Questions about your PCI DSS Audit
After nearly two decades in the data security industry, we’ve gained some valuable insights—particularly when it comes to complying with the Payment Card Industry Data Security Standard (PCI DSS). To address some of the most common questions we receive about PCI assessments, we sat down with Lee Pierce, a PCI assessment expert with over 15 years in the industry.
How Can I Get Ready for a PCI Assessment?
Preparing for a PCI Assessment is no small task. The biggest challenge is that most businesses don’t have the staff available to focus their efforts on a PCI assessment. You may need to hire new staff or outsource some additional help.
Watch this video for more tips on how to prepare for your PCI assessment.
How Much Does a PCI Assessment Cost?
The cost of a PCI assessment can vary greatly. In the very low range, for a customer that outsources nearly everything that they do, the cost could be as low as 16 to 18 thousand dollars. Complex audits can cost tens of thousands of dollars, if not hundreds of thousands of dollars, depending on the locations, the processes and how many different parties need to be interviewed.
Watch this video to learn more about the factors that go into the cost of a PCI assessment.
Can I Self-Assess for PCI Compliance?
When it comes to determining whether or not you can self-assess, there are primarily two types of entities: merchants and service providers. As a service provider, you can choose to self-assess as long as you’re not a level 1 service provider. As a merchant, you can self-assess if you’re doing fewer than 1 million transactions per year.
Watch this video to learn more about who can self-assess for PCI compliance.
How Does P2PE Affect What I Need to Do for PCI Compliance?
Point-to-point encryption (P2PE) is where it's at these days. It reduces scope, reduces complexity, reduces risk, and reduces cost. When implementing P2PE at your business, you need to make sure you have a validated solution.
Watch this video to learn more about P2PE.
What Happens if I’m PCI Compliant and a New Standard is Released?
What do you do if the PCI DSS changes after you’ve already proven your compliance? The standard is often updated because data security is constantly evolving.
Watch this video to learn how to handle this type of situation.
Is Storing Tokens the Same as Storing Credit Card Data?
What is the difference between storing tokens and storing credit card data? A lot. You have effectively removed the need for protecting stored cardholder data if you properly implement tokenization.
Watch this video to learn more.
Why Should I Reduce My PCI Scope?
Should you reduce your PCI Scope? The answer is definitely yes. If you don’t reduce your scope, you’re looking at a nearly impossible success rate if you have any level of complexity in your environment.
Watch this video to learn more about how and why you should reduce your scope.
What is In Scope for PCI Compliance?
It takes time and a little research to determine exactly what falls within your PCI scope. You have to look at every single process that’s going on, and sometimes it’s easy to overlook things.
Watch this video to learn how you can determine what’s in your scope.
What Happens if I Don’t Pass My Audit?
A PCI Audit is kind of like a final exam, so what should you be focusing on to increase your chances of passing your assessment the first time?
Watch this video to hear tips on how to maximize your readiness, and also what to do if you receive a failing report on compliance.
If I Have the Right Payment Processing Solution, Does That Make Me PCI Compliant?
Sometimes people think their payment processing solution alone determines whether or not they are PCI compliant. This is not the case. There are still a few PCI requirements in play even if you’re using P2PE.
Watch this video to learn about some of the additional requirements that pertain to the “human element” of PCI.