What is a PCI Audit? How to Get Your Business Ready

Today, payment card fraud is a booming business with no signs of slowing—out of every hundred dollars spent with a bank card, roughly six dollars, and change is stolen, according to Nilson Report numbers. Gross losses from fraudulent card transactions are expected to hit 40 billion by 2027. Ouch – those stats don’t exactly inspire faith in the payment card industry, right? For many customers, turning over highly sensitive personal and financial information requires an increasingly difficult leap of faith. Consider this -American consumers worried more about having personal or financial information stolen by hackers than being murdered in 2019.

For modern businesses, offering a card payment option while ensuring the safety of their customer’s most sensitive information is non-negotiable. It’s become so important the Payment Card Industry Security Standards Council created the Payment Card Industry Data Security Standard (PCI DSS) as a benchmark for businesses to prove data security competence. Today, all companies storing, processing, or transmitting sensitive cardholder information must meet  PCI DSS requirements. Businesses handling high volumes of transactions or suffering a breach must demonstrate compliance by passing a PCI audit which verifies an organization’s ability to safeguard cardholder data and all systems interacting with payment processing based on 12 technical and operational control requirements.  

Does your business need to pass a PCI audit? Would your business pass a PCI audit today? Is your organization ready to prove the effectiveness of your security systems, policies, and procedures in protecting your customer’s most private information? In this article, you will learn about PCI audits and how your team can become audit-ready with our helpful PCI DSS checklist and seven tips for achieving and maintaining PCI compliance.

What is a PCI audit?

A PCI audit is a vigorous inspection of a merchant’s adherence to PCI DSS requirements, consisting of numerous individual controls or safeguards for protecting cardholder information (e.g., Primary Account Number, CAV/CID/CVC2/CVV2, etc.) and systems that interact with payment processing, which we will discuss later. 

A merchant is defined by the Payment Card Industry Security Standard Council as “an entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods and/or services.” PCI DSS provides a baseline of technological and operational requirements designed to safeguard cardholder information. Any merchant or service provider storing, handling, or transmitting cardholder information must comply with PCI DSS requirements and may be subject to a PCI audit to verify standing. 

PCI audits are designed to thoroughly inspect how well your business manages PCI controls, which are safeguards installed to protect all systems interacting with payment card processing. Specifically, merchants and service providers should protect:

• Card readers 
• Point of sale systems
• Store network and wireless access routers
• Payment card data storage and transmission
• Payment card data stored in paper-based records
• Online payment applications and shopping cards 

PCI DSS requirements 

The PCI Security Council set out the following 12 broad technical and operational requirements organizations must meet to be considered PCI compliant: 

Build and maintain secure network systems 

Requirement 1: Installing and maintaining a firewall configuration to protect cardholder data.

Why this matters: Firewalls and routers are key components of the architecture that controls entry to and exit from the network. These devices are software or hardware devices that block unwanted access and manage authorized access into and out of the network. Configuration standards and procedures will help ensure that the organization’s first line of defense in the protection of its data remains strong. 

Requirement 2: Do not use vendor-supplied system passwords and other security parameters 

Why this matters: Malicious actors (external and internal to an organization) often take advantage of vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known by hacker communities and are easily determined through public information.  

Protect cardholder data

Requirement 3: Protect stored cardholder data with methods such as encryption, truncation, masking, and hashing. 

Why this matters: If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered too. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, or not sending unprotected PANs using end-user messaging technologies, such as email and instant messaging. 

Requirement 4: Encrypt transmission of cardholder data across open, public networks 

Why this matters: Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. 

Maintain a vulnerability management system 

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs. 

Why this matters: Malicious software, commonly referred to as “malware” — including viruses, worms, and Trojans — enters the network during many business-approved activities, including employee email and use of the internet, smartphones, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. Additional anti-malware solutions may be considered a supplement to the anti-virus software. Additionally, all personnel needs to be aware of and follow security policies and procedures to ensure systems are protected from malware on a continuous basis.

Requirement 6: Develop and maintain secure systems and applications. 

Why this matters: Malicious actors use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches, which must be installed by the entities that manage the systems. To protect against the exploitation and compromise of cardholder data by malicious individuals and software, all systems need to have appropriate software patches — patches that have been evaluated and sufficiently tested to verify that they don’t conflict with existing security configurations. For in-house developed applications, you can often avoid numerous vulnerabilities by using standard software development processes and secure coding techniques. 

Implement strong access control measures 

Requirement 7: Restrict access to cardholder data to only those who need it to perform their job 

Why this matters: To ensure critical data can only be accessed by authorized personnel, systems and processes need to be in place to limit access on a need-to-know basis and according to job responsibilities. “Need to know” is when access rights are granted to the least amount of data and privileges needed to perform a job duty. 

