PCI Compliance Audits Don’t Have to Be Scary
Mention the word “audit” to any business owner, and chances are they will break out in a sweat. If your organization hasn’t been the subject of a PCI compliance audit, the very notion of it sounds scary. But it doesn’t have to be. HOSTING lists the steps involved in a PCI compliance audit and shares 12 high-level requirements for PCI compliance.
What is PCI Compliance?
Simply put, PCI compliance means meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which apply to every company and merchant that accepts payments by credit or debit card. If your organization accepts, processes, transmits or stores cardholder data, you are required to comply with the PCI Security Standards in order to maintain a secure payment card environment.
The goal of PCI compliance is to ensure that merchants meet a common baseline of security when processing customer payments or handling cardholder data; it does not guarantee that a breach can never happen. The major payment card brands (Visa, MasterCard, American Express, Discover and JCB) founded the PCI Security Standards Council and developed the standard.
Anatomy of a PCI compliance audit
During a PCI compliance audit, your cardholder data environment (the point of sale systems, servers, networks and processes that store, process or transmit cardholder data) is examined and assessed in order to identify vulnerabilities before they lead to a data compromise. A formal on-site assessment is conducted by a Qualified Security Assessor (QSA) approved by the PCI SSC (Payment Card Industry Security Standards Council). Note that the card brands require an on-site QSA assessment only for the largest merchants; smaller merchants typically complete a Self-Assessment Questionnaire (SAQ) instead, but the requirements being checked are the same.
- Initially, the QSA will evaluate your security infrastructure as well as your procedures, policies, networks and systems. Upon completion of the evaluation, the QSA will provide you with a risk assessment. The risk assessment is a guide for improving your data security and may include recommendations such as security awareness training for your employees.
- Following the risk assessment review, the QSA will rank any vulnerabilities found and prioritize them by severity. This gives you the information you need to plan your remediation activities; your goal should be to close the gaps, not merely to document them.
- Businesses that are found to be non-compliant are given a “probation” period in which to address the issues uncovered in the audit. Keep in mind that not adhering to PCI standards puts each and every card transaction your business processes at risk, and that the card brands can impose fines or even withdraw your ability to accept cards. So avoid potential breaches and subsequent fines by addressing any outstanding items ASAP.
12 High-level requirements on the PCI compliance checklist
PCI compliance audits are a lot less scary if you already follow sound data security practices. The 12 high-level requirements of the PCI DSS, as published by the PCI SSC, are listed below. Following them will go a long way toward a successful PCI compliance audit.
- Install and maintain a firewall between the public network and the systems that hold payment card data
- Change vendor-supplied default passwords and settings on network and payment processing equipment before putting it into service
- Protect any cardholder data you store for business or regulatory purposes, and store only what you actually need (full magnetic stripe data, the card verification code and PINs must never be stored after authorization)
- Encrypt all transmissions of cardholder data over open, public networks
- Maintain antivirus software on all of your computers and keep it up to date
- Develop and deploy only secure card processing applications and systems, and keep them patched
- Limit access to cardholder data to as few people as possible, on a “need to know” basis within your business
- Assign a unique ID to each person with computer access, so that every action can be traced to an individual (no shared accounts)
- Restrict physical access to business computers and cardholder data, for example with controlled building entry and visitor and employee badges
- Track and monitor all access to network resources and cardholder data, and retain the logs
- Regularly test security systems and any PCI security processes that you have in place
- Maintain an information security policy and keep all employees informed about it