing guidance and support to your organization throughout the entire audit process.
- Using their best professional judgment to verify that PCI DSS standards are met.
- Producing and transmitting the final reports (the PCI AOC and ROC).
It should be noted that PCI DSS auditing is a year-round process because data security systems, policies, and procedures must be continuously monitored to maintain PCI DSS compliance.
How Often Should You Have a PCI DSS Audit?
Essentially, the frequency of PCI DSS audits depends on the payment card company you choose to work with; PCI DSS itself does not enforce the frequency of PCI audits. For example, American Express has its own audit frequency requirements, as do Visa and MasterCard.
However, businesses identified as Level 1 (more than six million card transactions per year) or those experiencing a breach must undergo at least one annual audit to maintain PCI compliance.
What Happens If I Fail My PCI DSS Audit?
First, a PCI audit should not be viewed as a pass-or-fail event. Instead, it should be seen as an opportunity to discover what is needed to better meet your customers’ data security needs. If your QSA detects a system vulnerability, the audit fails only if your organization does not address and fix the issue promptly.
On the other hand, businesses that ignore PCI audit findings, refuse to fix system deficiencies or decide that PCI DSS requirements do not apply to them will experience the unpleasant and costly consequences of non-compliance.
Credit card companies can impose fines of between $5,000 and $100,000 per month, depending on the severity of a violation. Fraudulent purchases may trigger bank cancellation fees for which the offending entity may be held liable.
Who Should Get PCI DSS Audit?
All merchants and service providers who accept, process, store, or transmit credit or debit card data must comply with PCI DSS. This information security framework includes 12 requirements and approximately 400 directives.
Only merchants that process more than 1 million or more than 6 million payment card transactions per year (the threshold depends on the card brands you accept), and service providers that process, store, or transmit more than 300,000 card transactions per year, need to be audited for PCI DSS compliance.
Completing a self-assessment questionnaire (SAQ) and submitting an Attestation of Compliance (AOC) will usually be sufficient for small merchants.
However, all merchants and service providers experiencing data breaches compromising payment card data must undergo an annual onsite audit for PCI DSS compliance.
Does My Company Have to Pass a PCI Audit to Prove PCI Compliance?
Whether you’re subject to PCI DSS onsite auditing depends on your company’s merchant status and the requirements of the payment brand you choose. PCI DSS has established four levels of PCI compliance, determined by merchant type.
The four levels of PCI compliance requirements are as follows:
- PCI Merchant Level 1: This tier includes all merchants who process more than 6 million transactions per year across all channels, and all merchants who have experienced a data breach. Level 1 businesses must undergo annual third-party audits and annual network scans conducted by an Approved Scanning Vendor (ASV) to verify PCI compliance. They must also receive two official documents, the Attestation of Compliance (AoC) and the Report on Compliance (RoC).
- PCI Merchant Level 2: This level includes merchants who process between 1 million and 6 million transactions per year across all channels. In addition to quarterly network scans performed by Approved Scanning Vendors (ASVs), all Level 2 to 4 merchants must complete a PCI DSS Self-Assessment Questionnaire (SAQ) signed by the company’s senior management team.
- PCI Merchant Level 3: Level 3 merchants handle 20,000 to 1 million online transactions per year.
- PCI Merchant Level 4: Any merchant with fewer than 20,000 online transactions per year, or up to 1 million card-present transactions per year, is classified as Level 4.
Because cardholder data is sensitive, only Qualified Security Assessors (QSAs) certified by the PCI Security Standards Council (PCI SSC) can perform PCI audits.
What Are the PCI DSS Audit Requirements?
The PCI Security Standards Council (PCI SSC) has identified 12 technical and operational requirements that organizations must meet to be considered PCI compliant. In the PCI DSS audit, you are expected to meet the following requirements.
PCI DSS Requirement 1: Set up and maintain a firewall configuration to protect cardholder data.
Firewalls and routers are essential components of network architecture that control network entry and exit. They are software or hardware devices that prevent unauthorized access and manage authorized network access. Configuration standards and procedures will help ensure that your data’s first line of defense remains strong.
PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Malicious people inside and outside your organization often leverage vendor default passwords and other vendor default settings to compromise systems. Default passwords and settings are well known to hacker communities and easily determined through public information.
PCI DSS Requirement 3: Protect stored cardholder data with methods such as encryption, truncation, masking, and hashing.
If an attacker circumvents the other security controls you have implemented and gains access to stored cardholder data, they can read it unless it is protected. However, if the cardholder data is encrypted (and the attacker lacks the cryptographic keys), truncated, masked, or hashed, the attacker cannot read or meaningfully use this data.
PCI DSS Requirement 4: Encrypt transmission of cardholder data over open, public networks.
Sensitive data like cardholder data must be encrypted during transmission over networks that malicious individuals can easily access. As a common attack vector, malicious users continue to target misconfigured Wi-Fi networks and vulnerabilities in weak encryption and legacy authentication protocols to gain privileged access to cardholder data environments.
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Malware, including viruses, worms, and Trojans, enters the network during many business-sanctioned activities, including employee email and use of the internet, smartphones, mobile computers, and storage devices, and exploits system vulnerabilities to cause various problems.
Therefore, you should use anti-virus software to protect your systems from current and emerging malware threats.
PCI DSS Requirement 6: Develop and maintain secure systems and applications.
Malicious people use vulnerabilities to gain privileged access to systems. Most of these vulnerabilities are remedied by vendor-supplied security patches installed by the organizations that manage the systems.
All systems must have the appropriate software patches installed to protect cardholder data from being misused and compromised by malicious individuals and software. For applications developed in-house, you can often avoid many vulnerabilities by using standard software development processes and secure coding techniques.
PCI DSS Requirement 7: Restrict access to cardholder data only to those who need it to perform their job.
Systems and processes must be in place to limit access to need-to-know and job responsibilities to ensure that critical data is only accessible to authorized personnel. “Need to know” grants access rights to the minimum amount of data and privileges required to perform a job task.
PCI DSS Requirement 8: Identify and authenticate access to system components.
Assigning a unique identity to each person with access ensures that they are held individually accountable for their actions. With this kind of accountability in place, actions on critical data and systems can be traced back to known and authorized users and processes.
Also, the effectiveness of a password is primarily determined by the design and implementation of the authentication system.
PCI DSS Requirement 9: Restrict physical access to cardholder data.
Any physical access to systems hosting cardholder data should be appropriately restricted.
PCI DSS Requirement 10: All network resource and cardholder data access should be monitored.
Logging and the ability to track user activities are essential for preventing, detecting, and mitigating the impact of a data breach.
The availability of logs across all environments provides comprehensive monitoring, alerting, and analysis when something goes wrong. It is essential to have a process or system that connects user access to the accessed system components. Without system activity logs, it is challenging, if not impossible, to determine the cause of a compromise.
PCI DSS Requirement 11: Test security systems and processes regularly.
Malicious people and researchers constantly discover vulnerabilities, and new software frequently introduces them. System components, processes, and custom software must be tested regularly to ensure that security controls reflect a changing environment.
PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel.
A solid security policy establishes your company’s security posture and informs your employees of what is expected of them. All employees should be aware of the importance of data protection and their roles in it.
It should be noted that each of the PCI DSS’s 12 general requirements includes multiple sub-requirements.
During a PCI compliance audit, a QSA will review company-supplied documentation, interview technical personnel and, in some cases, review samples of system components to ensure that each of these specific requirements has been adequately met.
The word audit often evokes anxiety and fear, but that shouldn’t be the case with a PCI DSS audit: what should concern you is non-compliance with PCI DSS requirements, which can result in costly penalties and unpleasant consequences for your business.
However, a PCI audit provides an opportunity to work with a QSA to discover vulnerabilities and areas for improvement in your data security system. PCI audits provide a snapshot of the current state and offer the opportunity to learn about the security culture while helping your business achieve and maintain PCI DSS compliance in the future.
How Can I Prepare for PCI DSS Audit and Achieve PCI DSS Compliance?
Ensuring and maintaining PCI compliance is an ongoing process that requires continued care and commitment. Beginning with security awareness training and basic security guidelines for all employees, QSA companies can provide a wealth of valuable information and resources.
PCI compliance checklists can be a helpful resource in preparing for an upcoming PCI audit. Here are some considerations to increase compliance while helping your team get ready for PCI auditing:
- Inform your employees about PCI compliance requirements and ensure management understands these requirements.
- Complete the self-assessment questionnaire about your business and fill in any compliance gaps you find.
- Document all internal security policies and procedures for protecting cardholder data.
- Use only PIN-certified point-of-sale (POS) input devices and verified payment software.
- Use firewalls to partition your CDE from the rest of your system to narrow the scope of auditor inspection.
- Reduce your environment’s PCI scope for control by separating and segmenting your networks.
- Only deal with PCI-compliant third parties.
- Document all security controls and identify data flows throughout your organization.
- Test the controls on your CDE, even if you’ve done so before, and gather up-to-date evidence that they are working as they should.
- Create a workflow and data flow map for all card transactions.
- Have your security policy, IT architecture diagrams, CDE card data flow charts, and other relevant documents available for the auditor.
- Perform vulnerability scans as often and early as possible.
- Encrypt all cardholder data regardless of location.
- Use network segmentation.
- Focus on protecting cardholder data in transit, and never transmit it without encryption.
- Monitor for vulnerable code and apply fixes immediately.
- Use strong access controls and incident response plans to mitigate vulnerabilities quickly.
- Focus on overall system security, not just PCI DSS compliance.
- Continuously monitor all environmental changes and adjust security systems accordingly.
Here are tips for achieving and maintaining PCI compliance:
- Limit the cardholder data you store and retain only essential cardholder data.
- After authorization, do not store sensitive authentication data. Make sure to remove all authentication information when it is no longer needed. Sensitive authentication data includes magnetic stripe and chip data, card verification codes, and PIN.
- Ensure the security of your POS vendor. Inquire with your POS vendors about how they handle common control errors such as default settings and passwords.
- Isolate and consolidate essential cardholder information. Remember to keep sensitive data in a centralized location and separate it with network segmentation. Consolidation will simplify access and help limit your PCI DSS assessment scope.
- Use compensating controls. Wherever a PCI DSS control cannot be met directly, document and use compensating controls in its place.
- Contact your QSA for assistance and training. Use this valuable resource frequently, as the QSA’s role includes providing support and guidance throughout your PCI compliance process.
- Maintain PCI DSS controls over time. PCI compliance is not a race to pass an annual audit but rather a marathon of continuous monitoring, evaluation, and enforcement of PCI DSS controls. An audit is a check on your business; it does not replace the day-to-day actions required to maintain PCI compliance throughout the year.
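Requirement 3 above and the tip on not retaining sensitive authentication data both come down to what a system keeps after authorization. The following Python routine is an added example, not code from the article: it drops the sensitive authentication data fields from a constructed authorization record, keeps only a masked PAN and a keyed hash of the full PAN, and rejects a record if a full PAN still leaks through another field. The field names, the sample record, and the key are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample authorization message as it might arrive from a POS.
# The PAN is the well-known Visa test number, not a real card.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "1229",
    "cvv2": "123",                                     # sensitive authentication data
    "track2": ";4111111111111111=12291011234567890?",  # sensitive authentication data
    "pin_block": "0123456789ABCDEF",                   # sensitive authentication data
    "amount": "42.00",
    "merchant_ref": "order-1001",
}

# Assumed (lowercase) field names that carry sensitive authentication data (SAD).
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2", "pin", "pin_block", "chip_data"}
PAN_RE = re.compile(r"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to decide whether a digit run is really a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits remain visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full PAN for lookups. The key must be
    managed under the Requirement 3 key-management controls, never stored with the data."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, key: bytes) -> dict:
    """Return the part of an authorization record that may be retained after
    authorization: SAD fields are dropped, the PAN is replaced by its masked form
    and keyed hash, and any other value that still carries a full PAN is rejected."""
    pan = record["pan"]
    if not luhn_ok(pan):
        raise ValueError("pan field is not a valid card number")
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    for k, v in stored.items():
        if any(luhn_ok(run) for run in PAN_RE.findall(str(v))):
            raise ValueError(f"field {k!r} still contains a full PAN")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_hmac"] = pan_fingerprint(pan, key)
    return stored
```

The leak check matters because free-text fields (notes, logs, error messages) are a common place for a full PAN to survive even when the dedicated fields are handled correctly.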
The ability to secure customer data is becoming critical to the survival of any business today. But achieving PCI DSS compliance is only a safe first step for organizations looking to compete in a digital economy.