PCI Compliance Audit

Credit-Card Data Security: Understanding PCI Compliance and PCI Compliance Audit

Security is always important for organizations with an online presence. A lack of security (and, more recently, of mobile security services) can create user-privacy concerns as well as leave websites vulnerable to malicious attack. But for businesses that accept online credit-card payments the stakes are exponentially higher. Rather than merely exposing their customers' browsing histories and online habits, a security breach on a site that accepts credit cards can cause a ripple effect for consumers that could take years and millions of dollars to rectify.

What is PCI Compliance

Due to the extremely sensitive nature of financial payment data, the Payment Card Industry (PCI) Security Standards Council regularly updates a set of PCI Compliance requirements. PCI Compliance regulations were first established in 2004, and they govern any merchant that accepts, processes, or stores credit-card information. This means that they apply to merchants who accept both online and offline credit-card payments.

What Are the Requirements of PCI Compliance?

This standard set of security requirements is known as the PCI Data Security Standard (PCI DSS), and compliance with these standards is an ongoing process for merchants. The following are the overarching goals and basic measures organizations need to enact in order to maintain compliance:

Goal                                          PCI DSS Requirement
Build and Maintain a Secure Network           1. Use a firewall
                                              2. Do not use default parameters
Protect Cardholder Data                       3. Protect stored cardholder data
                                              4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program   5. Use anti-virus software
                                              6. Develop secure systems and applications
Implement Strong Access Control Measures      7. Restrict access to cardholder data
                                              8. Assign a unique ID to each person
                                              9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks           10. Monitor all access to network and cardholder data
                                              11. Regularly test security systems and processes
Maintain an Information Security Policy       12. Maintain a security policy

What Else Do I Need to Know About PCI Compliance?

For e-commerce organizations to be fully compliant, over 200 individual security controls must be established and inspected on an ongoing basis. In addition, stringent security policies for business and technology staff must be developed and implemented. Any organization that accepts credit-card payments must be fully compliant. However, whether you need to validate your organization's compliance as well as what specific validation actions your company will be required to take will depend on:

  1. How many transactions your organization processes each year
  2. Whether your account data has suffered any type of breach or security compromise

Depending on these factors, you'll be assigned a level ranging from 1 to 4. PCI validation essentially means that your organization's adherence to the PCI compliance requirements is validated either by a third party or by a self-assessment that is completed and submitted. While small businesses, such as those that process fewer than 20,000 Visa and/or Mastercard transactions per year, aren't required to validate their compliance (and thus are classed as Level 4 organizations), it's strongly recommended that you do so to avoid a costly data breach, which could easily render your organization bankrupt. Not sure what level your company is classified as? Visit https://www.pcisecuritystandards.org/pci_security/how.

If your organization falls under Level 2 or 3, you'll be required to do yearly self-assessments and undergo quarterly scans by a qualified independent scan vendor. Level 1 organizations must undergo on-site security audits and quarterly network scans. You'll need to be evaluated either by a Qualified Security Assessor (QSA) or via an internal PCI compliance audit (if the audit is signed by an officer of the company). Although Level 2 and 3 organizations aren't required to use an outside security assessor, many do because of the peace of mind and the additional protection and security it affords both these companies and their clients.

PCI Compliance Audit

If your organization is deemed non-compliant, your ability to accept credit cards could be suspended. Because many businesses rely heavily on credit cards as a form of payment, this could have serious financial implications for your organization. ICS' PCI Compliance Audit can help you avoid costly suspensions and ensure your data is fully protected.

The PCI Compliance Audit is performed prior to your PCI compliance activities, using a variety of resources and tools to help your organization verify and increase its data security. When ICS is contracted to conduct a PCI Compliance Audit, we do the following:

  • Inspect 200+ individual security controls
  • Perform internal vulnerability scanning
  • Verify security policies and procedures are in place and, if problems are identified, recommend solutions
  • Verify privacy and security training programs are in place and, if problems are identified, recommend solutions

By performing this PCI Compliance Audit, you'll save time and money by identifying areas that need attention before a QSA is contracted to certify your organization. After the assessment is completed by ICS, you'll be able to take proactive steps toward remediation before investing in a QSA.

Selecting a Qualified Security Assessor

ICS is not a QSA, but we can ensure the assessment process goes smoothly and help you identify and choose a QSA. A Qualified Security Assessor (QSA) is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS. ICS can help facilitate the assessment process through the following:

  • Verify all technical information given by merchant or service provider
  • Use independent judgment to confirm the standard has been met
  • Provide support and guidance during the compliance process
  • Be on site for the validation of the assessment, or for its full duration, as required
  • Review the work product that supports the PCI DSS Requirements and Security Assessment Procedures
  • Ensure adherence to the PCI DSS Security Assessment Procedures
  • Validate the scope of the assessment
  • Select systems and system components where sampling is employed
  • Evaluate compensating controls
  • Produce the final report

Companies that have been qualified by the PCI Security Standards Council to validate an entity's adherence to PCI DSS can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

Schedule Your PCI Compliance Audit Today

Your clients rely on your organization to protect their data. A security breach is a breach of trust, one that may not be reparable. Failing to follow the PCI compliance requirements could have far-reaching implications for your business. Call ICS today to schedule your PCI Compliance Audit to protect your clients' data and your organization's future.