6 Tips to Help Contact Centres Prepare for a PCI DSS Audit
Compliance with the PCI Data Security Standard (PCI DSS) is demonstrated by auditing an organisations cardholder data environment, or CDE for short, on an annual basis. The type of audit is dependent on the merchant level as defined in the PCI DSS by the payment brands. Level 1 merchants and service providers must have an external Qualified Security Assessor (QSA) perform the audit and all other levels can self-audit and submit a Self-assessment Questionnaire (SAQ).
It’s important to remember the reasons behind audits; PCI DSS compliance is vital not only to the safety of your customer’s data, but also to the security, reputation and future of your business. But without year-round preparation, the PCI audit is a challenge. This is especially true if the cardholder data environment is complex, as is often the case in the contact centre.
Here’s our need-to-know guide for on-the-ball businesses:
1. Understand the PCI DSS audit objectives
It’s all too easy to think of the annual audit as a checkbox exercise to be completed on the day. Compliance is in fact determined by whether organisations meet all twelve requirements of the PCI DSS, all the time. The PCI Security Standards Council (PCI SSC) have gone to great lengths not only to ensure this is reflected in the PCI DSS, but also to guide organisations on how to approach PCI compliance with numerous guides (available in their document library.)
2. Know and Work with Your Team
Who you work with will be decided by where cardholder data is stored and how complex that environment is as there will be some cross department collaboration. For level one merchants and service providers employing the services of a QSA, ensure they are accredited by the PCI SSC and have a good reputation and that they are available year-round should you need them. It may also be necessary to appoint an internal compliance manager who can work on clear, concise and centralised security policies and act as the ‘go to’ within your organisation.
3. Preparation is key
It cannot be emphasised enough; knowing your business inside out builds the best foundation for guaranteeing compliance. Start by creating data flow diagrams to give a visual representation of where cardholder data is stored, processed and transmitted. As a bonus, you may also find ways in which sensitive data can be processed by fewer systems, accessed by fewer people, and stored in fewer places for shorter periods of time – decreasing the scope of your audit.
4. Consider segmenting networks and conducting gap analysis
Neither of these are required by the PCI DSS, but both go a long way to reduce scope and the chances of being found non-compliant. Isolating less-secure networks not required to be in the CDE from high-security networks can ensure that a compromise in the less-secure network does not affect the security of other high-security networks, and having a QSA conduct a gap analysis as a starting point to establish what the business is currently doing against the PCI DSS allow for any areas found non-compliant being addressed ahead of the audit happening.
5. Document and Monitor Everything
Documenting audit and event logs, vulnerability scans, service providers, system changes and anything else of relevance throughout the year is crucial as it provides evidence of compliance over the course of the year. Keeping these records organised will prevent a last-minute scramble ahead of the audit.
6. Make sure you’re ready
It might sound obvious, but don’t head into your audit without first knowing you have all of the above in order. Enlisting a QSA or starting an SAQ only to find that documents are missing or that you don’t meet the requirements are a waste of time and money. If in doubt, remember the six P’s: proper preparation prevents poor PCI DSS performance!
If you’d prefer to descope your payment environment from PCI DSS, speak to our experts today. Our solutions can remove the headache of annual PCI compliance audits and let you focus on running your contact centre.