Understanding PCI compliance auditing

A step-by-step guide of what a compliance audit entails

Businesses of all sizes must undertake PCI compliance auditing to ensure that their customers' data is protected during credit or debit card transactions and if stored within any internal business databases.

A classification system based on the number of transactions that a business processes each year sorts businesses into levels. Established businesses with a large number of transactions will fall into the higher levels and are most likely well versed in this audit process; a business classified as Level 1 (having more than 6 million credit card transactions per year) will probably have participated in the annual audit as part of the PCI (Payment Card Industry) Data Security Standards. However, a Level 4 business (having fewer than 1 million credit card transactions per year) preparing to participate in its first audit may find it a little daunting.

If you're feeling that PCI auditing is complicated and you're a little overwhelmed with it, then getting to grips with what this type of audit is may be the first step toward putting your mind at ease.

In the simplest terms, PCI auditing is a process carried out by a qualified auditor to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card).

PCI compliance auditing is a process whereby your business's point-of-sale system is assessed. The purpose of this is threefold: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.

The following list is a step-by-step outline of what a compliance audit involves:

  • All credit card data are sensitive in nature, so when you intend to build a compliance audit program, it is important that you find a qualified security assessor (QSA), who is approved by the PCI SSC (Payment Card Industry Security Standards Council), to conduct the audit.

    The initial work of the QSA involves evaluating your security infrastructure and procedures, policies, networks and systems. When done, the QSA will submit to you a risk assessment.

  • The risk assessment will be the foundation for improving your data security. The QSA will give advice on conducting staff training on security awareness, so that all your employees have the knowledge and skills needed to meet current PCI standards and regulations.

  • Following a risk assessment review, any vulnerabilities found will be ranked and prioritised according to seriousness, so you will know which areas need to be addressed first. The focus of this is to improve your data security standards.

  • Any problems identified in the audit should be addressed, and the QSA who conducted the audit can manage this process, or act as a consultant giving advice on improving your PCI compliance. If you have a high level of compliance already, then you may not need to do much to prepare for the audit. If you've never been audited, then addressing any issues that have arisen will ensure that the audit goes smoothly. If your organisation has previously been exposed to a breach, then an audit will give you guidelines to follow to avoid future security breaches.

PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments and that transactions don't result in a compromise of customers' data.

Ensuring that you have PCI compliance and a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided.
