Are You Prepared for a PCI DSS Audit?

The Payment Card Industry Data Security Standard, or PCI DSS, applies to any business that accepts branded credit cards. These additional security requirements are responsible for the secure use of these cards, and as such, are evolving all the time. Here, we’ll discuss some recent and upcoming changes to this standard that businesses should be ready for - as well as how to (and how not to) prepare for an audit.

Recent and Upcoming Changes

In an April 2019 interview, PCI SSC Chief Technology Officer Troy Leach indicated that the security standard was due for some updates - namely, in terms of speed of delivery, how diverse payment acceptance methods could be, and how dependent the technology was on third-parties. According to Leach, 2019 will see updates to a few standards, including Point-to-Point Encryption and PIN Transaction Security Point-of-Interaction (PTS POI) standards. Leach also indicated that there may be 15 total PCI security standards by the end of 2019, and the next version of PCI DSS, version 4.0, likely won’t be released before late 2020.

However, these updates won’t matter if your organization isn’t prepared for an audit.

Best Practices to Prepare for a PCI DSS Audit

A PCI DSS audit is no laughing matter, as it could impact your business’ ability to take a widely-used kind of payment. An Intuit survey suggested that 83 percent of small businesses that accepted credit cards saw increased business as a result. Therefore, it is best that you are as ready as possible for a potential audit. Here, we’ve assembled a few activities that you need to see to in order to properly prepare for an impending audit.

• Document everything and file it. Your documentation should include the following:
  • Antivirus Policy
  • Cardholder Data Policy
  • Firewall and Router Policy
  • Information Security Policy
  • Password Policy
  • Physical Security Policy
  • System Configuration Policy
  • System Monitoring and Logging Policy
  • Testing Systems and Processes Procedure
  • Information Security Incident Management Policy
  • Inventory and Ownership of Assets Policy
  • Application and System Development Software Policy
  • Managing Service Providers Policy
  • Access Control Policy
  • Information Security Awareness Program
  • Information Security Responsibilities Policy Statement
  • Individual User Agreement Template
  • Data Classification Policy
  • Data Protection Policy
  • Data Management Policy

• You should also perform a Pre-Audit Assessment (and regular assessments to boot). This will help you ensure that everything is as it should be before the official audit takes place.

• Make sure all of your software is updated. This shows that you are aware of potential cybersecurity risks.

• Minimize collected data. The more data you have, the more data that you could put at risk. If you don’t need a certain dataset, there’s no reason to have it.

• Change manufacturer passwords as soon as you can. These passwords are well-known to cybercriminals, and will often be the first they try.

• Security - not compliance - should be your goal. While compliance to PCI DSS and other standards is great, your primary motivation should be to keep your data secure.

• Perform a risk assessment to help identify weak points. The more secure your business is, the better. A risk assessment can help find weak points that refer to PCI DSS as well as other security requirements.

• Automate monitoring systems to help reduce oversights. Human error is responsible for many cybersecurity issues. Automated systems can prevent this particular kind of error from influencing your payments.

• Keep data segmented and encrypted. Payment information can very safely be called sensitive information, which means that it should be kept safely away from the rest of your data and further protected via encryption.

• You need to control access to your data. While it is important that you trust your employees, it is also important that you also don’t put the sensitive data you have collected at undue risk. Establishing role-based access controls will assist you in keeping sensitive information, such as payment information, safe and secure.

• Use SSL (Secure Sockets Layer) on your website. In order to accept online payments, you need to be sure that your website is secure enough to do so. Using SSL protects the information moving to and from your website through encryption.

• Don’t be afraid of third-parties. Third-party providers can often provide exactly the services and solutions that a PCI DSS audit is looking for. As long as you do your due diligence and find a reputable company to provide these services, you should be fine.

How to Fail a PCI DSS Audit

Of course, these audits can also be failed by a business that hasn’t prepared properly. What follows are a few ways to ensure that you aren’t prepared… just in case you want to find out how useful the ability to accept payment cards is.

Skipping A Self-Assessment and Going Without an Assessment Checklist

It is always a good idea to assess your own PCI audit preparedness before your audit takes place - this gives you the opportunity to make any possible adjustments beforehand, after all. However, many organizations take their preparedness on good faith and neglect to double-check their preparation… often to their detriment.

Almost worse, some businesses will take half-measures while running a self-assessment, and won’t prepare a checklist of items to review. This means that they are less likely to be sufficiently prepared, and are therefore more likely to fail their assessment. 

Poor Documentation and Disorganized Data 

If your processes aren’t well-documented, you’re not likely going to have a positive time during a PCI audit. Without the documentation to prove that your defenses meet the requirements set by PCI DSS, you are likely to fail your audit. To avoid this, make sure you have all of your documentation, and it is all well-organized.

Furthermore, with the descending costs of data storage space, companies have fallen into the habit of collecting and hoarding any data they can… including payment card data. One of the most effective means of protecting this data is to isolate it from any other data that a company stores. This helps keep audit processes under control, preventing runaway costs.

Underutilizing Your Staff

While the right solutions are critical to successfully completing a PCI DSS audit, it is equally important to have the staff on hand that are capable of maintaining a compliant infrastructure. All of the solutions in the world won’t do you any good if they aren’t implemented correctly. Training your staff and putting processes in place to ensure that all tasks are carried out will be a critical part of maintaining your compliance.

Expecting Your Compliance Audit Process to Ever Be Finished

That’s the thing about compliance - it’s always changing as technology does. Any changes made - like the upcoming changes reviewed above - mean that your business will no longer be compliant to PCI DSS.

Datalyst can help your business remain compliant to the requirements set by PCI DSS. Reach out to us at (774) 213-9701 for more assistance.