Organizations cannot afford to neglect their PCI compliance obligations. According to its website, PCI could punish offending organizations with a monetary penalty ranging in value from $5,000 to $100,000 per month. These fines could spell the end for a small business. Acknowledging those consequences, organizations need to make sure they’re PCI compliant. More than that, they must ensure they’re prepared for when auditors come knocking on their door. Here are some practices that organizations can use to prepare themselves for their next PCI audit.
Familiarize Yourself with the PCI Requirements
The PCI DSS is prescriptive – the requirements tell you exactly what you need to do and how an auditor will assess your compliance. The requirements are your guide, and a review will help you determine which requirements apply to you, which are not in scope, as well as the technical tools and documentation you’ll need. While going through this process, you will also be able to determine which things are already in place, which may need review, and anything you may need to complete before the next audit (e.g., an annual review of a system provider’s attestation of compliance, AOC).
Know Your Scope and Boundaries
Remember that PCI is concerned with the safe handling of cardholder data, so properly delineating the boundary of your cardholder data environment (CDE) will be key to success. The more you can limit the CDE, the easier it will be to protect and it. This will also help you focus your audit on what is most important. As you analyze your CDE, consider whether you can shrink the footprint and segment the systems storing, processing, and/or transmitting cardholder data.
Remember Your Frequency-Bound Controls
The PCI requirements have several types of controls, some are continuous, others triggered by events (e.g., significant change), and others are interval based – annual, quarterly, monthly, etc. Be sure to set a regular cadence for interval-based controls, ideally doubling the frequency required by PCI. Why double? Unexpected events can easily derail the best-laid plans. Doubling the frequency adds a cushion against those events and helps eliminate the risk of a finding; you can’t go back in time and make up for a missed access or firewall review.
Gather Your Team and Set Expectations
One key to a successful audit is preparation. It’s not enough to follow all the requirements, an auditor is going to need evidence of completion. Your team will need to provide reports, screenshots, interviews, and documentation, which will take time away from their normal activities. Knowing ahead of time which people and teams will be needed, the schedule of auditor interviews, and the types of things that will need to be delivered will make for a better audit. Finally, ensure you have an audit coordinator manage these activities. A central person to schedule teams, organize evidence, and liaison with the auditors is a key to success.
Keep a Positive Attitude
Remember, the auditor is there to help you – compliance is a way to help ensure you are protecting your company and your customers. Compliance is a team effort, and the goal is to reduce risk to the CDE. The auditor is a partner, not an adversary, even though an audit may not feel like that. Another way an auditor can help is to perform a gap analysis or pre-audit check. Bringing in outside guidance to help prepare is a great way to set expectations, discover any areas that need work, and perform a test run for the team.
Now Is the Time to Get Ready for Your next PCI Audit
Tripwire Enterprise can help organizations prepare themselves for the next PCI audit. It can do this by enabling organizations to generate compliance reports with the click of a mouse. In doing so, organizations don’t have to waste time and resources in getting ready for a PCI audit. Automated controls help organizations remain prepared for an audit at all times. Learn more about how Tripwire’s solutions can help you with your PCI compliance efforts.
