PCI DSS assessments, also called PCI DSS audits, may seem daunting for you and your business. But, we’ve broken down the process into 5 steps to help you understand what it will be like and how you can better optimize your time.
It’s important to note that the PCI DSS–the Payment Card Industry Data Security Standard–is just the beginning of your security and compliance journey. What it takes to get one business compliant will not be the same for another, and you will need to continue on the path of compliance throughout the year, not just around the time of your PCI audit.
What are the steps of a PCI audit?
PCI DSS audits can be broken down into 5 steps:
1. Pre-engagement. Before you work with a QSA or even sign a contract, our sales team will be engaged to figure out what it is that you need and make sure that services are quoted appropriately.
2. Pre-onsite (gap assessment). Next, you're going to get an initial gap assessment. That's where we make sure that you're ready for an assessment. This piece is done personally by a QSA–who serves as a gatekeeper to make sure that a business is ready to start an audit. Especially in cases where a business has been checking off the Self-Assessment Questionnaire (SAQ) boxes, it’s important to make sure the client fully understands what is required to be ready.
3. On-site. Pre-engagement and pre-onsite were in preparation for the actual on-site, which is where we validate and document what we gathered during the pre-onsite. We will verify that you're doing what you need to do to be compliant. If there are things that need to be addressed, we give remediation steps so that you can get your Report on Compliance (ROC). SecurityMetrics QSAs are not “point-in-time” auditors, but the assessment itself is a “point-in-time” audit: the analysis is based on the state of your environment at the time the on-site happens, and the report reflects that data. However, your QSA will continue with you every step of the way to make sure you understand what's required to become compliant.
4. Post-onsite. During the post-onsite phase, we work with you to figure out what remediation has to be done, if any, and get the ROC ready to be signed.
5. Continued support. The final step of the PCI audit process is continued support. This is an important step, and one in which multi-year customers are able to reach out to their QSA when they have concerns about their environment or if their environment changes. We help them figure out what they need to do to maintain compliance and avoid getting into situations that would cause a much higher compliance burden.
Now that we’ve listed the steps of a PCI DSS Assessment, here’s more detail about each step.
The goal of the pre-engagement phase is to determine your path to compliance before a contract is signed. This step happens with our sales team and can also be thought of as pre-“QSA engagement.” Our sales team starts with a phone call and shares a scoping document with you to help define your environment and your PCI DSS compliance requirements.
They will then introduce you to our Audit Management Tool. This tool is an audit-support portal that provides a secure way for us to review evidence and to communicate during the other phases of the audit. This way, we can easily look at things like your data flow diagrams, network diagrams, evidence of your change control, etc. This makes the feedback process more efficient. We can say “Hey, you need to do this or that,” to meet a specific requirement.
Our ultimate goal is to guide you before, during, and after the on-site assessment so that you can make good decisions. Our focus on this goal is something that sets our process apart from some of our competitors. They may not spend as much time preparing clients for their PCI DSS audit. They may simply perform the audit, and if they pass, they pass; and if they don't, they don't–and that is definitely not our approach.
The first part of the pre-onsite, or “gap analysis” process, is a kickoff call where we find out if there are big-picture items we need to be aware of.
We will discuss your audit timeline. Are you trying to meet a certain deadline? We’ll also go over the scope in detail and find out all payment flows. How do payments come into the system? This portion typically takes between 12 to 20 hours, and the QSAs who perform this step specialize in this specific process.
You will continue to work with your QSA–who is experienced in getting people ready for an assessment. That QSA serves as a gatekeeper so we can avoid sending a QSA to do an on-site assessment at a client who is not actually ready.
This saves you time and money and helps the process go as smoothly as possible. Pre-onsite is an important step that prepares you to pass the on-site audit. We've found many times during the gap analysis, even with clients that have been self-reporting for years, that they are shocked and surprised at what is actually required for PCI compliance. For example, PCI requires you to do a formal annual risk assessment. Do you actually do that?
Does your organization require a penetration test? During the pre-onsite phase, we find out if a pen test is required. In some cases, there are specific PCI DSS requirements which can only be met by a professional penetration test (as opposed to just a vulnerability scan).
Our philosophy is that we want to gather enough information before anybody comes on-site so that you're going to be successful in your efforts.
This information gathering stage includes 40 items that we look at. We ask questions like:
- Do you have policies in place?
- Do you have diagrams that document your data flows?
- How are credit cards being used in your environment?
- How does the data get into your systems?
- If it's there, do you store it? And if you store it, is it encrypted?
- Do you have a standard?
- Are you doing your regular vulnerability assessments?
- Are you doing your annual pen test and annual risk assessment?
Once I gain confidence that the customer is truly ready for an audit, I make a case for them to get into “the queue.” This means we are going to allocate a QSA resource to go perform the on-site audit.
At that point, the assigned QSA comes into the picture. Your original QSA will do a handoff call, and that new QSA will work with the customer and continue to make sure that everything is as it needs to be. They coordinate their schedule and ensure that the right people will be available during the on-site, for example, programmers and system administrators at data centers.
Yes, the pre-onsite phase can seem quite detailed, but it’s this phase that sets our PCI DSS assessments apart and saves time, money, and frustration for all parties. We want to make sure our PCI audits are a positive experience.
The onsite portion is the exciting and fun part. Once a QSA arrives on-site, they go to work by trying to understand your environment so they can validate and actually observe that everything is as you have attested. The QSA collects supporting evidence, and is required to keep that evidence on file for three years. In fact, the PCI Security Standards Council (PCI SSC) regularly performs audits of QSA firms like SecurityMetrics to make sure they are following assessment protocols.
As the QSA is validating controls in the environment, they will continue to use our Audit Management Tool to review data and evidence.
A large part of the onsite phase is interviewing people. QSAs like myself talk with the people involved in the process, and we want them to show us everything in their environment. For example, you've defined this card flow, now we want to see it. If that card flow involves a person at some point, we need to physically see what that person does. If they file a document away, we want to be aware of what's going on. And if by chance any card data gets stuck anywhere, it needs to be appropriately protected.
During this time, we will also confirm that your policies are documented and in practice. We talk to your employees who should have read the policies, and we ask them questions so we can understand if the training is sticking. Sometimes it doesn't stick, so we will make recommendations if people don't seem to remember what they need to do.
One of the most important things during the onsite phase is the review of the configuration standards. This is a crucial step for us. If you have systems, you’ll need to have defined a configuration standard. Once that standard is defined, you apply it to the appropriate system. As QSAs, we will take a sample of systems, look at your configuration standard, and make sure they match.
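As an added illustration of the configuration-standard review described above (example code written for this page, not a SecurityMetrics tool), here is a Python script that draws a reproducible sample of systems, compares each one's effective settings against a defined configuration standard, and lists every deviation. The standard, its rule types, and the system inventory are constructed sample data resembling common hardening settings; they are assumptions for the example, not PCI DSS requirement text.

```python
"""Baseline check of sampled systems against a configuration standard.

Added example, not SecurityMetrics code: the standard, the rule types and
the system inventory below are constructed sample data.
"""
import random

# Constructed configuration standard. Each setting carries one rule:
#   equals -> value must match exactly
#   in     -> value must be one of the listed values
#   min    -> numeric value must be at least this large
#   absent -> the setting must not exist on the system at all
CONFIG_STANDARD = {
    "ssh.PermitRootLogin": {"equals": "no"},
    "ssh.PasswordAuthentication": {"equals": "no"},
    "ntp.enabled": {"equals": "yes"},
    "logging.remote_syslog": {"equals": "yes"},
    "tls.min_version": {"in": {"1.2", "1.3"}},
    "password.min_length": {"min": 12},
    "service.telnet": {"absent": True},
}

# Constructed inventory: effective settings as collected from each in-scope system.
SYSTEM_CONFIGS = {
    "web-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "ntp.enabled": "yes", "logging.remote_syslog": "yes",
               "tls.min_version": "1.2", "password.min_length": 14},
    "web-02": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "ntp.enabled": "yes", "logging.remote_syslog": "yes",
               "tls.min_version": "1.0", "password.min_length": 14,
               "service.telnet": "enabled"},
    "db-01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
              "ntp.enabled": "yes", "tls.min_version": "1.2",
              "password.min_length": 8},
    "app-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "ntp.enabled": "yes", "logging.remote_syslog": "yes",
               "tls.min_version": "1.3", "password.min_length": 16},
}


def describe(rule):
    """Human-readable expectation for a rule, used in findings."""
    if "equals" in rule:
        return f"= {rule['equals']}"
    if "in" in rule:
        return "one of " + ", ".join(sorted(rule["in"]))
    if "min" in rule:
        return f">= {rule['min']}"
    return "not present"


def meets(rule, config, setting):
    """True when the system's setting satisfies the rule."""
    present = setting in config
    actual = config.get(setting)
    if "absent" in rule:
        return not present
    if not present:
        return False  # a required setting that is missing counts as a deviation
    if "equals" in rule:
        return actual == rule["equals"]
    if "in" in rule:
        return actual in rule["in"]
    if "min" in rule:
        return isinstance(actual, (int, float)) and actual >= rule["min"]
    raise ValueError(f"unknown rule for {setting}: {rule}")


def check_system(config, standard=CONFIG_STANDARD):
    """Return [(setting, expected, actual), ...] deviations for one system."""
    return [(setting, describe(rule), config.get(setting))
            for setting, rule in standard.items()
            if not meets(rule, config, setting)]


def sample_systems(inventory, size, seed=0):
    """Pick a reproducible sample of system names. Recording the seed lets the
    same sample be reproduced later as part of the audit evidence."""
    names = sorted(inventory)
    if size >= len(names):
        return names
    return sorted(random.Random(seed).sample(names, size))


def assess(inventory, standard=CONFIG_STANDARD, sample_size=None, seed=0):
    """Check a sample (or every system) and map system name -> deviations."""
    chosen = sample_systems(inventory, sample_size, seed) if sample_size else sorted(inventory)
    return {name: check_system(inventory[name], standard) for name in chosen}


def summarize(results):
    """Count systems that match the standard versus those with deviations."""
    clean = sum(1 for findings in results.values() if not findings)
    return clean, len(results) - clean


if __name__ == "__main__":
    results = assess(SYSTEM_CONFIGS)
    for system, findings in results.items():
        print(f"{system}: {'OK' if not findings else str(len(findings)) + ' deviation(s)'}")
        for setting, expected, actual in findings:
            print(f"    {setting}: expected {expected}, found {actual!r}")
    matched, deviating = summarize(results)
    print(f"{matched} of {matched + deviating} systems match the standard")
```

The point of the `absent` rule and the missing-setting branch is that a standard has to say what must not be there (a legacy service, for example) as well as what must be set, and a system that simply omits a required setting is a deviation rather than a pass; both are the kinds of gap a QSA looks for when comparing a sample against the written standard.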
SecurityMetrics stands apart in the area of thorough, continued support, and we are able to provide that support to our customers during this step as well.
In the post-onsite phase, we focus on helping you remediate items from the onsite assessment and completing the ROC and attestation of compliance (AOC). Typically the report will take 45 to 60 days to complete. Right after the on-site audit, the QSA will give you a list of remediation items. They may say, for example, “It seems like your change management process didn't have sufficient evidence. Meaning, it doesn't look like the controls are effective. So you need to remediate this problem, and I will need to see some change control documentation.”
We want to help clients achieve remediation within a certain amount of time, while at the same time preparing their report. We aim for a 30-day remediation window, with the report taking 45 to 60 days. Once we finish the report draft, and once you've properly addressed your remediation items, the draft goes through our QA process, which can take up to 10 days. We want to time out the process efficiently, especially when clients are trying to meet deadlines.
Sometimes, we work with service providers who are getting a PCI DSS assessment at the request of a customer. They will typically be working towards a specific date and often this becomes critical when we're coordinating the onsite phase and assisting with remediation items post assessment.
Once you take a look at the draft of your ROC and attestation of compliance (AOC), it passes through QA. Once all things are taken care of on the sales side, you will sign the report, and then it will come to us to countersign–and that marks the end of step four: the post-onsite phase.
The final phase of our audit process is ongoing support. And this is hopefully where we make another difference. SecurityMetrics QSAs provide consultation that helps you make good decisions throughout the year.
Once you're required to validate PCI, it becomes an annual event. So, we focus on helping you prepare for your next assessment. We like our customers to remain compliant and to avoid things that could cause them problems. So, this step is important to us; it’s a PCI partnership, not just the checking off of a box.
We provide continued consulting and support, and this is where you can make the most of your QSA experience. You can always reach out to your QSA. They have a full grasp of your compliance requirements. Sometimes there are technical issues that come into play and your QSA can leverage all the experience we have within the Audit department, as well as the experience from other departments like penetration testing or development.
If you are planning on making any significant changes to your payment environment or network, definitely drop a line to your QSA to say, “Hey, we're thinking of making this change. Will that cause any issues for compliance? Will that increase what we need to do?”
Why choose SecurityMetrics for your PCI audit?
The number one differentiator of SecurityMetrics’ PCI audits is simple: a thorough scoping process. Our years of PCI DSS assessment experience have taught us as QSAs that people don't always know, or are not always able to articulate, all of their company’s card data flows at once. That is understandable. Our process helps clients document what they know and leaves space to refine their processes over time.
In addition to a foundation of thoroughness and accuracy, SecurityMetrics brings unmatched industry knowledge and experience that has been boiled down into a superior process with multiple checks and balances.
We only schedule 18 audits per QSA, per year. We are looking for quality–not quantity. This, combined with our extensive pre-onsite phase, collaboration with other technical departments, and ongoing support phase, provides the support and guidance businesses actually need–as opposed to a “one and done” assessment.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and more than 20 years in IT. He graduated from BYU Hawaii and Hawaii Pacific University with a bachelor’s degree and a master’s degree in Information Systems. George’s hobbies include car/motorcycle/scooter repair, gaming, ethical hacking, DJ/Live Audio Professional Services, and computer repair. He has worked in compliance and IT auditing since 2011.