Learning Center Home > PCI > PCI Audit Basics: What to Expect in a SecurityMetrics PCI Audit

PCI Audit Basics: What to Expect in a SecurityMetrics PCI Audit


A PCI DSS Assessment, commonly referred to as a PCI Audit, can seem like an overwhelmingly complicated process. We've broken our process down into 5 main steps and work with you every step of the way.

Watch this webinar as George Mateaki (QSA, PA-QSA, CISSP, CISA, CISM) discusses:

  • SecurityMetrics' PCI audit background
  • The 5 steps of the audit process
  • How to get the most out of our QSA experience with SecurityMetrics

This webinar was hosted on September 11th, 2019.

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

Webinar Transcript

0:00 Welcome everyone to our webinar this morning. This is “PCI Audit Basics: What to Expect During Your SecurityMetrics PCI Audit.” My name is Andrew, I am in Marketing here at SecurityMetrics, and I'm happy to introduce today George Mateaki, who is our presenter today. And as you can see on your screen, he holds the credentials of QSA, PA-QSA, CISSP, CISA, and CISM. George has been with us for many years now at SecurityMetrics and he has a lot of experience with PCI Audits and we're really looking forward to hearing from him today. 

0:41 Just a couple of housekeeping items before we get started: A question that we get quite often, is this webinar being recorded so that I can review it later? And the answer is yes, we are recording this session and we will be sending out a slide deck as well for your review. 

1:05 So just a little bit more about George. You can see his picture on your screen here, he is a Security Analyst here at SecurityMetrics. And I mentioned that he has many years of experience doing PCI on-site audits. Our customers have always spoken very highly of him and and enjoy working with him. He mentioned to me before we hopped on here that he has a couple of good stories that he's going to share with us today about some experiences, so we’re excited for those. 

A couple other items here and one quick disclaimer. The title of the webinar is PCI Audit Basics and just to be clear, PCI Audit is the term that we will use throughout the webinar. That is the colloquial term. That's what people are searching online. The PCI Council officially refers to it as a PCI Assessment, that is the technical term. But for our purposes here today, we will be using the term PCI Audit just because that is the term we use when talking with our customers and that's a term that is most understood. But just to be clear that the official term is PCI Assessment. They're basically interchangeable for our purposes. And then one last item, at the conclusion of our webinar today, we will have a Q&A session. So we invite you to chat your questions in using your GoToWebinar control panel. You can chat those in and at the end of the webinar we’ll leave about 10 or 15 minutes to answer as many questions as possible. 

2:50 At this time we're going to pass the mic over to George and we'll get started. Thanks everyone for joining us. Thank you Andrew and welcome everyone. I am very passionate about PCI. I've been working with it for a little while now and you may say, “How can anybody be passionate about PCI,” something so burdensome? But I have a long background with it and I love working with business people and helping them understand how they can implement the PCI controls. Once they have things working, they find out it's not as bad as it might seem. It doesn't take much to to prevent some of the things that breach systems the most. 

3:47 If you've heard webinars in the past from me, I repeat that PCI should represent where you start. It should not be your end goal. It should be your bare minimum of what people need to do to avoid getting breached. That's where you start. Okay, so just to go over the agenda. The first thing we're going to cover in this presentation is a little bit about SecurityMetrics, some of the history and then we'll get into the five steps that we use to get people through the audit process. And finally, how you can maximize your time with your QSA. SecurityMetrics goes beyond just doing the audit. They look at the whole process. What is it going to take to get you to compliance and how do we support you in that effort? It is in our interest as well to help you continue within compliance. Think of whose name is on your report. It’s going to be one of our QSAs and SecurityMetrics. We take that seriously and our customers are greatly valued and so that's important to us. All right, so that's our agenda. I'm going to move on to the next slide here. SecurityMetrics PCI Audit background experience. We've been doing audits for PCI or been a QSA company since 2006. So we've been at this for a little while and we've completed over 2,100 audits as of the middle of this year. We also do a P2PE Audit. It has a pretty robust standard and we were able to validate our first P2PE solution back in 2013. 

