Thanks to the PCI SSC, along with your commitment to your customers and your company’s own ethical standards in performing a well-executed PCI DSS audit, you are part of the solution in maintaining data integrity in the ongoing global battle against cyber-criminals.
A PCI DSS audit helps to determine whether your data storage and security management systems meet the PCI DSS compliance standards. With the help of your team of Qualified Security Assessors (QSAs), you should review and evaluate your organizational policies, system management, software designs and network architecture. Each of these steps ensures that you are in PCI DSS compliance and that you have effective security measures in place to protect cardholder data.
8 Steps to Get Ready for a PCI Audit
As you gear up to take on your upcoming PCI DSS audit, you may be wondering how you can ensure PCI DSS compliance. It may help you to scan the following industry tips to fill in any gaps you may have when reviewing your own PCI audit notes.
1. Build a Tight PCI DSS Compliance Team and Work Together.
Once you build a team, starting with your Compliance Manager, that understands the critical importance of PCI DSS compliance and everything compliance entails, you are well on your way to success. Develop a clear and well-defined program that assigns specific responsibilities and accountability to each person on the team.
2. Create and Maintain an Accurate Network Diagram.
Your network diagram is crucial to compliance because it gives you a detailed representation of how your systems interact with cardholder data. Your network diagram should show the way in which cardholder data enters your network, any systems it touches or enters as it moves through your network, and the point at which it leaves your network. With an accurate network diagram, you can identify potential issues and take corrective steps.
3. Document Everything and File it for Easy Access.
The PCI DSS audit will require more data than what you obtain from your network diagram, including documented event logs, a list of your organization's service providers, records of system changes and updates, and vulnerability scan results. You don't want to go through a classic fire drill scenario to gather these documents when it is time for the official audit with your QSA team.
4. Reduce the Scope Appropriately.
Limiting the scope eases the workload for your PCI DSS team and reduces costs for your company. Your team can start by reviewing any new changes introduced by the latest version of PCI DSS or expected changes that will be coming out soon.
The next step in reducing PCI scope is separating the systems that store, process, or transmit cardholder data from the systems that do not. Network segmentation may involve configuring a multi-interface firewall at the perimeter of your network. From that point, you can dedicate one firewall interface to an isolated segment that holds only your cardholder data systems. Another option is an air gap, which is simply a separate network used specifically for cardholder data.
As an alternative, tokenization allows you to store card numbers in a highly secure off-site data vault. This form of re-coding replaces cardholder numbers with tokens in all other applications and databases. The beauty and growing popularity of tokenization lie in the fact that your own systems no longer store card numbers at all, which is a great way to simplify your PCI scope.
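As an added illustration (not code from the original article), the following Python sketch shows what tokenization does to scope: an application outside the cardholder data environment keeps only a format-preserving token and the last four digits, while a hypothetical in-memory `TokenVault` stands in for the off-site vault that alone holds the PAN. The Luhn check, the vault class, the `contains_pan` scope check and the sample PAN are all assumptions of this example.

```python
import re
import secrets
# Constructed sample PAN for the demo (a standard test number, not a real card).
SAMPLE_PAN = "4111111111111111"
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_valid(number: str) -> bool:
    """Luhn check digit test, used to reject malformed PANs before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        total += sum(divmod(2 * int(ch), 10)) if i % 2 else int(ch)
    return total % 10 == 0

class TokenVault:
    """Hypothetical in-memory stand-in for the off-site vault. Only this
    component ever sees a PAN, so only it stays in PCI DSS scope."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:  # same PAN -> same token, so apps can still match cards
            return self._token_by_pan[pan]
        while True:
            # Format-preserving token: random digits plus the real last four (permitted in the
            # clear). Rejecting Luhn-valid candidates means the token can never pass as a card number.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step inside the cardholder data environment should call this."""
        return self._pan_by_token[token]

def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """Record an out-of-scope application persists: token and last four, never the PAN."""
    return {"card_token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}

def contains_pan(record: dict) -> bool:
    """Scope check: flag any stored value containing a Luhn-valid 13-19 digit number."""
    for value in record.values():
        for m in PAN_PATTERN.finditer(str(value)):
            if luhn_valid(re.sub(r"\D", "", m.group())):
                return True
    return False
```

Running `contains_pan` over a database export is a quick way to confirm that the systems you believe are out of scope really hold no card numbers.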
5. Perform a Pre-Audit Assessment.
If you have any doubts about your degree of compliance for your upcoming PCI DSS audit, and even if you don't, perform a pre-audit assessment. Some experts warn against calling in your QSAs too early in the process, since doing so may shake your confidence and cause you to exceed your budget. However, the right QSA team will help you work through any issues you may have even if you do call them in early. A pre-audit assessment, perhaps with the support of a QSA team member acting in a consulting capacity, gives you one more tool to help you sail through the audit without problems.
6. Compile Information about How Best Security Practices Are Enforced.
Cybersecurity should be a basic part of your training for new employees, and a clear expectation for everyone who works for your company, in all departments, every time they log in. Security protocols should be updated periodically according to the latest security threats and best practices in the cybersecurity industry.
These updates need to be adopted company-wide. When best practices are updated, inform your employees of the changes and how they affect them and their activities. Then perform periodic security checks on your employees to make sure the company's security protocols are followed consistently.
The PCI auditor will be looking for evidence of these efforts. So your team will want to record and compile information ahead of time regarding the updates, how and when employees were notified, and the results of employee security checks.
7. View Compliance as an Ongoing Effort.
Avoid thinking that PCI DSS compliance matters only when it is time for an audit. One of the most effective ways to do this is to hire a third-party auditor to make unscheduled visits throughout the year.
The auditor will look at what your company is doing and let you know where security is strong, and where you need to improve. The third-party auditor will also tell you exactly how to improve in areas where security does not meet PCI standards. This will enable the auditor to work with your organization over time to make continual improvements towards full compliance. For your organization, this is a much calmer way to approach security and compliance.
8. Choose Your QSA Carefully.
Perhaps most importantly, prepare for your upcoming audit by carefully choosing the best QSA for your organization. Look for an auditing firm that has a strong client focus and a reputation for transparency. The right auditing team can help you move smoothly through the PCI DSS auditing process, iron out any unanticipated wrinkles, and get you on track to compliance.
Contact the AWA division of I.S. Partners so our QSA specialists can offer you additional PCI DSS audit preparation tips and let you know all the ways we are ready to help.