Requirement 8: Identify and authenticate access to system components 

Why this matters: Assigning a unique ID to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems can be traced to known and authorized users and processes. Further, the effectiveness of a password is largely determined by the design and implementation of the authentication system — particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage. 

Requirement 9: Restrict physical access to cardholder data 

Why this matters: Any physical access to data or systems that house cardholder data provides an opportunity for individuals to access devices or data and to remove systems or hardcopies and should be appropriately restricted. 

Regularly monitor and test networks 

Requirement 10: Track and monitor all access to network resources and cardholder data 

Why this matters: Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allow thorough tracking, alerting, and analysis when something goes wrong. It is critical to have a process or system that links user access to system components accessed. Without system activity logs, determining the cause of a compromise is very difficult, if not impossible. 

Requirement 11: Regularly test security systems and processes 

Why this matters: Vulnerabilities are discovered continually by malicious individuals and researchers, and often introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment. 

Maintain an information security policy 

Requirement 12: Maintain a policy that addresses the information security of all personnel 

Why this matters: A strong security policy sets the security tone for the whole company and tells personnel what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities in protecting it. 

Each of the 12 broad requirements also contains multiple sub-requirements (not shown here). 

During a PCI compliance audit, a QSA will review written, company-provided documents, interview technical staff, and in some cases examine samples of system components (e.g., files and system records) to verify that each of these specific requirements is sufficiently met. 

Often the word audit triggers concern and apprehension, but this shouldn’t be the case with a PCI audit. Make no mistake, failing to comply with PCI DSS regulations can result in costly penalties and unpleasant repercussions for your business. However, a PCI audit provides the opportunity to work with a QSA to discover vulnerabilities and areas needing improvement within your data security system. Audits provide a snapshot of the current status and allow the opportunity for learning and growth while helping your business achieve and maintain PCI DSS compliance into the future.

Does my company need to go through a PCI audit to prove compliance?

It depends on your company’s status as a merchant and the requirements of your chosen payment brand. PCI DSS created four levels of PCI compliance determined by merchant type. The four levels including compliance requirements are as follows:

PCI Merchant Level 1: This level includes all merchants with over 6 million transactions a year across all channels or any merchant that has experienced a data breach. Level 1 businesses must undergo annual 3rd-party audits to verify compliance plus annual network scans conducted by an approved scanning vendor. They must also receive two official documents–an Attestation of Compliance (AoC) and a Report on Compliance (RoC).

PCI Merchant Level 2: This level includes merchants with between 1 million and 6 million transactions annually across all channels. All merchants on Levels 2 through 4 must complete a PCI DSS Self Assessment Questionnaire that is signed off by the company’s senior management team in addition to quarterly network scans conducted by approved scanning vendors.

PCI Merchant Level 3: Level 3 includes merchants with between 20,000 and 1 million online transactions annually. 

PCI Merchant Level 4: Level 4 includes merchants with fewer than 20,000 online transactions annually or any merchant processing up to 1 million in-person transactions per year. 

Due to the sensitive nature of cardholder data, only Qualified Security Assessors (QSA) approved by the PCI Security Standards Council can conduct PCI audits. 

How does a PCI audit work?

The first step in preparing for your PCI audit is scoping, which sets the assessment parameters, or scope, of your upcoming audit. Your team must identify all locations and workflows containing cardholder data within your cardholder data environment (CDE). Scoping all systems should be done annually and always before your assessment. It falls on you to narrow the scope of your evaluation beforehand, as auditors arrive prepared to include all system processes unless otherwise noted according to PCI Security Standards Council guidelines.

Next, your QSA will conduct a full onsite audit assessment to evaluate security infrastructure, including all systems, policies, and procedures. It is the QSA’s responsibility to:

• Document and authenticate all the technical information provided by your company
• Check and approve your assessment scope
• Be present during the entire assessment
• Strictly follow all PCI data security assessment protocols
• Document and assess compensating controls
• Provide your organization with guidance and support during the entire audit process
• Use best professional judgment to confirm PCI DSS standards have been met
• Produce and submit a comprehensive Final Report 

The final audit stage is ongoing as all organizations must continually monitor data security systems, policies, and procedures to maintain PCI DSS compliance moving forward. Many businesses conduct frequent PCI scanning, pen testing, and event log monitoring to ensure all PCI data protection controls are meeting the standard.

How often do I need to get a PCI audit?

PCI DSS doesn’t mandate the frequency of PCI audits–it’s really up to the payment card company with whom you choose to work. For example, American Express has its own set of audit frequency requirements, as do Visa and MasterCard. However, it’s important to remember businesses identified as Level 1 (over six million yearly card transactions) or those who have experienced a breach must pass a minimum of one audit per year to remain PCI compliant.

