Understanding PCI compliance auditing
- 09 September, 2011 15:05
Businesses of all sizes must undertake PCI compliance auditing to ensure that their customers' data is protected during credit or debit card transactions and if stored within any internal business databases.
A classification system based on the number of transactions that a business processes each year sorts businesses into levels. Established businesses with a large number of transactions fall into the higher levels and are most likely well versed in this audit process; a business classified as Level 1 (having more than 6 million credit card transactions per year) will probably have participated in the annual audit required under the PCI (Payment Card Industry) Data Security Standard. However, a Level 4 business (having fewer than 1 million credit card transactions per year) preparing to participate in its first audit may find it a little daunting.
If you're feeling that PCI auditing is complicated and you're a little overwhelmed with it, then getting to grips with what this type of audit is may be the first step toward putting your mind at ease.
In the simplest terms, PCI auditing is a process carried out by a qualified auditor to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card).
PCI compliance auditing is a process whereby your business's point-of-sale system is assessed. The purpose of this is threefold: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.
The following list is a step-by-step outline of what a compliance audit involves:
- All credit card data are sensitive in nature, so when you intend to build a compliance audit program, it is important that you find a Qualified Security Assessor (QSA), approved by the PCI SSC (Payment Card Industry Security Standards Council), to conduct the audit. The initial work of the QSA involves evaluating your security infrastructure and procedures, policies, networks and systems. When done, the QSA will submit a risk assessment to you.
- The risk assessment will be the foundation for improving your data security. The QSA will give advice on conducting staff training on security awareness, so that all your employees have the knowledge and skills needed to meet current PCI standards and regulations.
- Following a risk assessment review, any vulnerabilities found will be ranked and prioritised according to seriousness, so you will know which areas need to be addressed first. The focus of this is to improve your data security standards.
- Any problems identified in the audit should be addressed, and the QSA who conducted the audit can manage this process, or act as a consultant giving advice on improving your PCI compliance. If you have a high level of compliance already, then you may not need to do much to prepare for the audit. If you've never been audited, then addressing any issues that have arisen will ensure that the audit goes smoothly. If your organisation has previously been exposed to a breach, then an audit will give you guidelines to follow to avoid future security breaches.
PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments, and that transactions don't result in a compromise of customers' data.
Ensuring that you have PCI compliance and a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided.