PCI DSS audits are nothing new to big-box retailers, but the audit process can be stressful for small businesses and cash-strapped startups. And when a data security audit follows a breach or cyberattack, it can feel more like a punishment than a safeguard.
At Very Good Security, we see a PCI audit as the first line of defense against a data breach. A recent IBM report highlights that the ability to identify threats quickly could save your company as much as $1 million.
And cyberattacks are only increasing. Despite COVID’s massive disruption of the global market, phishing attempts increased by 600% in February 2020 alone, and nearly 1 in 4 online users will become a hacking victim.
With the line between work and personal life more blurred than ever, an attack like this on one of your employees could inadvertently affect your corporate network. When it comes to PCI compliance, the audit process is essential to protect your data.
PCI DSS audits defined
Introduced by prominent payment card brands in 2004, the Payment Card Industry Data Security Standard (PCI DSS) quickly became a data protection standard for businesses across the globe to fend off fraud and identity theft.
As technology has evolved, so have the PCI requirements. PCI DSS audits are therefore extensive and can cover up to 281 directives.
If you are a merchant that accepts or processes payment cards, you must comply with the PCI Data Security Standard and validate that compliance every year, either through a QSA-led audit or a self-assessment, depending on your level. A PCI audit tests your systems against the 12 main PCI requirements and the hundreds of sub-requirements that sit under them.
The 12 PCI DSS requirements set out by the PCI Security Standards Council are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt cardholder data when it is transmitted across open, public networks
5. Use and regularly update anti-virus software and other security programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data to those with a business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain an information security policy that covers employees and contractors
How the PCI DSS audit process works
Depending on their designated level, merchants and service providers must either undergo a full PCI audit every year or complete a regular self-assessment. Level 1 merchants and service providers must submit an annual onsite audit performed by an external assessor. Level 2-4 merchants and Level 2 service providers complete a Self-Assessment Questionnaire (SAQ) instead.
To be considered a Level 1 merchant, you must process more than 6 million payment card transactions per year, or Visa must have determined that you need Level 1 compliance. Service providers must process over 300,000 payment card transactions per year to be labeled Level 1. A Qualified Security Assessor (QSA) must conduct each onsite audit.
This annual process can take 4-6 months depending on the size of your company’s cardholder data environment (CDE), and includes several steps:
- Defining PCI scope
- Performing a gap analysis
- Researching and hiring your QSA
- Assessing the CDE onsite
The PCI audit process, no matter what your level, will vary in time and complexity depending on your business. And each organization will have its own challenges. “When I was a QSA I saw some organizations that were extremely good at software development lifecycles (SDLC) but were still relatively immature in log management and alerting,” says Rob Faba, PCI Compliance lead for VGS. “Or the inverse can happen, usually with startups where everyone is always trying to work fast.”
For a successful audit, your QSA issues a Report on Compliance (ROC) together with an Attestation of Compliance (AOC). You submit these to your acquiring bank, which processes them and forwards them to the card brands (Visa, for example) for verification.
How much does a PCI audit cost?
Your actual PCI audit cost ultimately depends on your PCI level, the size of your data processing operations, the time needed to complete the audit, and the auditor’s fee. A full PCI DSS audit can take between 279 and 378 hours. Even if you engage the lowest-price PCI specialist at $50 an hour, that is at least $13,950 in assessor fees alone.
No matter what your audit ends up costing, it’s important to realize that a PCI audit is a drop in the bucket compared to expenses incurred from a hack. A single data breach can cost you up to $100,000 in non-compliance penalty fees alone!
Conducting an audit during COVID
What if your state or county is on lockdown? PCI DSS compliance still applies during the pandemic. The good news is that you can still make progress on your compliance measures during a shutdown.
The key to success here is social distancing and remote work. Since April, the PCI Council has allowed remote assessments in place of onsite ones. You may also be able to get an extension on your assessment deadline.
“I personally think the remote assessment model is sufficient in most scenarios,” says Rob. “I can’t speak for what the council will do once the pandemic is behind us, but I certainly hope they incorporate lessons learned and eliminate needless site visits for organizations that don’t deal with physical cardholder data.”
5 Common PCI audit mistakes
There are steps you can take before a PCI audit to reduce potential issues and remediations. You should always complete a Self-Assessment Questionnaire (SAQ) before your final audit, and work together with various departments to ensure compliance.
Nonetheless, it is possible to fail an audit. Here are the top 5 mistakes to avoid when preparing for your PCI audit:
1. Not researching your auditor. The easiest and fastest way to find a QSA for your audit is to choose one from the PCI Council’s published list. But that doesn’t mean you should pick the first one you see. Shortlist the auditors who stand out and interview them separately. You will be giving an outside individual access to incredibly sensitive information, so it’s critical that you choose an expert with a positive reputation. Don’t focus solely on cost: an auditor who can efficiently review your systems and data security procedures will save time and money down the line.
2. Not upgrading your data security practices before the audit. You may think the easiest way to get started with PCI compliance is to bring in an auditor right away. In fact, that will just end up wasting time and money, and you’ll only have to repeat the process months down the line. Before bringing in an auditor, make sure to review and act on your own internal assessment or gap analysis.
3. Lack of documentation. Once a QSA comes in, they will want documentation of all your data security processes and procedures. Your documentation must show that you have addressed each of the requirements. Log files, network and cardholder data-flow diagrams, and change records are the kinds of evidence assessors expect.
4. Unorganized data storage. It’s easy to let data collection and storage get out of hand. Your cardholder data environment (CDE) should be segmented from the rest of your network, and you should have a retention and disposal process so that you are not holding cardholder data you no longer need.
5. Failure to scope. One of the biggest problems is simply that a company does not understand its scope. “You might think, well all I have is a single web server with a single payments page that I use to accept payments. Then you contact a QSA firm to conduct an assessment and you realize you have a whole bunch of systems and people that are actually in scope,” says Rob.
Businesses should know their network segmentation inside and out. If you can define your data flows clearly and accurately, the audit will go smoothly. But if you don’t have the basics down, it’s easy to see the entire audit going downhill quickly.
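Scoping and storage problems usually surface the same way: a sweep finds primary account numbers (PANs) in logs, exports or config files on hosts nobody thought were in the CDE. The script below is an added example, not VGS code and not part of the original post, showing how such a sweep works: it pulls digit runs out of text, keeps only those that pass the Luhn check (which discards most ticket numbers, timestamps and API keys), and reports each hit with the PAN masked to first six and last four digits so the findings themselves do not become a new place where cardholder data is stored. The file contents are constructed for the example and use well-known test card numbers; the paths are hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample file contents standing in for artifacts a scoping sweep
# might find on systems assumed to be outside the cardholder data environment.
# The card numbers are the well-known Visa/Mastercard test numbers: they pass
# the Luhn check but are not real accounts.
SAMPLE_FILES: Dict[str, str] = {
    "/var/log/app/checkout.log": (
        "2020-02-14T10:01:22Z INFO order=5531 pan=4111111111111111 status=ok\n"
        "2020-02-14T10:02:05Z INFO order=5532 token=tok_5f3a9c1e status=ok\n"
    ),
    "/home/support/export.csv": (
        "customer,card,notes\n"
        "Alice,5555 5555 5555 4444,refund requested\n"
        "Bob,1234567812345678,ticket id not a card\n"
    ),
    "/etc/app/config.yml": "api_key: ABCDEF0123456789\n",
}

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Deliberately loose: the Luhn check filters the noise.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """Scan one file's text and report Luhn-valid candidates, masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"path": path, "line": lineno, "pan": mask_pan(digits)})
    return findings


def find_cardholder_data(files: Dict[str, str]) -> List[dict]:
    """Run the scan over a {path: contents} map and return all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def in_scope_paths(files: Dict[str, str]) -> List[str]:
    """Distinct files holding PAN data; each one pulls its host into PCI scope."""
    return sorted({f["path"] for f in find_cardholder_data(files)})


if __name__ == "__main__":
    for f in find_cardholder_data(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} PAN {f['pan']}")
    print("In-scope files:", in_scope_paths(SAMPLE_FILES))
```

Run against the constructed sample, the sweep flags the checkout log and the support export but not the config file or the 16-digit ticket number, which fails Luhn. In a real sweep you would feed it file contents from the hosts you believe are out of scope; every path it returns is either a system that belongs in the CDE or data that should be purged before the QSA arrives.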
How often should you audit your PCI security system?
Generally, companies should review their overall cybersecurity practices twice a year. To stay PCI compliant, you must validate your systems at least once a year, and after any significant change to your systems or processes you need to reassess your scope and the affected controls, since a change can pull new systems into the CDE or invalidate a control the last assessment relied on.
Reduce your PCI audit burden
PCI audits are not just a step toward validating PCI compliance; they also help you better protect your cardholder data. But it’s easy to see how the process can become overwhelming and cost-prohibitive. Ensuring 100% compliance in-house can result in delayed product launches, lost opportunities, and reduced revenue. Meanwhile, you remain liable in the event of a cyberattack.
VGS turns this complicated audit process into a business accelerant. Once you integrate with VGS, which takes about 10 minutes, you only need to think about your scope, the onsite assessment and ROC. Through compliance as a service, it’s possible to become PCI compliant in 4 weeks or less instead of 6-12 months. The best part? We take care of most of the audit process for you.
And because there are no hidden costs, we typically save our customers up to 75% of PCI compliance costs. Instead of worrying about audit prep, data breach liability, or maintenance costs, you can focus on running your business.