PCI DSS Audit and Certification Checklist: How To Get Ready For the Final Audit
Getting ready for your final audit? If your organisation is new to it, the process of achieving and maintaining PCI DSS compliance may seem tedious and costly. However, if you put the right tools and practices in place, the process becomes much simpler, and it is certainly achievable for most small and medium-sized enterprises.
So, before you make the final call to the auditor, make sure that you have checked off and conformed to every point on your compliance checklist. If you are not using a hosted solution, you must meet all 12 requirements of PCI DSS at all times. There are also a number of other key points that determine your readiness for the final audit.
The following list of eight actions will help you prepare your organisation for the PCI compliance audit. Keep the list handy and check off actions as you’ve completed them.
- Categorise the Level of your Organisation
The most important step is to categorise your merchant or service provider level. This matters because it decides whether you can complete a Self-Assessment Questionnaire (SAQ) or whether you need a Level 1 Onsite Assessment performed by a Qualified Security Assessor (QSA).
- If SAQ compliance applies, determine which SAQ type you need to complete. You can work this out by visiting www.pcisecuritystandards.org and finding the scenario that best fits your organisation. Based on that scenario, you choose from a number of SAQ types such as A, B, C, C-VT, D and P2PE-HW.
- If a Level 1 Onsite Assessment applies, engage a Qualified Security Assessor who delivers good-quality work for a fair fee.
- Develop the Scope of PCI DSS for your Organisation
Though it may seem easy at first, developing and maintaining a way to track all your cardholder data assets and their locations is one of the most daunting tasks. You must know which business processes use cardholder data, where it is stored, how it is accessed, and which ports and protocols are used when it is transferred from one location to another. Update this inventory on an ongoing basis.
Many organisations fail to achieve PCI compliance because they try to implement the standard across the entire organisation instead of focusing only on the areas involved in dealing with cardholder data. Scoping your organisation for PCI DSS helps save a lot of time, cost and effort for both your organisation and your QSA. With the scope minimised, you can effectively concentrate on compliance areas only. Make sure you include only those processes in the scope of compliance that are directly or indirectly involved in storing, processing and/or transmitting cardholder data.
- Install and Keep an Updated Firewall
Although it may seem like an easy task at first, many organisations fail to comply with this very basic requirement of PCI DSS, usually because of a misconfigured firewall. It is therefore essential to keep a correctly configured, up-to-date firewall between untrusted networks and the systems that hold cardholder data, and to review its rules whenever the environment changes.
- Ensure the Implementation of Strong Access Control
Data is protected only when strong access control measures are applied consistently. Make sure you have deployed digital certificates and other widely used cryptographic techniques for authentication. Go further where you can: restrict access to data decryption keys to a strict need-to-know basis.
- Strictly Consider Compliance as an Ongoing Process
New threats emerge every day, and compliance requirements keep evolving with them. To stay compliant at all times, monitor and test your networks regularly. Review your PCI scope at least every three months, and use data loss prevention and security event monitoring tools to assess the safety of your data in real time. Also verify that every third party that stores, processes or transmits cardholder data on your behalf is itself PCI-compliant, and ask for written proof.
Organisations that achieve one-time compliance often fail to maintain and operationalise PCI-compliant policies and procedures. Though the intent to remain compliant never diminishes, gradual changes in the environment lead to non-conformity: new employees, staff turnover or promotions, for example. Many auditors regard this as a general weakness in organisations that lack the will to keep up with their controls. To ensure the long-term success of your PCI DSS programme, include these checkpoints in your final list every time:
- Awareness and support of senior leadership in terms of cardholder data security and contractual responsibility
- Role awareness and implementation of all control owners that are assigned to every PCI control
- Written procedures to manage control processes as outlined by PCI DSS
- Existence of automated tools such as SIEM and File Integrity Monitoring to help operationalise security controls
- Existence of automated tools to monitor and measure the effectiveness of security controls.
Some of the processes that can be automated with the application of the correct tools are:
- File Integrity Monitoring
- Incident Response
- Vulnerability Management
- Asset Identification and Management
- Logging and Security Event Monitoring
- Default Password Checking
- Firewall Rule Review
- Access Provisioning and Access De-provisioning
- Wireless Rogue Detection
- Keep your Policies and Procedures Updated
It is important to track changes and updates to organisational policies and procedures so that the auditor can easily understand what you have changed. The Information Security Policy in particular should be maintained and communicated to all employees to keep them informed about information security threats. Regular training and awareness sessions on information security must also be conducted.
- Conduct Internal Audit
To confirm that all your controls are working effectively, always conduct an internal assessment or audit before the final audit. The IT controls implemented for compliance often do not work as expected; an internal audit helps you find and fix these gaps so that every required control is in place when the QSA arrives.
- Communicate with your Qualified Security Assessor throughout the Year
Stay in contact with your QSA throughout the year, especially during major changes to your IT environment. This keeps them up to date and lets you deal with potential new issues proactively rather than after implementation. With their experience, they can give you valuable, practical advice as soon as problems arise and help you resolve them there and then.
Did this checklist help you? Do you need more assistance? Stickman Consulting can help you get ready for your final PCI DSS audit. Just visit our website or contact us today.