Organizations cannot afford to neglect their PCI compliance obligations. Fines for non-compliance are imposed by the payment card brands through an organization's acquiring bank rather than by the PCI Security Standards Council itself; the figures commonly cited range from $5,000 to $100,000 per month. Penalties of that size could spell the end for a small business.

Acknowledging those consequences, organizations need to make sure they’re PCI compliant. More than that, they must ensure they’re prepared for when auditors come knocking on their door. Here are some practices that organizations can use to prepare themselves for their next PCI audit.

Familiarize Yourself with the PCI Requirements

The PCI DSS is prescriptive: the requirements tell you exactly what you need to do and how an assessor will test your compliance. The requirements are your guide, and a review of them will help you determine which apply to you, which are out of scope, and which technical tools and documentation you will need. While going through this process, you will also be able to identify what is already in place, what needs review, and anything you must complete before the next audit (e.g., the annual review of a third-party service provider's Attestation of Compliance, or AOC).

Know Your Scope and Boundaries

Remember that PCI DSS is concerned with the safe handling of cardholder data, so properly delineating the boundary of your cardholder data environment (CDE) will be key to success. The smaller the CDE, the easier it is to protect and to audit, and a tight boundary keeps the audit focused on what matters most. Keep in mind that scope is not limited to systems that store, process, or transmit cardholder data: systems connected to the CDE, or that could affect its security, are in scope as well. As you analyze your CDE, consider whether you can shrink its footprint and segment the systems storing, processing, and/or transmitting cardholder data from the rest of the network.

Remember Your Frequency-Bound Controls

The PCI requirements include several types of controls: some are continuous, others are triggered by events (e.g.,