Key Takeaways
1. Building a dedicated PCI DSS compliance team and choosing a qualified security assessor (QSA) are crucial steps to pass a PCI audit.
2. PCI DSS certification must be renewed annually by a QSA or an Internal Security Assessor (ISA) to maintain compliance and avoid penalties.
3. IS Partners, with over two decades of compliance industry experience, provides expert guidance and comprehensive strategies to help organizations achieve and maintain PCI DSS compliance with the help of our certified Qualified Security Assessors (QSAs).
How Does a PCI DSS Audit Work?
A PCI DSS audit helps to determine whether your data storage and security management systems meet PCI DSS compliance standards. With the help of your team of Qualified Security Assessors (QSAs), you must review and evaluate your organizational policies, system management, software designs, and network architecture.
Each step ensures that you are in PCI DSS compliance and have effective security measures to prevent cardholder data theft.
9 Steps to Get Ready for a PCI Audit
As you gear up to take on your upcoming PCI DSS audit, you may wonder how to ensure compliance. The most critical step to successfully comply with the PCI DSS framework is to find and partner with a qualified security assessor. Other steps revolve around this key step.
It may help you scan the following industry tips to fill in any compliance gaps when reviewing your PCI audit notes.
Below, we give you the nine most critical steps on how to prepare for a PCI DSS audit and maintain PCI DSS compliance status.
1. Build a Tight PCI DSS Compliance Team and Work Together
To build focus on achieving compliance, you will need to create a dedicated team for PCI compliance. Your team must consist of knowledgeable members in the field of compliance.
Once you build your team, starting with a Compliance Manager who understands the critical importance of PCI DSS compliance and all that it entails, you are well on your way to success. Develop a clear and well-defined program that assigns specific responsibilities and accountability to each team member.
2. Create and Maintain an Accurate Network Diagram
Your network diagram is crucial to compliance since it gives you a detailed representation of how your systems interact with cardholder data. Your network diagram should show how cardholder data enters your network, every system it touches or enters as it moves through your network, and the point at which it leaves your network.
You can identify compliance gaps and take corrective steps with your network diagram. An organized network diagram can be used to categorize vulnerabilities and provide insight for a better strategy.
3. Document Everything and File it for Easy Access
The PCI DSS audit will require more data than what you obtain from your network diagram, including document event logs, a list of your organization’s compliant service providers, system changes and updates, and vulnerability scans.
You don’t want to have to go through a classic fire drill scenario to gather these documents when it is time for the official audit with your QSA team. Ensure you have all the PCI audit documentation to illustrate your security controls to your auditor.
4. Choose Your QSA Carefully
A core PCI DSS requirement is selecting a qualified security assessor or QSA. Search for an auditing firm with a strong client focus and a reputation for transparency.
The right auditing team can help you move smoothly through the PCI DSS auditing process. Your QSAs can also help you iron out any unanticipated wrinkles and get you on track to compliance.
Aside from the fact that they are the only entities allowed to conduct the audit, QSAs can help you ensure that your compliance with PCI DSS requirements is tailored perfectly to your industry. They can help you perform a thorough risk analysis before the audit process.
5. Reduce the Scope Appropriately
Limiting the PCI DSS scope eases the workload for your PCI DSS team and reduces costs for your company. Your team can start by reviewing any new changes introduced by the latest version of PCI DSS.
The next step in reducing PCI scope is to separate systems that store, process, or transmit cardholder data from systems that do not. Network segmentation may involve configuring a multi-interface firewall at the perimeter of your network. From that point, you can develop one firewall interface made specifically to isolate your cardholder data from within the network. Another option is to have an air gap, which is simply another network specifically for cardholder data.
As an alternative, tokenization allows you to store card numbers in a highly secure off-site data vault. This form of re-coding replaces cardholder numbers with tokens in all other applications and databases. The beauty and growing popularity of tokenization lie in the fact that you are no longer storing cardholder data in your own environment, which is a great way to simplify your PCI scope.
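To make the scope-reduction idea concrete, here is a small added example (not code from the original page or from IS Partners) of the tokenization pattern described above. An in-memory dictionary stands in for the off-site vault, the token is random rather than derived from the card number, the application's order records hold only the token and the last four digits, and a helper scans the application data to confirm that no full card number leaked into it. The card number used is the constructed test value 4111 1111 1111 1111, not a real account.

```python
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if pan is a 12-19 digit string passing the Luhn checksum."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the off-site vault: the only component that ever sees a PAN."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a random token; the same PAN maps to the same token."""
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid primary account number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # The token is random and carries no information about the PAN,
        # so a copy of the application database reveals nothing on its own.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and the payment processor it talks to) does this."""
        return self._pan_by_token[token]

    def last_four(self, token: str) -> str:
        """Display value the application may keep without pulling it into scope."""
        return self._pan_by_token[token][-4:]


def record_order(orders: dict, vault: TokenVault, order_id: str, pan: str, amount: float) -> dict:
    """Application side: the order store receives a token, never the PAN."""
    token = vault.tokenize(pan)
    orders[order_id] = {"token": token, "last4": vault.last_four(token), "amount": amount}
    return orders[order_id]


def contains_pan(store: dict) -> bool:
    """Scan a serialized store for any Luhn-valid 12-19 digit run (a leaked PAN)."""
    blob = json.dumps(store)
    return any(luhn_valid(m) for m in re.findall(r"\d{12,19}", blob))


if __name__ == "__main__":
    vault = TokenVault()
    orders: dict = {}
    rec = record_order(orders, vault, "order-1", "4111 1111 1111 1111", 19.99)
    print("application record:", rec)
    print("PAN present in application data:", contains_pan(orders))
```

Run as a script, the application record shows a `tok_...` value and `1111`, and the leak scan reports `False`; only the vault object can map the token back to the card number.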
6. Perform a Pre-Audit Assessment
If you have any doubts about your degree of compliance for your upcoming PCI DSS audit—and even if you don’t have any doubts—perform a pre-audit assessment. Some experts warn against calling in your QSAs too early in the process.
However, the right QSA team will help you work through any issues you may have if you call them in early, although it may shake your confidence and cause you to exceed your budget. A pre-audit assessment—perhaps with a QSA team member acting in a consulting capacity—gives you one more tool to use to help you sail through the audit without problems.
Readiness assessments can help you save time and avoid any non-compliance issues that may be detected during the actual audit. Include vulnerability scans to assess your external network systems.
Additionally, consider the requirements of the new PCI DSS version. PCI DSS v4.0 requires automated security measures.
7. Compile Implementation Information on Security Practices
All efforts toward compliance must be properly documented for a more efficient process. This step will help you present your solutions to the auditor faster.
Cybersecurity should be a basic part of your training for new employees and a clear expectation for everyone who works for your company in all departments to follow each time they log in. Security protocols should be updated periodically according to the cybersecurity industry’s latest security threats and best practices.
However, these updates need to be adopted company-wide. When best practices are updated, inform your employees about the changes and how they affect them and their activities. Then, periodic security checks on your employees should be performed to ensure the company’s security protocols are followed consistently.
The PCI auditor will be looking for evidence of these efforts. So, your team will want to record and compile information ahead of time regarding updates, how/when employees were notified, and employee security checks.
8. View Compliance as an Ongoing Effort
Avoid thinking PCI DSS compliance is only important when it comes time for an audit. One of the most effective ways to keep compliance in view year-round is to hire a third-party auditor to make unscheduled visits throughout the year.
The auditor will look at what your company is doing and let you know where security is strong and where you need to improve. The third-party auditor will also tell you how to improve in areas where security does not meet PCI standards.
This will enable the auditor to work with your organization over time to make continual improvements toward full compliance. This is a much calmer way to approach security and compliance for your organization.
9. Continuously Monitor PCI DSS Compliance
This step involves implementing a series of practices and tools to ensure that an organization’s payment processing systems remain secure and meet the required standards. This ongoing process helps detect and respond promptly to security threats, maintain a safe environment, and avoid breaches that could lead to financial and reputational damage.
Like any other framework, the benefits of a PCI compliance audit are only fully realized if the work is done consistently.
Which PCI Compliance Level Do You Need?
The PCI compliance levels are primarily based on the number of annual credit/debit card transactions an organization processes. The organization’s security posture will be based on the requirements of their acquiring bank and customer demands.
- PCI Level 1: Merchants that process over 6 million card transactions per year
- PCI Level 2: Merchants that process 1 to 6 million transactions per year
- PCI Level 3: Merchants that handle 20,000 to 1 million transactions per year
- PCI Level 4: Merchants that handle fewer than 20,000 transactions per year
To determine your PCI compliance level:
- Know the transaction level criteria for each credit card company you use, as the requirements can vary slightly between providers.
- Establish your annual transaction volumes with each relevant credit card provider. You can usually get this data from your bank or payment processor.
- Choose the provider with the highest compliance level as your reference point. For example, if you are Level 2 for Visa but Level 1 for Amex, adopt Level 1 compliance practices.
- Check the specific compliance requirements for the determined level.
For smaller-scale businesses, the PCI Council provides a self-assessment questionnaire.
How Often Do You Need to Renew PCI DSS Audit Certification?
To ensure the security of payment card data, compliance with PCI DSS requirements must be consistently maintained. Your status must be verified annually by a QSA or an Internal Security Assessor (ISA).
This yearly certification review was implemented to protect sensitive data adequately and maintain a safe cardholder data environment. Failure to recertify annually can result in fines, increased transaction fees, and even the inability to process credit card payments.
Who Is Qualified to Perform a PCI DSS Audit?
PCI DSS audits can only be performed and certified by individuals and entities verified by the PCI Security Standards Council (PCI SSC). These primary professionals are categorized as follows:
Qualified Security Assessor (QSA)
- These individuals come from independent security organizations certified by the PCI SSC. They are typically hired by more mature organizations. QSAs undergo rigorous training and have expertise in information security. They particularly use methodologies set by the council for the PCI DSS onsite audit process.
Internal Security Assessor (ISA)
- ISAs are employees who have received formal training and certification from the PCI SSC to perform assessments. They are typically used by organizations that prefer to conduct their assessments internally rather than hire an external QSA. These professionals are equipped with deep PCI DSS audit understanding.
Choosing a QSA or an ISA depends on your organization’s size, resources, and specific needs. Ensuring that the assessor is qualified and certified by the PCI SSC is essential for a thorough and effective audit.
Pursue PCI DSS compliance with the help of IS Partners. Our organization is certified as a QSA by the PCI SSC. IS Partners comprises experts in compliance frameworks who can lead your organization with efficient compliance strategies.
Maintain Compliance With PCI DSS With the Help of Qualified Security Assessors
PCI DSS compliance is a necessity for service organizations handling sensitive cardholder information. It ensures data security against breaches, which are becoming increasingly common and sophisticated. This not only protects sensitive information but also maintains customer trust.
One core step in achieving compliance is employing the help and guidance of a Qualified Security Assessor. Look no further: IS Partners is the solution you need. Our expert auditors can help you achieve PCI compliance.
With over two decades of experience in the compliance industry, IS Partners puts you in good hands. Streamline risk assessment and gap analysis with our help.
Contact IS Partners so our QSAs can offer you additional PCI DSS audit preparation tips and let you know all the ways we are ready to help.