Are You Ready for Your PCI DSS Audit This Year?
Any organisation which stores, processes and transmits credit card data is required to prove compliance with the PCI Data Security Standard (PCI DSS). Compliance is demonstrated by auditing the Cardholder Data Environment (CDE).
How this is done will depend on criteria set collectively by the major credit card brands (Visa, Mastercard, JCB, American Express and Discover). It is managed by the PCI Security Standards Council.
As the audit itself is an annual event, it’s all too easy to forget the reason behind it. Compliance is vital not only for the safety of your customers’ data, but also for the security, reputation and future of your organisation.
To complete your audit, you can employ the services of an external Qualified Security Assessor (QSA) or self-audit by submitting a Self-Assessment Questionnaire (SAQ). Either way, if you fail to prepare year-round, your organisation will find audit season particularly challenging. This is especially true if your CDE is complex.
Born out of the contact centre space, the team at PCI Pal understands the obstacles faced when PCI DSS audit season rolls around. Our team of experts offers its advice on avoiding a last-minute scramble to meet the requirements of the PCI DSS.
1. Get Ready
It is imperative that organisations prepare year-round for the audit. To quote Abraham Lincoln,
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.”
Further, everyone has a role to play in securing payment card data, from your infosec team through to your contact centre agents.
Start by introducing staff to the basics of the PCI DSS. Our eBook Starting Your PCI Compliance Journey is helpful for this. It offers a high-level overview of the PCI DSS, along with the key terminology and factors that staff need to be aware of.
From here you can branch out into more specific training. For contact centre agents, our Human Firewall infographic helps build your agents into a ‘human firewall.’ For your infosec team, it may be worthwhile training them as an internal security assessor (ISA). This allows them to act as the main point of contact for everyone involved or facilitate interaction with your QSA.
The PCI Security Standards Council has several training courses available, depending on your organisational needs.
2. Get Set
Once everyone knows what the PCI DSS is and what part they must play in maintaining compliance, it’s time to prove it.
Start by mapping out your CDE. From here you can begin gathering the relevant audit logs, vulnerability scans and other related documents that prove compliance throughout the year.
Enlist and engage with your QSA ahead of your audit to ensure you have all you need. Or, if you are evidencing compliance via an SAQ, make sure well ahead of time that you are using the guides and documents relevant to your organisation; these are available from the PCI SSC website.
Plus, our 6 Tips to Help Contact Centres Prepare for a PCI DSS Audit offer more details.
Treating PCI compliance as a year-round process rather than an annual checkbox exercise gives you a simple and effective approach.
Moreover, every organisation that’s suffered a breach of cardholder data has been found non-compliant with the PCI DSS at the time the breach occurred.
By making PCI compliance and data security a key part of training for your contact centre staff, engaging with your teams early and keeping documented evidence, you will be able to prove compliance.
Not only this, but through mapping your CDE you may find ways in which sensitive data can be processed by fewer systems, accessed by fewer people, and stored in fewer places for shorter periods of time. This decreases the scope of your audit.
Achieving and maintaining PCI compliance not only allows you to continue processing credit card payments; it also shows your customers a commitment to data security.
The latest IBM report found that a data breach costs around $4m to fix. This is before taking into consideration fines and subsequent reputational damage.
Could you afford a breach?
Get in touch with us to discuss how PCI Pal’s cloud-based solutions can simplify your PCI DSS audit without impacting your customers’ journey.