6:02 We try to have our QSAs do 18 audits per year. If you compare that to some other companies you'll notice that it's a little different. Our focus is on quality over quantity. And that helps our QSAs to have some life balance and reduces turnover. That is the sweet spot for us where we're doing good quality audits for our customers, we get repeat business and people are happy with the product that we provide. You’ll notice we have over twenty five awards for our products and services and we do more than just just PCI assessments. One of the awards came from Fortress. They gave us the Cybersecurity Award for 2019 for PCI Assessments

And so our company has made a name for itself in the industry and we pride ourselves in doing a good job. We are an approved QSA company and we're listed on the PCI website. Many of our QSA's hold certifications beyond PCI and that speaks to the breadth of experience we have in our department. Many of the people here have run data centers, information security department's or have managed IT departments. They have decades-long experience in all facets of IT and information security. 

7:58 We bring to the table quite a lot in terms of experience. We have the knowledge necessary to audit systems with an emphasis on providing a quality product to our customers. Some of the certifications that our people have are beyond PCI. Some have certifications in HIPAA including the HCISPP. We do HIPAA assessment as well. We have the HITRUST certifications and a lot of us have the CISSP as well as the CISA and CISM, they have to do with audit and information security. We definitely bring a breadth of experience to our PCI Audits

You'll notice in the picture these are our well-seasoned folks. I'm pretty seasoned myself. You'll notice they have decades of experience in the field. Gary has 28 years of IT experience, 12 years of  QSA experience and a hundred plus Audits. Jen and Matt also have a very large number of audits. And so with this wealth of knowledge we help each other as we come across things that need to be figured out. 

9:52 For example, let's say there's a requirement that that's not quite well defined and we need to figure something out. We can draw on each other and pool our knowledge and figure out the best path forward. A lot of times in our audits we will provide guidance to each other. In an audit we're not allowed to actually create any document or create anything but we do provide guidance. Our goal is to help our customers become compliant. So many times they're faced with difficult challenges with compliance. This is where we show our strength. We’re able to leverage each other's experiences. 

Download the latest guide to PCI compliance

Download Now

10:44 Also, the P2PE certification that Matt has takes a lot of knowledge and expertise to even be able to understand what you're trying to look at. So again, the experience is very wide within our department. We just had a question come in asking, “What is P2PE?” P2PE is point to point encryption. They say that P2PE will reduce scope. Typically when someone swipes their card the path that data takes is all in scope. So wherever that data resides, let's say it gets into a database, all of that gets audited. With the point-to-point encryption, it encrypts right at the point of swipe or when they take the card data in. So once that card data comes in it gets encrypted and then it's no longer considered card data in the sense that people can't touch it. They can't look at it. 

11:56 And so it takes all of that infrastructure out of scope until it's decrypted again. And so a point to point encryption solution will allow you to become PCI Compliant in a much easier way. There's a lot less for you to validate. You still require policies, you still require correct implementation but point to point encryption, P2PE, is a great solution to help reduce scope. It does come at a price though. We have a lot of customers that do Implement a P2PE solution. 

Our audit methodology. Now just to make sure we don't confuse, in our audit methodology we mention a vulnerability analysis that is looking at where you might have some problems. In PCI they require that you do a vulnerability scan both internal and external. That's a little different, that's looking at your specific systems. When we're doing a vulnerability analysis we look at the areas that you may need help in. What are the things that make you vulnerable to some sort of attack or a security breach? So in our methodology the first thing we do is define your scope. What is it that you're trying to secure and apply the PCI standard to? 

From a general perspective you always want to reduce your scope as much as possible. Reducing your scope in itself is a security control. You're limiting what can be attacked. That is the idea, right? And you want to be able to simplify what needs to be protected and that way you can bring to bear the full resources needed to make sure it stays as secure as you can make it. 

Okay so number one, we're going to figure out what the scope is. We're going to identify vulnerabilities, figure out the areas that you may need help in protecting and then we'll analyze your risk level. One important part here is that we try to be with you every step of the way. I’m deeply involved in the second step of the process that we're going to talk about. I want to clarify something. As we go through this process, we're not allowed to do anything for you. We can't write your policies for you. We can't perform any sort of sysadmin stuff for you, but we can provide guidance. 

14:59 And so we're with you every step of the way and if we have something that can help you, we will make you aware of it. From an audit perspective we make sure that we remain neutral, let's say unbiased and in order to do that we can't perform any of those functions, but we can provide guidance. 

