When the time for a PCI DSS audit rolls around it can often be viewed as a headache. However, it’s important to remember the reasons behind audits; PCI DSS compliance is vital not only to the safety of your customers, but also to the security, reputation and future of your business.
Luckily, by staying on top of things throughout the year, audits really needn’t be such a huge problem. Here’s our need-to-know guide for on-the-ball businesses:
1. Work with Your Team
Firstly, appoint a Compliance Manager who can work on a clear, concise and centralised security policy and procedures. Having a well-defined programme with clear responsibilities makes sure the build-up and preparation for an audit will run smoothly, without any confusion or passing of the buck.
2. Run a Tight Ship
The best way to guarantee compliance is to know your business inside out. Creating a comprehensive network diagram will not only help you identify vulnerabilities, but can also help you work out ways in which sensitive data can be processed by fewer systems, accessed by fewer people, and stored in fewer places for shorter periods of time – decreasing the scope of your audit.
3. Document Everything
Data flow diagrams are not the only documentation your audit will require. Rather than an annual scramble for information, make sure you document event logs, vulnerability scans, service providers, system changes and anything else of relevance throughout the year, so it’s all to hand for your Qualified Security Assessor.
4. Don’t View Compliance as a One-Off Goal
One of the biggest mistakes businesses make is treating the audit like an exam they can cram for and then forget about. The point of PCI DSS compliance is to keep you and your customers safe all year round, so keep up to date with changes to the standard, perform frequent vulnerability tests, and regularly confirm that your service providers are PCI compliant themselves.
5. Choose Wisely
Remember, you can choose your own QSA, so make sure you go for someone who is experienced and solution-orientated so that any problems flagged can be resolved quickly. If possible, go for a QSA who is available year round should you have any questions or issues. That way, any compliance concerns can be resolved in time for your audit.
6. Make Sure You’re Ready
It might sound obvious, but don’t head into your audit without first knowing you have all of the above in order. Enlisting a QSA only to fail to provide proper documentation or policy is just a waste of time for everyone. If in doubt, remember the six P’s: proper preparation prevents poor PCI DSS performance!
If you’d prefer to descope your payment environment from PCI DSS with a fully hosted secure telephone payments solution, speak to our expert consultants today. Our innovative, practical solutions can remove the headache of annual PCI compliance audits and let you focus on running your contact centre.