10 Misconceptions About Security Audits

The focus of this blog will be how to have better data security and compliance technology so that you can avoid data breaches, costly fines, slowdowns, and hindrances to your business.

The biggest challenge in establishing your data security policies and practices is learning the things that you know you need to learn more about. There are also things you don’t know you don’t know. Compliance partners can help you learn more about compliance and what questions you need to ask. Determine the questions you should be asking both yourself and your team. This blog will help you identify some of the questions you need to ask. 

Misconception #1

We have been doing our own internal PCI self-assessment; therefore, we are ready for a QSA assessment.

While the PCI requirements can be found in your self-assessment questionnaire, you may be missing some. Additionally, even if you’ve addressed specific requirements to the best of your ability, you might be lacking some experience or depth of understanding that could result in missing some requirements. 

At SecurityMetrics, we are dedicated to providing you with pre-assessment help through consultation and gap analysis as you work to better understand your situation.

Another problem is that you may have multiple channels of card acceptance, especially if most of your work involves an outsourced website. You may find out later that you're actually storing card data somewhere else or have another channel for acceptance. These factors will become evident as you start working on your requirements and doing your internal investigations to prepare for an assessment. 

Misconception #2 

Vulnerability assessments and penetration testing are the same. 

Organizations enroll for quarterly scanning and some think they are done with the self-assessment questionnaire. However, requirement 11.3 is all about penetration testing, and penetration testing is not at all the same as a vulnerability assessment.

Vulnerability scanning requires that you use an approved scanning vendor and that you achieve passing scans every 90 days, whereas penetration tests are a much more involved, manual, and therefore more expensive service. Penetration testing is required once a year or whenever significant changes happen to your environment. If segmentation checks are needed due to your internal network setup, those are also considered part of your penetration testing requirement. If you are a service provider, those segmentation checks must be performed twice per year or whenever any significant changes have occurred in your environment.

Misconception #3

All aspects of credit card handling have been outsourced in my organization; therefore PCI compliance validation does not apply to me.

Some organizations assume that they are exempt from this standard because their outsourced party is PCI compliant. However, if you are a merchant and you are accepting cards in the sense that card deposits are actually coming to your merchant account by way of a service provider, you are obligated to declare your compliance with PCI DSS and much of requirement 12. 

You cannot outsource answers to questions regarding your information security policies, and you must have an incident response plan in place. A good QSA will help you identify the things that are still on your table to address versus those that fall in the realm of your service provider (or whoever handles the outsourced work for you).

Misconception #4

Completing the Self Assessment Questionnaire (SAQ) is all that is needed.

Completing the self-assessment is different from passing the assessment. For example, some may think that when they sign up for ASV scanning from the Self Assessment Questionnaire that they are compliant. Unfortunately, that's not true. You have to sign up for scanning for anything that's applicable and in scope, and you must have the passing scan results. 

If you're doing a self-assessment and you find it to be difficult to get all the answers and get everything completed, it might be a good idea to hire a QSA to consult with. You can also just ask for help in better interpreting the questions, even though you're allowed to self-assess.

Misconception #5 

If I don't run Wi-Fi in my environment, I do not need to test for rogue wireless. 

Requirement 11.1 necessitates an accounting of all the wireless access points in your environment. But what sometimes gets overlooked is that you also need to discover, track down, and eliminate unauthorized Wi-Fi. Or you need to investigate why that Wi-Fi access point is there, who should have access to it, or if it needs to be turned off.

Threat actors have historically snuck into secure areas in a store and set up a Wi-Fi access point. Customers unwittingly used these Wi-Fi access points, thinking that they were using your Wi-Fi. Threat actors then capture this traffic, along with that of many other users. So you must scan for rogue wireless that may be operating in your location.

Misconception #6 

I outsource critical handling of sensitive data to a service provider; therefore, I'm covered.

This can be frustrating because people pay a lot of money for somebody to handle sensitive data. But you still need to learn what exactly your service provider is handling for you. 

In the latest version of PCI DSS, requirement 12.8 necessitates that you list and verify the service providers you’ve engaged with. You need to include a description of the services that they provide, including a confirmation that they include all of the requirements that they are responsible for. A good service provider will actually provide you with a list of the very requirements they are handling. 

Requirement 12.9 is where the service provider has to comply, and state in their own service provider assessment, that they are doing all of these things. 

Don't be shy when you're working with your service providers (or those that are outsourcing critical functions for you). It is your right and responsibility to have that information from your service provider. You can even create a responsibility matrix that shows the requirements that are yours and the requirements that belong to your service provider. Have your service provider acknowledge their requirements in writing.  

Misconception #7

I don’t need to know what my penetration testing scope should be because the QSA will figure that out for me.

