The Payment Card Industry Data Security Standard (PCI DSS) represents an information security standard designed for organizations that store, process, or transmit credit cards and are exposed to cardholder data. The card brands themselves have advocated for the PCI standard which is administered by the Payment Card Industry Security Standards Council (PCI SSC). Given organizations are interested in compliance, many ask the question “what are the PCI DSS Security Audit Procedures”?
The PCI DSS Audit Procedures are designed for use by a qualified security assessor (QSA) conducting an audit on merchants or service providers that are required to validate compliance with the PCI data security standard. The payment card industry has outlined the requirements in the data security standard which outlines how to obtain PCI compliance. In addition to the PCI DSS, there is also the Payment Application Data Security Standard (PA-DSS). This is the standard to which all PCI-approved payment applications are assessed. Payment applications must adhere to specific security requirements including:
- Applications must not store full magnetic stripe or card data.
- Applications that require the disabling of other security countermeasures like antivirus or firewalls are not PCI DSS or PA-DSS compliant.
- Vendors that are able to use unsecured methods to connect to payment card applications are not PCI DSS or PA-DSS compliant.
PA-DSS goes hand in hand with PCI DSS requirements but has a more focused scope on applications. PA-DSS does not evaluate the operating system that the application runs on, nor does it examine the database for security countermeasures. Back office systems are also immune to the purview of data security standards. Where PA-DSS does apply is as follows:
- All payment card application functionality,
- The guidance that the payment card application provides customers and potential customers,
- Selected platforms and application versions,
- Tools used by or within the application.
When a QSA is conducting the PCI DSS Security Audit, they must prepare a report that will later prove the validation of their findings. The PCI Security Standards Council has given the QSA a sample report which outlines all components of the audit procedures that merchants or service providers can leverage as an audit plan template before an audit. The report is broken down into the following sections:
- Description of scope of the review (what is being assessed).
- The Executive Summary (The high level about the environment, applications, systems, and people).
- Findings and Observations (What did the auditor find and observe in the audit).
- Contact information and report date (Who was interviewed and when was the report finished).
The security audit procedures include a checklist created by the PCI Security Standards Council. The checklist includes columns that capture the requirement, testing procedures if the control is in place, not in place, target date, and comments.
PCI DSS compliance was designed to protect credit cardholders and credit card data. The standard represents solid information security practices, encourages security policy, and encompasses both traditional business as well as e-commerce. Organizations are seeking a Report on Compliance (RoC) that proves they have a secure network. A great way to achieve compliance is by following several cybersecurity basics such as access controls, anti-virus software, vulnerability management, and conducting risk assessments, especially when interfacing with public networks. Penetration testing can help in pre-PCI audit scenarios where merchants and service providers want visibility into potential weak spots in the PCI network. The Self-Assessment Questionnaires (SAQs) are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance. Merchants are classified into levels based on the number of transactions processed in a given year.
The PCI DSS audit procedures assist the QSA in performing the specific audit testing steps while providing guidance for merchants and service providers on how they will be assessed.