What happens if I fail my PCI audit?

Failure is a harsh word with the unnecessary implication of finality. A PCI audit shouldn’t be viewed as a pass or fail event but as an opportunity to discover what’s needed to better serve your customers’ data security needs. If your QSA discovers a system vulnerability, your organization only fails by not quickly addressing and fixing the issue.

On the other hand, businesses ignoring PCI audit findings, refusing to fix system shortcomings, or deciding PCI DSS regulations don’t apply to them will experience the unpleasant and costly ramifications of non-compliance. Credit card companies can impose fines from $5,000 to $100,000 monthly depending on an infraction’s severity.

Fraudulent purchases can trigger bank reversal charges for which the offending organization may be held responsible. Larger companies who continue to violate PCI DSS regulations may trigger the wrath of the Federal Trade Commission (FTC), resulting in the unwanted scrutiny of an FTC investigation.

Most importantly, today’s customers don’t want to do business with companies that don’t take data security seriously. Many choose to file lawsuits when their data is compromised, and once news of such events hits the mainstream, a crippling loss of business and drop in revenue often result for the responsible party. Becoming a publicized PCI DSS offender leads to bad press and a tarnished brand image capable of sinking even the most prosperous enterprise.

How can my business be audit-ready and achieve PCI compliance?

Achieving and maintaining PCI compliance is an ongoing process requiring continued diligence and commitment, but there is help available for organizations willing to put forth the effort. QSA firms can provide a wealth of information and resources, starting with security awareness training for all employees.

PCI compliance checklists can serve as a helpful guide in preparation for an upcoming audit. Here are some considerations to boost compliance while helping your team become PCI audit-ready:

• Teach your employees about and ensure management’s understanding of PCI compliance requirements
• Document all in-house security policies and procedures for safeguarding cardholder data
• Use only PIN approved point-of-sale (POS) entry devices and validated payment software
• Reduce the PCI scope of your environment for the audit by segregating your networks 
• Only do business with PCI compliant third-parties
• Document all security controls and map data flows across your organization
• Create a workflow map for all card transactions
• Perform scans as early as possible
• Encrypt all cardholder data regardless of location
• Use network segmentation
• Focus on safeguarding cardholder data while in transit
• Watch for vulnerable code and apply fixes promptly 
• Employ strong access controls and incident response plans for swift vulnerability mitigation
• Focus on overall system security, and not just on compliance
• Continually monitor all environmental changes and adjust security systems accordingly

7 general tips for achieving and maintaining PCI compliance 

In addition to PCI compliance checklists, we recommend referencing the following 7 Tips for Achieving and Maintaining PCI Compliance listed below:

1. Limit the cardholder data you store: Only keep cardholder data that are essential – if you don’t need it, why continue to be responsible for it? 
2. Don’t store sensitive authentication data after authorization: Be sure to eliminate all authentication information after it’s no longer needed–this includes magnetic strip and chip data, card verification codes, and PINS.
3. Ensure your POS vendor’s security: Be sure to ask your POS vendors how they address common control failures like default settings and passwords. If their POS software stores sensitive authentication data, are they capable of quickly deleting it after use?
4. Isolate and consolidate essential cardholder data: Remember to store sensitive data in a consolidated, central location and isolate it with network segmentation. Consolidation will simplify access and can also help limit the scope of your PCI DSS assessment.
5. Use compensating controls: Don’t forget to document and use all compensating controls to substitute for PCI DSS controls whenever possible.
6. Contact your QSA for assistance and training: Be sure to engage this valuable resource because the QSA’s role includes providing support and guidance throughout your compliance process. 

Maintain PCI DSS controls over time: PCI compliance isn’t a sprint to pass an annual audit but rather a marathon of continuous monitoring, assessing, and enforcing the use of PCI DSS controls over time. An audit is your business’s checkup—not a substitute for the daily actions necessary to maintain PCI compliance throughout the year.

Looking forward

As the nature of commerce becomes increasingly virtual, the ability to secure customer data will become critical to the survival of every business. Achieving PCI DSS compliance is just the first step for organizations looking to compete in a digital economy.

Choosing to team with a partner like Hyperproof can make all the difference when preparing for your PCI audit and maintaining PCI DSS compliance over time. Hyperproof’s compliance operations software helps you understand the requirements of PCI, document internal controls to meet the requirements, collect evidence, and automate repetitive tasks. Hyperproof also makes it easy for you to map your existing security controls to PCI DSS requirements. 

With Hyperproof’s software solution, your team will have the advantage of analytics-driven dashboards to monitor your security controls’ effectiveness over time. To learn how Hyperproof’s compliance operations software can help your team prepare for your next PCI audit and maintain PCI DSS compliance into the future, visit us here.