PCI DSS compliance doesn’t have to be complicated. Let’s break down the key information you need to know about what the PCI DSS requires, and how a certified QSA can help simplify the process.
What Does PCI DSS Mean?
PCI DSS stands for the Payment Card Industry Data Security Standard, and it is administered by the PCI Security Standards Council. It consists of a series of 12 requirements designed to ensure the security of cardholder data throughout the transaction process and to provide consistent standards for the global payment industry.
Cardholder data includes the Primary Account Number (PAN) together with any of the following data elements: cardholder name, expiration date, and service code. Additional data must also be protected under the PCI DSS: magnetic stripe data, CAV2, CVV2, CID, PINs, PIN blocks, and similar authentication data.
The PCI DSS was developed by the 5 major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to help standardize payment card security across the global payment industry.
What is Included in PCI DSS?
There are 12 main requirements that make up the PCI DSS. We’ve provided a broad overview below, but an Auditwerx QSA can help provide additional context and information pertinent to your organization.
- Install and Maintain Network Security Controls
- Apply Secure Configurations to All System Components
- Protect Stored Account Data
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Protect All Systems and Networks from Malicious Software
- Develop and Maintain Secure Systems and Software
- Restrict Access to Cardholder Data by Business Need-to-Know
- Identify Users and Authenticate Access to System Components
- Restrict Physical Access to Cardholder Data
- Log and Monitor all Access to System Components and Cardholder Data
- Test Security of Systems and Networks Regularly
- Support Information Security with Organizational Policies and Programs
What happens during a PCI audit?
Your PCI audit process may vary depending on the maturity of your security environment. If your organization is experienced in the PCI compliance process, a gap assessment may not be necessary. That being said, if this is your first PCI examination, we strongly recommend a gap assessment in order to identify any control issues that may impact your audit.
- Pre-Engagement – The first step in the process is finding an experienced QSA to work with. An experienced QSA can determine your needs and ensure services are scoped and quoted correctly.
- Gap Assessment – You’ll need to work with your QSA to understand if your organization requires a gap assessment before your formal PCI report. Your QSA will determine if you have any missing or ineffective controls in order for them to be remedied ahead of your formal PCI DSS audit.
- Evidence Gathering – Once any ineffective or missing controls have been remedied, the formal audit process can begin. Auditwerx offers onsite and virtual options depending on your needs. Your PCI compliance controls will be evaluated against the PCI DSS requirements. If you elected to complete a gap assessment, your systems will be more than prepared for a successful audit. Our online PCI compliance portal makes virtual evidence gathering easy and convenient.
- Final Report – Your final report will take about 2 weeks to compile after the assessment period ends. Your Auditwerx QSA will finalize and sign off on the completed report to confirm your organization’s compliance with the PCI DSS.
- Continuous Support – Your Auditwerx QSA is here for you even after your final report is signed and delivered. We are a true partner to our clients; if a question arises about your PCI security environment between reporting periods, we are here to support your organization’s compliance goals.
Who Performs a PCI Audit?
PCI Audits are performed by certified Qualified Security Assessors (QSAs). Your QSA will analyze the nuances specific to your organization and industry to ensure proper compliance under the PCI DSS. The right QSA can provide ongoing compliance support for your organization.
You may be wondering what a QSA does during your PCI DSS audit, and it’s pretty straightforward:
- They verify technical information provided by your organization,
- They judge whether standards have been met accordingly,
- They provide support throughout the engagement period,
- They ensure the audit follows the PCI DSS requirements and testing procedures,
- They validate the scope of the assessment,
- They evaluate any custom controls and implementations,
- They produce the final report.
Is PCI Compliance Mandatory?
In a word, yes – PCI compliance is mandatory for merchants and service providers that store, process or transmit cardholder data. If you are not PCI compliant, you may face large monthly fines and the inability to perform key services. While not a law per se, PCI compliance just makes good business sense.
A PCI DSS audit shows your current and future clients that you take the protection of payment card data seriously and that your systems have the proper controls in place to provide safe and efficient services.
Get PCI Compliance Done
If you’re ready to check PCI DSS compliance off the list, an Auditwerx QSA can help. Whether your organization needs an AOC, ROC, SAQ – or anything in between – our experienced team can help you get through each step in the process easily and accurately so you can get back to business. Contact an Auditwerx QSA today.