While it is true that your QSA can help you determine the scope of the assessment, they are reliant upon the information you provide, such as detailed network diagrams, process flows, and firewall rule sets. 

If you do not have a firm understanding of these elements, the QSA won’t really know how to advise you. As you establish a clear diagrammed outline of your environment (hopefully aided by guidance from your QSA), the scope of the testing will become clearer to you. 

The bottom line is the entity being assessed is responsible for the end testing methodology. 

Misconception #8 

(This misconception is specifically for service providers) Once I have a validated report on compliance, I'll automatically be listed with Visa or Mastercard and their service provider listings. 

It’s very important that you understand that a service provider is required to establish a relationship with a sponsoring bank. This is something that a QSA cannot do for you. 

Visa and Mastercard consider an entity a level one service provider when they exceed 300,000 transactions annually on any one card brand. 

When you are a level one service provider, you're required to have a PCI assessment performed by a QSA. When you have a level one service provider assessment performed by a QSA and you have a signed report on compliance and validation of compliance, you do have the opportunity, if you're willing to pay the fees to Visa and Mastercard, to be listed as a level one service provider on their websites. This will usually cost the service provider around $2000 per year for that privilege. Not sure on pricing these days; it may have increased.

As you are contemplating becoming listed as a service provider with Visa or Mastercard, and before you do your assessment with a QSA, you should start working on developing a relationship with a sponsoring bank as soon as possible because this can be a lengthy process. 

Misconception #9 

Since I've completed a SOC compliance audit successfully, I don't really need to worry about my PCI compliance (or vice versa).

Both SOC 1 and SOC 2 audits must be conducted by a CPA firm, whereas a PCI DSS assessment must be conducted by a QSA. 

The PCI DSS consists of nearly 400 individual controls, some of which could apply to a SOC audit. But there are far more differences than similarities. Many elements of the PCI DSS lend themselves to the SOC compliance work and vice versa, but full validation of either is independent from the other, and they must be treated as separate assessments. Each assessor signs on the line for personally confirming the validated elements of the SOC and of the PCI assessment. 

While some evidence can be used for either assessment, the majority of the work involved for PCI compliance validation will be outside the scope of what SOC audits require. Now, the variability involved with SOC assessments needs to be considered here. The SOC assessment is tailored to the particular objectives and controls defined by the entity being assessed, whereas PCI is more rigid and deals with cardholder data flows and whenever the cardholder data is stored, processed, or transmitted. 

Therefore, some entities may have a lot of overlap between SOC audits and PCI, while others may have very little. 

Misconception #10

It's my QSA's job to get me compliant. 

Assessors review the information and evidence that you provide. Your QSA provides consultation on that evidence and on the efforts you are putting forward to get compliant, but they are not an IT team that steps into place and makes changes to your firewalls, hardware, software, or programming. Those changes need to be handled by a separate service or could be done internally.

This is something you need to keep in mind as you're preparing for an assessment. Do you have the right resources inside your company to take care of these concerns or do you need to look into getting an outside firm that specializes in what you need? There are firms that you can hire to bring your environment up to industry standards. 


  1. Feel comfortable enough to ask informed questions. You need to build a culture inside of your business that encourages informed questions, sharing of information, and clearly defined job assignments. Shed the fear of the unknown and instead be afraid of what you don't know that you don't know. That way you'll have the right questions to ask your QSA for help as you're working.

  2. Tackle your challenges with a team effort. Hopefully, all of these duties of becoming compliant and gathering evidence don’t fall upon one person in the organization. It can be helpful to create a matrix of responsibility inside your company of who is in charge of what. Keep logs on what they're doing to change things and make sure you're following PCI DSS on tracking changes.

  3. Document everything and organize it for updating and future use. This is part of the PCI DSS assessment requirements - that you have everything documented and that you have a means in place to update that documentation so that it never becomes out-of-date and incorrect.

  4. View your PCI compliance efforts as ongoing throughout the year. Because your company doesn't just sit statically, there are changes that occur. You need to be aware of the changes and make sure that you're tackling them as they happen. For example, penetration testing is a once-a-year requirement, but if you have a significant change to your environment, you need to test again. Your QSA can help you determine if the change is significant enough to do another penetration test, so definitely use your partner assessor to help you know how to respond to those changes.

  5. Lastly, make sure you've engaged someone early enough in your assessment process. This will help you avoid issues with deadlines and other stressors. Find a good assessor early and be confident that you can ask questions and trust their suggestions.

Ultimately, you will be able to avoid many of these misconceptions if you view security as a mindset rather than a checklist. This attitude, with a trusted partnership with an assessor, will allow you to take the appropriate steps to secure your peace of mind and never have a false sense of security. 

Written by Lee Pierce 