Any organisation that stores, processes or transmits credit card data is required to prove compliance with the PCI Data Security Standard (PCI DSS). Compliance is demonstrated by auditing the Cardholder Data Environment (CDE); how this is done depends on validation criteria set by the major card brands (Visa, Mastercard, JCB, American Express and Discover), while the standard itself is maintained by the PCI Security Standards Council (PCI SSC). Because the audit is an annual event it is all too easy to forget the reason behind it: compliance is vital not only for the safety of your customers' data, but also for the security, reputation and future of your organisation. Whether you engage an external Qualified Security Assessor (QSA) or self-audit by submitting a Self-Assessment Questionnaire (SAQ), if you fail to prepare year-round your organisation will find audit season particularly challenging, especially if your CDE is complex. Born out of the contact centre space, the team at PCI Pal understands the obstacles faced when PCI DSS audit season rolls around. Our team of experts offer their advice to avoid a last-minute scramble to meet the requirements of the PCI DSS.
To quote a saying often attributed to Abraham Lincoln, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” It is imperative that organisations prepare year-round for the audit. From your infosec team through to your contact centre agents, everyone has a role to play in securing payment card data. Start by introducing staff to the basics of the PCI DSS. Our eBook ‘Beginning your PCI compliance journey’ offers a high-level overview of the PCI DSS, its key terminology and the factors staff need to be aware of. From there, branch out into more specific training. For contact centre agents, PCI Pal’s Summer School offers interactive modules to help build your agents into a ‘human firewall’. For your infosec team it may be worthwhile training someone as an Internal Security Assessor (ISA) to act as the main point of contact for everyone involved and to facilitate interaction with your QSA. The PCI Security Standards Council has several training courses available depending on your organisational needs.
Now that everyone knows what the PCI DSS is and what part they must play in maintaining compliance, it is time to prove it. Start by mapping out your CDE: every system, network segment, person and third party that stores, processes or transmits cardholder data, or that could affect its security. From this map you can work out which evidence each requirement needs and gather it throughout the year rather than at audit time: audit logs, quarterly vulnerability scan and penetration test results, policies and training records, and other related documents. Engage your QSA well ahead of the audit to confirm you have everything they will need. If you evidence compliance via a SAQ, make use of the guides and documents on the PCI SSC website well in advance, and check that the SAQ type you complete matches how your organisation actually accepts and handles card data, since the eligibility criteria differ between SAQs. Our top tips on preparing for your audit go into more detail.
This approach may sound too simple, but treating PCI compliance as a year-round process rather than an annual checkbox exercise really is the key. Forensic investigations of cardholder data breaches have consistently found that the breached organisation was not fully compliant with the PCI DSS at the time the breach occurred. By making PCI compliance and data security a core part of training for your contact centre staff, engaging with your teams early and keeping documented evidence, you will be able to prove compliance. Not only that: mapping your CDE may reveal ways in which cardholder data can be processed by fewer systems, accessed by fewer people, and stored in fewer places for shorter periods of time, or not stored at all, reducing the scope of your audit. Bear in mind that network segmentation only reduces scope if it is documented and its effectiveness is tested, so include segmentation testing in your penetration testing at least annually. Being PCI compliant not only allows you to continue to process card payments but demonstrates to your customers a commitment to data security. IBM’s most recent Cost of a Data Breach report puts the average cost of a breach at around $4m, before any card-brand fines and the reputational damage that follows. Could you afford a breach?
Get in touch with us to discuss how PCI Pal’s cloud-based solutions can simplify your PCI DSS audit without impacting your customers’ journey.
*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Stacey Richards. Read the original post at: https://www.pcipal.com/en/knowledge-centre/news/are-you-ready-for-your-pci-dss-audit-this-year/