PCI Compliance Checklist for Audits

The PCI Security Standards Council (PCI SSC) established PCI DSS as a framework for merchants and service providers to use in securing credit card and cardholder data from a breach.

Annual audits to document your compliance with the Payment Card Industry Data Security Standard (PCI DSS), however, can be nerve-wracking and expensive. Preparing for that first audit alone can take two years and cost $50,000 or more. 

Avoid headaches and costly remediation: Follow these steps to prepare for your PCI DSS audits, by creating a PCI Compliance Checklist that fits your business operations and demonstrates your compliance.

Take these steps toward successfully creating a PCI Compliance Checklist tailored to your business

For Level 1 merchants and service providers, there’s no avoiding the hassle or expense of an on-site audit. You can, however, reduce your stress levels by using our PCI DSS audit checklist to prepare.

These steps can help you streamline the audit process and feel confident that you’re taking the right steps to protect sensitive data against data breaches, and achieve a good auditing outcome.

Step 1: Determine your scope.  

PCI DSS has 12 major requirements and 281 smaller, more precise directives. Not all of them apply to every business, but many of them can — so it will save you time and money first to determine which ones actually do apply to your business. The requirements are:

• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
• Use and regularly update antivirus software.
• Develop and maintain secure systems and applications.
• Restrict access to cardholder data by business need-to-know. 
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes, for instance by conducting your own penetration testing.
• Maintain a policy that addresses information security and enforce security requirements such as  default passwords 

Step 2: Minimize your scope. 

Isolating your cardholder data environment (CDE) with firewalls, encrypting all the data that passes through the CDE, and disposing of card data as soon as possible will save on an auditor’s time, and therefore save you money.

1. Analyze existing compliance with each of the directives you deemed applicable in Step 1.
2. Test your CDE controls and identify security vulnerabilities. 
3. Gather your evidence by collecting your IT architecture, CDE diagrams, security policy, and other documentation of your compliance efforts. Have it on hand for the auditor.

Remember: passing the audit is only the first step toward PCI DSS compliance. 

PCI standards also mandate ongoing efforts to safeguard financial information against unauthorized access and use. Once you’ve established the compliance requirements that apply to your business, you can create a PCI compliance checklist that specifically fits your business needs.

Who Needs an Audit?

All merchants and service providers who accept credit cards or process, transmit, or credit card data must comply with PCI DSS or face fines of up to $100,000 per year. In some egregious cases, you can even lose credit-card processing privileges. 

Not everyone needs an audit, however. Recognizing that different entities have different levels of data security risk, the PCI SSC created four compliance levels for merchants and two for service providers who handle credit card transactions. 

Level 1 organizations must demonstrate PCI DSS compliance by procuring an on-site audit from a Qualified Security Assessor (QSA) or PCI-certified Internal Security Assessor, who will then file a Report on Compliance (ROC) with the acquiring bank.

Level 1 enterprises include:

• Merchants that process 1 million or more in-store and e-commerce payment card transactions annually, depending on which cards they accept
• Service providers that process, store, or transmit data from more than 300,000 payment cards per year
• All enterprises that have experienced a security breach that resulted in the compromise of credit card or cardholder data

Those in Levels 2, 3, and 4 may be able to complete a self-assessment questionnaire (SAQ) and Attestation of Compliance (AOC) in lieu of the audit and ROC.

Cybersecurity and PCI compliance management tools

As you forge a path for your business through the pandemic and our highly regulated, highly interdependent world, many tools can help keep your business stay competitive while keeping cybersecurity and compliance top priorities. 

ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before those risks manifest as real threats. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a demo.