PCI Data Security Standard: How to survive an audit
By Amy Rogers Nazarov
While neither attaining nor assessing PCI compliance is any small feat, IT security professionals say there are steps you can take to make the audit process less burdensome.
PCI stipulates that all Level 1 merchants -- those who process more than six million credit card transactions per year -- must do a yearly on-site audit of their security systems and procedures. The assessment may be conducted by internal staff (and must include a signoff from a C-level officer) or by a third party.
Some steps are a matter of common sense. Organize your documentation, advises Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group. "Identify in advance the key contacts internally who will need to meet with the auditors."
Some mandate a proactive stance. "My number-one recommendation is to evaluate and assess your adherence to PCI," says Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based consulting firm authorized by Visa to assess companies' PCI compliance. "Remediation activities should be initiated to cure any deficiencies before the auditors arrive on-site."
It also helps to approach audits -- and compliance in general -- "with a risk-analysis mind-set," notes Barak Engel, CSO of LoyaltyLab, a PCI-compliant provider of outsourced CRM applications.
Think like an auditor, Engel says: "Figure out where the risk is." He cites a company that began a lengthy credit card encryption process as part of its PCI compliance, only to stop to consider whether it actually needed to store the numbers in as many places around the network as it had. Unable to justify storing the data on multiple servers, IT consolidated the information, shrinking the encryption project drastically and making it easier for auditors to verify the information was secure.
Another critical point underscored by Rowe: Ensure that under no circumstances do you store cards' security codes -- the last three digits on credit cards' signature panel.
Organizations categorized below level 1 aren't required to do an audit, but some nevertheless hire an outside auditor to verify PCI compliance, Rowe says. "Insiders can be under pressure not to report bad news."
His company works with clients on setting the scope of the PCI audit, which Rowe says is often the trickiest part. For example, a sampling of credit card security procedures may be sufficient to verify compliance for a merchant with a couple thousand stores, each storing card data but on a common point-of-sale system. Yet, if each store has a different POS system, an audit will take much longer -- each store's security procedures have to be checked and validated, he says.
CSO has made its share of tough recommendations to clients. "The most unpopular is [advising a company] to segregate POS networks from other corporate networks," Rowe says. "This can significantly reduce the scope of a PCI audit, but typically involves significant work on the IT side to implement."
08 Jun 2006