How to Prepare for and Ace Your Upcoming PCI Audit
IT leaders just like you are always diligently on the lookout for new tips to ensure compliance with the latest Payment Card Industry Data Security Standards (PCI DSS) issued by the PCI Security Standards Council (PCI SSC or the Council). You scour the latest industry journals and websites, as well as any new regulations and requirements you have received, in order to protect your valued customers and your company’s reputation.
Nasdaq recently reported on a 2016 study that, even with all the alternative payment methods available to consumers, credit has become the overall preferred payment method, replacing debit cards as the number one choice in recent years. This news means that you will stay busy in your efforts to comply with PCI DSS for years to come.
Quite simply, you never want your organization to end up on the bad end of one of the many data breaches that cyber-criminals carry out each year. Never fear: there are many ways to reduce the risk of such intrusions, which compromise your customers’ personal data and your company’s reputation, by taking every possible measure to comply with PCI DSS.
The PCI DSS Audit Adds Value to Your Company’s Reputation
Thanks to the PCI SSC, along with your commitment to your customers and your company’s own ethical standards in performing a well-executed PCI DSS audit, you are part of the solution in maintaining data integrity in the ongoing global battle against cyber-criminals.
Your PCI DSS audit helps to determine whether your data storage and security management systems meet PCI DSS compliance standards. With the help of your team of Qualified Security Assessors (QSAs), it is important that you review and evaluate your organizational policies, system management, software designs and network architecture. Each of these steps ensures that you are in PCI DSS compliance, and that you have effective security measures in place to protect cardholder data.
With some key strategies in place, compliance is easily within reach.
Make Sure You Understand and Comply with the 2016 PCI V3.2 Update
Any time the PCI SSC releases a new update, like the latest 2016 PCI v3.2 Update, it is important to review the changes carefully and address them, rather than continuing to follow the previous version. Treat the new requirements as best practices until the June 30, 2018 deadline, when the update becomes the standard you must comply with.
Just a few of the key changes in the PCI v3.2 Update include:
- Revised requirements for migrating away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS).
- Expansion of requirement 8.3 to require multi-factor authentication for administrators accessing the cardholder data environment.
- Added security validation measures for service providers and others.
A firm grasp of all the changes in this important update will go a long way toward preparing for the PCI DSS audit.
5 Tips to Help Prepare for Your Upcoming PCI DSS Audit
As you gear up to take on your upcoming PCI DSS audit, you may be wondering how you can ensure PCI DSS compliance. It may help you to scan the following industry tips to fill in any gaps you may have when reviewing your own PCI audit notes.
- Build a Tight PCI DSS Compliance Team and Work Together.
- Create and Maintain an Accurate Network Diagram.
- Document Everything and File it for Easy Access.
- Perform a Pre-Audit Assessment.
- View Compliance as an Ongoing Effort.
Once you have built a team—starting with your Compliance Manager—that understands the critical importance of PCI DSS compliance, as well as everything that compliance entails, you are well on your way to success. Develop a clear and well-defined program that assigns specific responsibilities and accountability to each person on the team.
Your network diagram is crucial to compliance, since it gives you a detailed representation of how your systems interact with cardholder data. Your network diagram should show the way in which cardholder data enters your network, every system it touches or enters as it moves through your network, and the point at which it leaves your network. With your network diagram, you can identify potential issues and take corrective steps.
The PCI DSS audit will require more evidence than your network diagram alone, including event logs, a list of your organization’s service providers, records of system changes and updates, and vulnerability scan results. You don’t want to go through a classic fire drill to gather these documents when it is time for the official audit with your QSA team.
If you have any doubts about your degree of compliance for your upcoming PCI DSS audit—and even if you don’t—perform a pre-audit assessment. Dark Reading warns against calling in your QSAs too early in the process. The right QSA team will still help you work through any issues if you do bring them in early, but doing so may shake your confidence and push you over budget. A pre-audit assessment—perhaps with the support of a QSA team member acting in a consulting capacity—gives you one more tool to help you sail through the audit without problems.
Avoid thinking PCI DSS compliance is only important when it comes time for your audit. With your strong team, regularly updated network diagram and a trusted auditing firm, constant compliance is easily within your grasp, and it helps to avoid stress when auditing time rolls around.
Choose Your QSA Carefully
Perhaps most importantly, prepare for your upcoming audit by carefully choosing the best QSA for your organization. Search for an auditing firm that features a strong client focus and a reputation for transparency. The right auditing team can come in and help you move smoothly through the PCI DSS auditing process. Your QSAs can also help you iron out any unanticipated wrinkles and get you on track to compliance.
Contact I.S. Partners, LLC by sending us a message or calling us at 215-675-1400 so our QSA specialists can offer you additional PCI DSS audit preparation tips and let you know all the ways we are ready to help.