When it comes to PCI audits, being prepared is the key, but what should you do before your auditor shows up?
Let’s face it, does anybody like doing audits? They can be a headache for everyone involved. Between going over the requirements, being told what you’re doing wrong, and learning what needs to be fixed, you’re exhausted by the end. But if you prepare properly for your next audit, it will go more smoothly, making you, your company, and your auditor very happy.
SEE ALSO: PCI Audit Alphabet Soup: De-Jumbling the Jargon
Something crucial to remember is PCI auditors are not your enemy. They want to help your company become compliant with PCI DSS. But if they come to your company for an audit and you haven’t made any preparations, the audit can quickly turn into a nightmare.
Here are some tips on how to prepare for a PCI DSS audit:
Don’t assume you’re compliant
Just as attackers evolve, so does the PCI DSS. The PCI Security Standards Council published PCI DSS 3.2.1 in 2018, which revises several requirements and deadlines. Don’t assume that because you were compliant last year, you’re automatically compliant this year.
Keep up to date on any changes in the PCI standard, and document any changes in your business. This can help you spot vulnerabilities that may show up with these changes.
SEE ALSO: 10 PCI Security Standards Myths
Understand your risks
You can’t protect your company from what you don’t know. PCI DSS Requirement 12.2 calls for a formal risk assessment at least annually and after significant changes to the environment, and doing it properly is the best way to understand where your company may be vulnerable. It also shows your auditor that you already know what needs to be fixed.
Document and diagram your data flow in your network
One of the biggest problems assessors see after a data breach is that the company did not know where card data entered its network, where it moved internally, and where it left. Card data that nobody has mapped is card data nobody is protecting. How can you protect a process you don’t know exists?
When it comes to your network, some questions to ask yourself are:
- What is my scope?
- How is my network constructed?
- Is my network segmented internally?
- Does my environment have a multi-interface firewall?
- Do I have multiple firewalls?
- Does card data leave my environment by more than one path?
- Where is my card data stored?
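The last question is the hardest to answer from a diagram alone, because card data tends to turn up where nobody drew it: in application logs, exports, and support tickets. The script below is an added example, not part of the original article, showing the core of a cardholder-data discovery check: scan text records for digit runs that look like a PAN, confirm them with the Luhn check, filter by issuer prefix and length so Luhn-valid order or tracking numbers do not create noise, and report only a masked form so the report itself does not become another place card data is stored. The sample records and the brand prefix rules are constructed and simplified for illustration; the card numbers are published industry test numbers, not real accounts.

```python
"""Cardholder-data discovery over text records (added example).

Finds unmasked PANs in log-like lines, validates them with the Luhn check,
classifies them by issuer prefix, and reports them masked (first 6, last 4).
Sample records are constructed; card numbers are published test numbers.
"""
import re
from typing import Dict, Iterable, List, Optional

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified issuer prefix / length rules for the major brands (assumption:
# a real discovery tool would use a maintained BIN table).
BRAND_RULES = [
    ("visa", re.compile(r"^4\d{12}(?:\d{3}){0,2}$")),                 # 13, 16 or 19 digits
    ("mastercard", re.compile(
        r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("amex", re.compile(r"^3[47]\d{13}$")),                           # 15 digits
    ("discover", re.compile(r"^(?:6011\d{12}|65\d{14})$")),
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_brand(digits: str) -> Optional[str]:
    """Return the brand name whose prefix/length rule matches, else None."""
    for name, rule in BRAND_RULES:
        if rule.match(digits):
            return name
    return None


def mask_pan(digits: str) -> str:
    """First six and last four digits, the most PCI DSS 3.2.1 allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(records: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per unmasked, Luhn-valid, brand-matching PAN."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(records, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue                      # random digit runs fail ~90% of the time
            brand = classify_brand(digits)
            if brand is None:
                continue                      # Luhn-valid but not a card brand
            hits.append({"line": line_no, "brand": brand, "pan_masked": mask_pan(digits)})
    return hits


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "2024-01-15 order=1001 pan=4111111111111111 status=ok",        # unmasked Visa
    "2024-01-15 order=1002 pan=5555 5555 5555 4444 status=ok",     # spaced Mastercard
    "2024-01-15 order=1003 ref=1234567890123456 status=ok",        # fails Luhn
    "2024-01-15 order=1004 tracking=1234567812345670 status=ok",   # Luhn-valid, no brand
    "2024-01-15 order=1005 pan=411111******1111 status=ok",        # already masked
    "2024-01-15 order=1006 pan=3782 822463 10005 status=ok",       # spaced Amex
]

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_RECORDS):
        print(hit)
```

Run over the constructed records it reports lines 1, 2 and 6 only: the Luhn-invalid reference number, the Luhn-valid tracking number with no issuer prefix, and the already-masked PAN are all skipped. Pointed at real log directories and database exports, the same logic is how you find out whether "where is my card data stored?" has an answer you did not expect.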
SEE ALSO: 7 Hearty Tips to Avoid Costly Data Breaches
Have correct and current documentation
For PCI compliance, complete and up-to-date documentation is the key to a smooth audit. Documenting your security controls, policies, and the actions you take helps your auditor assess your environment quickly and point out potential security issues. It also helps you demonstrate due diligence if you are breached.
Work with your Assessor often
QSAs have seen it all when it comes to security issues, so working with them often will help you fix a lot of potential problems in your security. They’re a great resource many companies don’t take advantage of.
Working with the assessors outside the audit shows them you are serious about addressing security. This will make your audits go much more smoothly.
Work with one of our QSAs!
Get a Compliance leader
Don’t expect the IT department alone to take care of compliance. It involves much more than technical security controls. To properly implement new policies throughout your company, you need someone in a full-time position dedicated to PCI compliance.
Whether you’ve done many audits or this is your first one, it's smart to be prepared.
SEE ALSO: 5 Simple Ways to Get PCI Compliant
Want to know more on how to prepare for your auditor? Check out our ebook, How To Prepare For A PCI DSS Audit.