So let’s define the five steps of the process. We start with the pre-engagement. Before any QSA is working with you and drilling into your environment our sales folks will be engaged to figure out what it is that you need and make sure that things get quoted appropriately. So you're going to get the pre-engagement. Next, you're going to get an initial gap assessment. That's where we make sure that you're ready for an assessment and that's a piece that I do personally. I serve as a gatekeeper to make sure that you are ready. People sometimes think they're ready and then we go out there and it's a different story. Especially if they've been checking off the self-assessment questionnaire they may not fully understand what's required and so in this initial gap piece we help customers understand what's required. 

Next is the on-site. The first two steps are in preparation for the on-site. We state a few times in our presentation that we are not a point-in-time auditor but this is a point-in-time audit. When the on-site happens that is the point where we're going to look at the data and everything's going to be based on that. But we're going to continue with you every step of the way to make sure you understand what's required to become compliant. 

So, the first two steps are pre-engagement, that's more of what the sales folks figure out what you need. Then we're going to move to the initial gap assessment, making sure you're really ready for an assessment. And then we schedule a resource for the on-site and that's when the rubber meets the road, that’s where stuff happens. So the auditor in the initial gap assessment will gather evidence and there should be some indication that you're ready. On the on-site we actually validate and document what we see and that you're truly doing what you need to do to be compliant. And if there are things that need to be addressed then we write what needs to be done to remediate so that you can get your report on compliance. Then we're going to move to the post on-site, that's that process of working with you to figure out what remediation has to be done, if any, and getting the report ready to be signed. 

18:17 And then the final step of the process is continued support. I've had a number of customers that are multi-year customers and as the years go by they develop trust. They're able to reach out to me and find answers when they have concerns about their environment or if things change. We help them figure out what they need to do to maintain compliance or not get into something that could cause them a much higher compliance burden. Sometimes we refer to it as burden meaning the additional work you need to do to be compliant. 

18:58 In my opinion a big part of what sets us apart from other folks is our concern for the customer and an ongoing relationship. When customers have questions they're able to reach out and get answers and be able to figure out a good path forward to remain compliant. Okay, so in summary form that's the five steps of the process and we're going to go into detail in each one of them. All right, so five steps of the process: pre-engagement, pre on-site, on-site, post on-site, and ongoing support. In ongoing support you have the submission of The ROC. The ROC is the report on compliance. We will be putting our signature on there and adding that SecurityMetrics performed the audit.

Pre-engagement. The goal is that before you sign a contract we determine what your path is to compliance. We have an initial call and then there's a scoping document that we share with you to help define what's going on. And again, this is with our sales team. You haven't engaged the QSA yet, this is pre-engagement. And then you get introduced to a tool that we use called SuraLink. SuraLink is a great tool. It provides a secure way for us to review evidence and to communicate with the customer so that we can actually look at things like your data flow diagrams, network diagrams, evidence of your change control and those sorts of things. Then we can provide feedback and say, “Hey you need to do this or that,” so that we can meet a specific requirement. Again, the goal of this pre-engagement is so that sales can figure out the right thing to quote for you and that you get the right product that you need. 

Next on the pre on-site phase is the initial gap analysis. You will have somebody like myself, someone that is experienced in getting people ready for an assessment and and making sure that they are ready. We serve as gatekeepers so that we avoid a QSA going out to do an assessment and someone thinking that they're ready and not actually being ready. Then they have to pay to have someone come out again so we try to avoid that. We want to help the process go as smoothly as possible and avoid any issues that could cause problems. This is an important step to prepare you to pass the on-site. Many times while I'm doing the gap analysis, even with people that have been self reporting for years, they are shocked and surprised at the things I tell them because it's really easy to just mark a checkbox but when you get down to it you realize maybe you weren't doing it. Things like a formal annual risk assessment. Do you actually do that? 

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

23:16 I find out if a pen test is required and things like that and just hammer it out. What is a pen test? So for PCI, there are specific requirements. It's not just a vulnerability scan, that will not qualify as a pen test and sometimes people get confused and it's okay. So we work those things out in the initial gap. The first thing you do with with our gap analysis process is a little kickoff call and we find out if there are some timelines we need to be aware of. Are we trying to meet a certain deadline? I'll go over the scope in detail and find out all payment flows. How do payments come into the system? This is typically between 12 to 20 hours and and the QSA that does this specializes in this specific step. And I'm one of those guys. 

So our approach or philosophy is that we work with you before anybody comes on-site to make sure that that you're going to be successful in your efforts. And again our goal is to guide you before, during and after the on-site so that you can make good decisions. And this is something that makes us different from some of our competitors. They may not spend as much time preparing folks for their audit. They just perform the audit and if they pass, they pass and if they don't, they don't that that is definitely not our approach. 

So let's go over just a few more items on the Pre on-site, the initial gap analysis. We have 40 items that we look at and we don’t go in-depth. It's just basically things like, do you have policies in place? That's a big one. If somebody doesn't have policies in place I'm pretty sure they're not doing PCI the way it needs to be done. So usually that's where I start. Do you have policies in place? Do you have diagrams that that document your data flows? Like how how credit cards are being used in your environment? How does the data get into your systems? If it's there, do you store it? And if you store it, is it encrypted? 

So all those questions come into play but the 40 questions that we look at are the big ones. Do you have a standard? Do you have policies? Are you doing your regular vulnerability assessments? Are you doing your annual pen test and annual risk assessment? So these are the higher level items that we do a quick check on and we get a good feeling about whether or not the customer is actually ready to go ahead and do their audit. Once I gain confidence that the customer is truly ready for an audit then I make a case for them to get into the queue and what that means is we're going to allocate a QSA resource, I’m a QSA, but I'm not the one assigned to go and do the on site audit. 

26:48 I'm more of a checker to make sure they're actually ready for their audit and once we deem that they're at the point where they need to be, we allocate a resource and the customer will commit to a certain time and date for the onsite. The ultimate goal is to make sure the customer is ready and that they commit to an on-site date. At that point, the QSA that's going to be assigned to them comes into the picture. We do a handoff call and that new QSA is going to work with with the customer and continue to make sure that everything is as it needs to be for them to be audited and nothing's changed or any problems have come up. And so they continue to work with the customer until they actually come on-site. They coordinate their schedule and ensure that the people are going to be available that need to be available like programmers and system administrators for data center visits and those types of things. So that pretty much covers our initial gap or the pre on-site.

Now on to the on-site audit. This is the exciting and fun part. So we go on-site and we work with our customers to understand their environment and validate, actually observe and see that everything is as they have attested to and we collect evidence that supports it and we are required to keep that for three years. So not only does the customer get audits but we get audited as well. The council will audit us to make sure we're doing what we need to in order to have good quality audits. The QSA goes there, validates everything and we continue to use our little tool mentioned, SuraLink, to review the data and evidence that we collect. So a big part of that on-site is interviewing people. 

28:59 We talk with a lot of the people involved in the process and in addition to talking we want to see everything. You've defined this card flow, now we want to see it. If that card flow involves a person at some point we need to physically see what that person does, if they file a document away in a file we want to be aware of what's going on. And if by chance any card data gets stuck anywhere it needs to be appropriately protected. And so that's all part of the on-site. The other thing that we do when we're on-site is we confirm that your policies are real. We talk to your employees that should have read the policy and we ask them questions and try to understand if the training is sticking. Sometimes it doesn't always stick but we'll choose a sample and try to get a feeling for how that part of the process is going. We'll make recommendations if people don't seem to remember what they need to do, but that is all part of the on-site process. 

There are some other things that occur and one is the review of the configuration standards. That's a big deal for us. If you have systems, you define a standard and once that standard is defined you apply it to whatever that system is. As a QSA we're going to check, we're going to take a sample of systems, look at your configuration standard and make sure it matches. This is where we feel we excel, in the continued support for our customers. 

Post on-site. So in the post on-site phase we're looking at remediating items and helping to support the customer in getting compliant. Typically the the report is going to be 45 to 60 days to complete. Right after the on-site audit the QSA is going to give you a list. He’ll say, for example, “It seems like your change management process didn't have sufficient evidence. Meaning, it doesn't look like the controls are effective. So you need to remediate that problem. I need to see some change control documentation.” 

And so typically after the assessment we try to get things remediated within a certain amount of time and during that time we're writing the report as well. We're typically looking for that window of 30 or so days with the report being 45 to 60 days. Once we get the draft done of the report and once you've remediated your items, it still goes through our QA process which can take up to 10 days. And so we try to put enough cushion in there especially when people are trying to meet a certain date so that we have enough time to complete the report on target.

32:38 So for example, we sometimes work with service providers who have a customer that they're working with that has requested that they get an assessment. And so they're working towards a specific date and often this becomes critical when we're trying to plan things out with the on-site. So post on-site we're focusing on ensuring that the remediating of any items called out during the audit get done. And there you have your post on-site goal. We're going to document the results of what we what we observed. And we're going to try to complete your ROC and your AOC. 

33:23 So that's the goal. And of course, you have to remediate anything that was observed that was not compliant. Post on-site, continuing with that phase, we're going to work through the completion of your remediation items. We are gathering evidence. A lot of times this will take the form of comments on the report saying you have a remediation item. These go away off the report when they’re completed. The SuraLink tool will have items in there like a dashboard where you can see what's outstanding and you can watch the items turn green as they get approved and as you submit evidence for your remediation. Once everything is green you should be good and we’ll be able to push your report through. Once you take a look at the draft and things look correct and our QA has gone through it we will do the signatures. Once all things are taken care of on the sales side the customer will sign it and then it'll come to us to countersign and that will be the end of that phase. The post on-site, our goal is to do the rock and the AOC. Once you have those documents that's step number four. 

We do the QA portion of the process and send a draft to the customer for review. For service providers we can submit it to some of the card brands. I believe American Express does require the customer to submit it on their own but all the other ones we can submit for the service provider. 

So that's the end of that phase and now for the final step 5. The final phase in our process of your audit is the ongoing support. And this is hopefully where we make a difference. We're providing consultation that helps you make good decisions throughout the year. 

Interactive PCI Compliance IT Checklists

Download PDF Here

36:15 Once you're required to validate PCI this becomes an annual event so we're helping you prepare for the next assessment when we're providing guidance. We like our customers to remain compliant and to avoid things that could cause them problems. And so this step is important to us. It is a PCI partnership. This is what we look for, that we’re an asset to help you maintain your compliance. 

36:52 We provide consulting throughout this continued support and this is where you can make the most of your QSA experience. As you work with your QSA and you get a feel for where their expertise lies you can reach out to them. They have a full grasp of your compliance requirements. Sometimes there are technical issues that come into play where your QSA can leverage all the experience that we have within our department and in other places. Sometimes there's a technical challenge that prevent you from becoming compliant and that's where we can look at other people's experiences and figure out what different ways we can approach a compliance problem. Once you engage a QSA and you're doing this annually. If you are planning on making any significant changes definitely drop a line to your QSA, email or whatever and say, “Hey, we're thinking of making this change. How will that cause any issues for compliance? Will that increase what we need to do?” 

So the moment you store card data, that's a big deal. And so with those types of things you need to be aware of what the additional requirements will come into play. If you want to make the most out of working with your QSA reach out to them throughout the year before your next audit and get their feedback just to be sure that that you're making good decisions. Why choose SecurityMetrics? Number one is our thorough scoping. I'm going to share with you some of my experiences. 

39:03 Sometimes when working with customers, for whatever reason, they'll forget a card flow. It's not until you start walking through step-by-step that they're like, “Oh, yeah. Well actually sometimes we do this”. And you have to document all your card flows. Well with SecurityMetrics QSA's, they have all this experience working with customers and they understand that people don't always know or are not always able to articulate all the card flows all at once. And so what you do is step through the process and you document what you know and then you refine that over time so that you have a good definition of your scope. And again as I mentioned earlier you want to reduce your scope to reduce what could be attacked. So scoping, industry knowledge and experience, we've got tons of that. We have collaboration and consistency with the different areas. We have expertise with pen testing, forensics, and number of different areas and we want to be a year-round partner, not just the one time auditor that comes on site. We also offer policies, we have a group of templates that people can use to help facilitate getting those done. That can be a bit of a burden and we can help.

Let's move to the testimonials. You'll notice that these two testimonials are people that work very intimately with SecurityMetrics. We're an integral part of their compliance program, they rely on us. You'll notice the person from the University of Missouri Bank, that when they have changes they rely on us, they reach out to us.

41:41 I've worked with both of these customers. Robyn is saying how we're a big part of their compliance program. So this is the way that we like to work with our customers. We want to be a partner and be with them every step of the way, that is our preferred approach to working PCI compliance. 

I believe we have a video to showcase our SuraLink tool that helps facilitate the collection, review and communication of evidence. So I'll turn the time back to Andrew. All right. Thank you George. We're going to pause for just a minute here for our SuraLink demo. 

Suralink Demo

(Video) Today we're going to be taking a look at SuraLink which is the tool that we use for creating and tracking tasks, exchanging files and overall just to help the audit process move along more smoothly. So upon logging in, you'll see under active engagements is a list of projects that are currently in progress. 

42:46 This is nice because If you're a larger company such as a university or a restaurant chain, you can have anywhere from five to fifty engagements going at a time. But it also works great If you're just a single company. You can take a quick high-level glance at the progress of each project. From here and on the bottom left, you'll see a list of what's called ‘My team’. This is the personnel from your company that we've added to help work on these projects. One nice feature of SuraLink is that if you have over 20 or 30 people involved and they don't all need to have access to all the engagements at once, you can restrict who has access to which engagements. You just have to request that through us. 

43:36 So that's the company team. Over in the bottom right is the SecurityMetrics team. This is the personnel from SecurityMetrics that have been assigned to the project. You’ll have their email addresses so you can contact them if you have any problems or questions. Now, we'll go ahead and take a look at one of the engagements. 

43:55 Once you click on it, you'll see a list of all of the requests. Clicking on any of those will give you a more detailed description of what we're looking for to close the request. And you'll notice on some of these is a link with files. These are documents or files that we provided to you to help you with completing the request. Each request has three statuses. There is outstanding, which is this blank status, this is how they all start. Once you attach a file, which we're going to do now, you'll get a little yellow exclamation point which means it's fulfilled. This will flag it for the QSAs review. If any of them are returned, you'll get this red “X” here and in that case you'll want to scroll down and check the comments. So I left one for myself here. It says please revise and update your network diagrams. This is just a description of what needs to be done in order to fulfill that requirement. 

Now if you ever have a request that is outstanding but you don't have a file to attach, you can change the request manually to fulfilled. Or if a file attached to another request will fulfill this one you can change it to fulfilled and leave a comment explaining that. Once the requirement is fulfilled it'll turn green. One other thing I want to note here is that we break up all of the requirements into different sections for each of the requirements in the PCI DSS. So it's easy to navigate between each section and when it's fulfilled you'll get this little green check mark and it will be closed. 

45:44 That was just a high-level. Look at SuraLink. If you'd like a more in-depth look or have any questions, please feel free to reach out to your account manager. 

Download the latest guide to PCI compliance

Download Now

Question and Answer

George and I are going to hop off for just a minute here and we'll review some of your questions and then we'll be right back. Thanks. Alright, so we are ready to go with some of these questions. There are a lot of good questions coming in. The first question that we would like to address is regarding P2PE. We touched on that a little bit earlier, it’s point-to-point encryption. So the question here is, “How much of this process goes away or is simplified with P2PE devices and the greatly limited scope?”

46:40 So that's a great question. The council actually has an SAQ P2PE that you can pull up and that will give you an idea of what areas are still in scope. But pretty much you still have to do inventory. You still have to make sure people aren't substituting devices. You still have to have policies in place. People could try to work around the device and the way that you're collecting data so you have to have policies in place that address all the PCI requirements. 

47:19 Section 12 is all the policy stuff. Section 9 is your physical requirements. You'll find section 9 and section 12 and there may be a few other sections but for the most part that's where a lot of the work will be for P2PE solution. If you pull up the P2PE SAQ from the PCI council's website, you'll be able to see what a limited scope would look like. So typically PCI is 12 sections and you'll see that there's only three or four that are that are validated for P2PE SAQ. 

Next question, “For ongoing support, does SecurityMetrics reach out if there are changes to the PCI DSS that can impact a client?” 

48:20 The answer is yes. Often times this is done by the individual QSA assigned to the customer. As things change that could affect their customer, they reach out to them and let them know. When there's a large change sometimes we'll send out an email to all customers letting them know. For example going from PCI DSS version 2 to 3 or some other major change. We provide some guidance on what the differences are. But the answer to that question is yes, when there are changes we do notify our customers. 

Hopefully we're to the point where we remember the technologies that our customers use and on occasion will reach out and say “Hey, did you notice that Cisco had a breach on a particular iOS version?” Or something where they need to go and update their systems or , “Hey, I know you guys use some technology and you may need to go and update it depending on what version of Linux you're using there could be a new breach.” So the other thing that the QSAs try to keep aware of are the current breaches, the things that hit the news and let the customer know that, “Hey you if you're using this technology, you may want to make sure you're patched and you're doing what you need to do to address this issue that has just come up.” So in addition to changes to the standard, we also try to keep you up to date with breaches that are occurring. 

Next question, we've had a couple people ask about tokenization. “What if our vendor is using tokenization? Are they still storing credit card data?” So the answer to that is no. If they're storing a token, they're not storing card data. Be careful though because for different customers that token’s going to be at different places along the the payment process. But in general, no, if you're tokenizing basically what's occurring is the card is data sent to the person that's going to approve the transaction. Once that approval is received, the payment data is no longer used to refer to the transaction, a token is created and at that point that token is no longer considered card data. So that would not be considered storage of card data. 

A follow-up question, “We don’t store credit card data, we only store tokens. Does that mean we are PCI Compliant?” So the question of whether you’re PCI Compliant requires a validation. You can't say “I'm PCI Compliant,” if you don't have an AOC. You may be doing things that are compliant with the standard but that doesn't mean…  The reason I laugh at that question is that time and time again, people say they're PCI Compliant but they don't have any sort of AOC meaning somebody actually went and checked. And when people actually check they may be partially compliant but not fully compliant. So, you know when people say. “I'm PCI Compliant” sometimes it's used a little loosely. 

52:15 When they say, “Hey, how do we know if this guy's PCI Compliant?” Show me the AOC. And that better be an AOC that's recent. Every year they have to do a new AOC. And the question is, is that service they provide on the AOC? Just because you get an AOC and it says, company X is compliant, that doesn't mean the service they're giving you is compliant. So what has to be on that AOC is the service that they're advertising is PCI Compliant. That's the only way something is PCI Compliant. You have to be assessed. Somebody has to actually check and validate whether or not you're complying to the standard.

Great, we’ll do just one more question here and then we'll wrap up. And just a reminder to everyone, if we don't get to your question we will actually reach out to you on an individual basis within the next couple of days. We're trying to ask the most generally applicable questions here that might be of interest to everyone. 

The next question is, “If you do not pass your audit is the failure reported to the PCI Council and the card brands?” The answer is no. We don't report your failure to anybody. So let me just put that into context. So let's say we come out and do the audit and you have some things outstanding. That doesn't mean you failed the audit, that means you need to address some issues. Once you address those issues we consider you compliant unless it's something that we have to come back out and revalidate in person. Then we'll do a revisit, we’ll validate and once that's done then we consider you compliant. 

54:15 We mentioned in the presentation that the audit is a point-in-time audit. So once that goes beyond a certain amount of days, we will issue what's known as an incomplete report of compliance. Meaning you are not compliant, but we don't submit that to anyone. It's not like we go and say, “Hey this company is not compliant.” We don't tattle on you or anything. It's just the validation that you got and we weren't able to validate the controls and so you get an incomplete report of compliance. All the submission to the card brands we can do on behalf of solution providers. The way it works is, if you're a merchant usually it's you're acquiring bank that's requiring you to get this done and so there's usually some pressure coming from somewhere. We don't just report on people and say, “Hey these guys aren't doing what they need to.” We do not do that. 

All right, George we want to thank you for your time today. It's been a great webinar, and hopefully everyone was able to get an overview of the PCI audit process. And if you have any further questions, you can always reach out to us at events@securitymetrics.com. Also, if you'd like more information on a PCI audit for your specific organization, you can visit our website securitymetrics.com. Go to our PCI audit page. You can also request a quote if that's something you're interested in and we will have someone reach out to you with more information. So thanks everyone for joining us here today, and we look forward to seeing you again at another webinar very soon. Thanks. 

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

We are excited to work with you.


Thank you!

Your request has been submitted.