PCI Audit: Requirements and 5 Steps to Prepare for Your Audit

What is a PCI audit?

The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (SSC), a body founded by the major card brands that draws on payment processors, financial institutions, software developers, vendors, and merchants. PCI DSS compliance is aimed at preventing the exposure and illicit use of cardholder data.

To accept card payments today, all service providers and merchants must show a continual commitment to safeguarding cardholder data from unauthorized access and use. A PCI audit checks how effective your organization's security practices are and verifies that cardholder data is handled according to the PCI DSS from the point it is captured through storage, processing, and transmission.

During the audit, an Internal Security Assessor (ISA) or an external Qualified Security Assessor (QSA) evaluates how well your organization's data security controls actually work. To pass, your payment environment must satisfy the 281 criteria specified in the PCI DSS (grouped under 12 core requirements). All service providers and merchants that store, process, or transmit cardholder data, or whose systems can affect the security of that data, have to comply with these criteria.

Related content: This is part of an extensive series of guides about PCI compliance.

The information discussed in this article and on this page is intended for educational discussion only and features purely general information regarding commercial, legal and other issues. It is not legal guidance and must not be regarded as such. The information in this article is given "as is" free from any warranties or representations, implied or express. We make no guarantees or representations with respect to the content in this article, and all liability relating to actions carried out or not carried out in relation to the content of this article is expressly disclaimed.

You should not regard the information in this article as a substitute for legal advice from a legal professional service provider or attorney. If you have a particular question about any legal issue you must contact your attorney or another legal professional service provider.   

This article may include links to various third-party sites. These links are purely for the convenience of the user, browser, or reader; we do not endorse or recommend the information from any third-party websites.


PCI Audit Requirements

If your organization is required to demonstrate PCI DSS compliance, whether by self-assessment or by passing an on-site audit, there are particular rules you have to meet. Depending on the level at which your organization is classified, you may be required to:

  • Engage a QSA certified by the PCI SSC to undertake an on-site audit of your data security policies, controls, and practices with respect to your Cardholder Data Environment (CDE)
  • Have your organization's internal auditor trained and certified by the PCI SSC as an ISA so that they can carry out the PCI DSS assessment every year
  • Meet the requirements of the audit so the ISA or QSA can provide a Report on Compliance (ROC) to the acquiring bank
  • Maintain compliance until your next annual audit, regularly carrying out controls testing, vulnerability scans, and penetration tests to make sure that your networks and systems keep credit and debit cardholder data secure and private

Related content: PCI DSS Requirements


Who Must Perform a PCI DSS Audit?

All service providers and merchants that accept, process, transmit, or store debit card or credit card information must adhere to the PCI DSS. This means implementing an information security program that covers its 281 directives and 12 core requirements.

Only the largest merchants must be audited for PCI DSS compliance: typically those processing more than 6 million Visa or Mastercard transactions a year (the exact thresholds vary by card brand, and some brands set lower limits), along with service providers that store, transmit, or process more than 300,000 card transactions a year.

For merchants that handle a smaller scale of data, filling out a Self Assessment Questionnaire (SAQ) and completing an Attestation of Compliance (AOC) is typically considered enough. 

Regardless of the size and type of organization, service providers and merchants that have suffered a data breach exposing payment card information can also be required by the card brands to pass a yearly on-site audit to demonstrate PCI compliance.

Related content: PCI Compliance Levels


How Does a PCI DSS Audit Work?

The main aim of the audit is to detect non-compliance, offer guidance on how to restore compliance, and demonstrate that you have addressed all problems.

The initial step involves finding an appropriate QSA to carry out the audit. Only QSAs (or, for eligible merchants, a certified ISA) are permitted to produce a ROC; QSAs are certified by the PCI SSC as qualified to assess against the standard.

The easiest way to find a QSA is to select one from the list on the PCI SSC website. It is recommended that you talk to a few, as not all QSAs are equally experienced. Do not hire a company that claims to be a QSA if it does not appear on the PCI SSC list; such companies are either going to sell you different services or will outsource your assessment.

Once the auditor is on-site, they will examine various areas of your organization. This includes your cardholder data environment, which encompasses every component, device, network, or application that stores, processes, or transmits cardholder data, together with the systems connected to them. It also covers the policies and procedures that govern how those systems are used.

The PCI auditor's role is to verify that cardholder data is protected from compromise, not to penalize your organization. Provided that you remain engaged and cooperative, the auditor will tell you where you fall short and help you plan the remediation.

To carry out these changes effectively, nominate a compliance lead from your organization. This person takes responsibility for compliance, but they must also have the authority to drive change across your teams.


5 Steps to Prepare for Your PCI DSS Audit

Before you undergo a PCI audit, make sure you carry out the following practices.

Assess your PCI DSS compliance status with a gap analysis 

You might not be compliant this year, even if you passed the assessment the previous year. Organizations can work with a QSA early on to confirm that they can demonstrate compliance with PCI DSS.

The on-site PCI DSS audit can take a long time if you are not prepared. To begin with, a QSA can pre-assess your organization to discover whether anything you do does not align with the requirements of PCI DSS. The QSA can then carry out a PCI DSS gap analysis.

This helps you develop a more effective (and more cost-effective) compliance strategy. It also identifies any gaps before you are audited, so that you can remediate them prior to the on-site PCI DSS audit.

Collate your records and relevant data

You should document all security controls and the activities that maintain them, so that auditors can easily verify them and find possible issues. The more thorough your records are, the smoother and quicker the audit.

Some organizations view documentation as a tedious and demanding chore. Nevertheless, detailed documentation protects the organization, particularly when it states your security methods explicitly. Verify that all your documents are reviewed and updated regularly.

Your documentation must feature information about your encryption protocols, procedures to secure stored card information, and key management methodologies. Such records demonstrate that the organization meets the compliance requirements and has controlled and organized methods in place to continue meeting the auditing requirements.  

If your organization changes its policies or card data methods, update your documentation accordingly, as such changes may affect your PCI compliance status. 

Assess your risk level

The central aim of PCI compliance is reducing the likelihood of a cardholder data breach. A good first step is to map how cardholder data flows through your payment processing systems and the IT infrastructure connected to them; this defines the scope of your CDE and gives you a clear picture of the potential vulnerabilities that threaten those assets.

A risk analysis includes the risk levels of an organization’s critical hardware and software assets. This will help you create a list of which actions to take and when to take them. You need a benchmark so that you know how to improve your security. 

Regularly test your infrastructure 

Proactively manage your CDE. Information security consultants, cybersecurity auditors, and QSAs can assist you with your PCI DSS compliance and your overall security posture.

You should carry out the tests listed here and act on the results. The requirement numbers below follow PCI DSS v3.2.1; PCI DSS v4.0 renumbered them (web application protection moved to 6.4, vulnerability scanning to 11.3, and penetration testing to 11.4), but the testing cadence is the same:

  • Web application tests – annual web application testing (or a continuously running web application firewall) is required to meet PCI DSS Requirement 6.6 for public-facing web applications.
  • External vulnerability scans – scans of your internet-facing systems by a PCI SSC Approved Scanning Vendor (ASV), required by PCI DSS Requirement 11.2. Plan to carry out a passing ASV scan at least quarterly and after any significant change.
  • Internal vulnerability scans – let you find vulnerabilities inside the CDE. Carry out internal vulnerability scans at least quarterly and rescan until high-risk findings are resolved.
  • Penetration tests – you must carry out a penetration test at least annually and after any significant infrastructure or application change to adhere to PCI DSS Requirement 11.3; this includes testing that network segmentation actually isolates the CDE.

Consult third-party experts  

It often makes sense to work together with a third party. Every organization has its own focus and expertise — by collaborating with a third party, you can gain a new perspective on existing methodologies. External experts are more likely to have the distance needed to form an objective assessment. 

You might choose to outsource the following activities:

  • Analyzing source code
  • Reviewing firewall rules
  • Updating documents
  • Detecting and remediating vulnerabilities

How SIEM Can Help with Your Audit

Here are several ways in which security information and event management (SIEM) technology can help with your PCI audit:

Collecting logs

The PCI DSS requires companies to continuously monitor the security controls built into their CDE. In particular, PCI DSS Requirement 10 covers logging and monitoring of all access to network resources and cardholder data, and Requirement 11.5 covers deploying a change-detection mechanism (such as file integrity monitoring) on critical system, configuration, and content files.

These two aspects are especially important for PCI compliance, because system logs enable investigation and response during security events. SIEM solutions can help achieve these compliance objectives by collecting logs from all security controls within the organization and continuously monitoring these environments. 
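The change-detection mechanism that Requirement 11.5 asks for is, at its core, a baseline of cryptographic hashes of critical files compared against the live system on a schedule. The block below is an added example written for this article, not code from the original page or from any SIEM or FIM product: it builds a SHA-256 baseline of a directory tree, serializes it so it can be stored off-host, and reports added, modified, and removed files. The directory contents are constructed inline purely to demonstrate the three kinds of change.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its
    SHA-256 digest and size. In production, keep the baseline on a separate
    hardened host so an attacker who alters a file cannot also rewrite it."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Re-hash the tree and return {'added', 'modified', 'removed'} lists.
    Each non-empty list is an event the SIEM should raise (Requirement 11.5
    asks for at least weekly comparisons and alerting on unauthorized change)."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        f for f in set(current) & set(baseline)
        if current[f]["sha256"] != baseline[f]["sha256"]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, persist the baseline as
    JSON (as a real deployment would), then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "pci_policy.conf").write_text("log_level=info\n")
        (root / "bin" / "payment_gw").write_bytes(b"\x7fELF-original-binary")

        stored = json.dumps(build_baseline(root))   # what you would ship off-host
        baseline = json.loads(stored)

        # Simulated changes: a weakened config, a deleted policy, a dropped library.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "pci_policy.conf").unlink()
        (root / "bin" / "backdoor.so").write_bytes(b"not-an-approved-binary")

        return compare(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing with SHA-256 rather than relying on modification timestamps matters because timestamps are trivially reset by an attacker; the baseline's own integrity is the remaining weak point, which is why it belongs on a host outside the CDE's administrative reach.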

Generating reports

In addition to collecting logs and monitoring systems and networks, SIEM solutions can supply the periodic reports needed for audits. SIEM tools can also trigger alerts when certain suspicious activities are detected — typically incidents that may put your data at risk.

Monitoring users

PCI DSS Requirement 8 requires organizations to identify and authenticate every user and to manage accounts through their lifecycle. Here is how SIEM can help:

  • Create a correlation rule for any event that adds, modifies, or deletes user accounts, credentials, or other identity objects.
  • Alert on any authentication attempt by a terminated user.
  • Alert on any access activity by an account that has been inactive beyond your dormancy threshold (PCI DSS requires removing or disabling accounts inactive for 90 days).

Collecting antivirus logs

The PCI DSS requires organizations to deploy anti-malware software on commonly affected systems and keep it current. SIEM tools support this by collecting anti-malware logs so that disabled agents, stale signatures, and detections are visible in one place. They can also help build a list of insecure services and ports observed during scans.

Additionally, organizations can integrate third-party feeds, and then let the SIEM tool detect all protocols, services, and ports that are known for security vulnerabilities.

Achieving control requirements

Here are several ways in which SIEM can help satisfy control requirements:

  • Collecting system logs from every in-scope component
  • Restricting viewing of audit trails to users with a job-related need, and alerting on access by anyone else
  • Enabling audit logging and reviewing access-related events
  • Alerting you whenever system-level objects, including databases, stored procedures, or tables, are created or deleted
  • Issuing alerts whenever audit services are stopped or audit logs are cleared on an in-scope host

PCI Compliance with Exabeam Fusion SIEM

Exabeam Fusion SIEM, a cloud-delivered solution, combines conventional SIEM with an effective outcome-based approach to threat detection and incident response (TDIR) requirements, finding threats with behavior analytics, and automating detection, investigation, and response efforts. Fusion SIEM can support your PCI Compliance checklists and governance by helping you:

  • Detect and control all privileged, shared, and executive accounts
  • Ensure that users have access only to appropriate systems, detect any violations 
  • Track and monitor all privileged, administrative, executive accounts, as well as unusual access to sensitive systems 
  • Uniquely identify all users, even if they attempt to obscure their identity by switching devices or accounts
  • Analyze and identify all anomalous behavior, whether by privileged, regular, or machine accounts, and then alert and assist in investigation of this activity
  • Present prebuilt PCI reports to help your audit team meet compliance objectives

See Exabeam in action: Request a demo