I participated in your session on PCI DSS during the Compliance and Security Virtual Seminar on March 7th and have a follow-up question for you. I am the IT audit manager at a bank that is classified as a Level
2 merchant and was wondering if internal audit is able to perform the periodic self-assessments required by PCI, since we don’t have an ISA on staff.
Yes, absolutely. In fact, there are no requirements about who in an organization can complete the PCI self-assessment questionnaire (SAQ). This annual assessment -- mandated of all Level 2, 3 and 4 PCI DSS merchants -- requires only that the organization evaluate the effectiveness of its security controls and certify to its merchant bank that its operations fall within PCI DSS requirements.
Ask the Expert!
Got a vexing compliance problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
As you may know, the PCI self-assessment program does not apply to Level 1 merchants, who must have a qualified security assessor (QSA) conduct an annual independent assessment of their security controls and provide that assessment to the merchant bank.
In addition to completing the annual assessment, PCI DSS also requires a few other assessments that can be performed by different groups:
- Quarterly external vulnerability scans must be performed by an approved scanning vendor (ASV) and may not be conducted by internal resources.
- Quarterly internal vulnerability scans may be performed by any qualified party (internal or external), provided that there is organizational independence between the tester and those responsible for the controls. Internal audit would be an excellent candidate for this role. These scans must also take place after any significant change to the payment environment.
- Annual internal and external penetration tests may be performed by any qualified party passing the same independence test.
So, the bottom line is your internal audit group may indeed play a significant role in your PCI DSS compliance program.
This was first published in April 2012