Understanding PCI compliance auditing
- 09 September, 2011 15:05
Businesses of all sizes must undertake PCI compliance auditing to ensure that their customers' data is protected during credit or debit card transactions and if stored within any internal business databases.
A classification system based on the number of transactions that a business processes each year sorts businesses into levels. Established businesses with a large number of transactions will fall into the higher levels and are most likely well versed in this audit process; a business classified as Level 1 (having more than 6 million credit card transactions per year) will probably have participated in the annual audit as part of the PCI (Payment Card Industry) Data Security Standards. However, a Level 4 business (having less than 1 million credit card transactions per year) preparing to participate in their first audit may find it a little daunting.
If you're feeling that PCI auditing is complicated and you're a little overwhelmed with it, then getting to grips with what this type of audit is may be the first step toward putting your mind at ease.
In the simplest terms, PCI auditing is a process carried out by a qualified auditor to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card).
PCI compliance auditing is a process whereby your business point of sale system is assessed. The purpose of this is threefold: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.
The following list is a step-by-step outline of what a compliance audit involves:
- All credit card data are sensitive in nature, so when you intend to build a compliance audit program, it is important that you find a qualified security assessor (QSA), who is approved by the PCI SSC (Payment Card Industry Security Standards Council), to conduct the audit.
The initial work of the QSA involves evaluating your security infrastructure and procedures, policies, networks and systems. When done, the QSA will submit to you a risk assessment.
- The risk assessment will be the foundation for improving your data security. The QSA will give advice on conducting staff to training on security awareness, so that all your employees have the knowledge and skills needed to meet current PCI standards and regulations.
- Following a risk assessment review, any vulnerabilities found will be ranked and prioritised according to seriousness, so you will know which areas need to be addressed first. The focus of this is to improve your data security standards.
- Any problems identified in the audit should be addressed, and the QSA who conducted the audit can manage this process, or act as a consultant giving advice on improving your PCI compliance. If you have a high level of compliance already, then you may not need to do much to prepare for the audit. If you've never been audited, then addressing any issues that have arisen will ensure that the audit goes smoothly. If your organisation has previously been exposed to a breach, then an audit will give you guidelines to follow to avoid future security breaches.
PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments and ensures that transactions don't result in a compromise in the customers' data.
Ensuring that you have PCI compliance and a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided.