To protect the security of cardholder data, the payment card brands require organizations that work with payment cards to comply with the PCI DSS, the standard maintained by the PCI Security Standards Council. If you store, process, or transmit cardholder data, it's imperative to validate that compliance regularly by conducting a PCI audit.

Below, we will define common PCI requirements and discuss the seven steps of conducting a PCI audit.

What Is a PCI Audit?

A PCI audit is a rigorous examination of an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS), which consists of nearly 400 individual controls. Passing it is a critical part of staying in business for any merchant, service provider, or subservice provider involved in handling cardholder data.

At KirkpatrickPrice, our PCI audit program takes a seven-step approach to help your organization gain PCI compliance.


The 7 Steps of a PCI Audit

1. Gap Analysis

How do you start a PCI compliance audit? Before beginning a PCI audit for the first time, we recommend conducting a gap analysis.

A gap analysis identifies the administrative, physical, and technical gaps in your information security program, specifically in how you handle cardholder data. Going through a gap analysis allows our senior-level QSAs to understand your business and your level of readiness for a PCI audit. It is an important step toward PCI compliance because your QSA can create remediation strategies that will guide you through the PCI audit process and toward compliance. Your organization then moves on to remediate the findings from the gap analysis.

Learn more about what to look for in a QSA before beginning any PCI audit.

2. Remediation

At this point, you will likely have identified some areas of non-compliance. Remediation is where your organization closes those gaps, which makes for a smoother path toward PCI compliance.

Now that your organization understands its administrative, physical, and technical gaps, a QSA from KirkpatrickPrice will work to develop a detailed remediation plan with findings from the gap analysis and recommendations on proper ways to mitigate areas of non-compliance.

3. Scoping and Planning

After weeks of remediation work, it’s time to start the PCI audit by verifying the scope of the engagement. We will work with your organization to analyze your services, geographic locations, payment applications, third parties, and other system factors to develop an accurate scope for the PCI audit.

This stage prepares the entire engagement team to move to the next step of gathering information. One helpful tip: the narrower the scope, the more accurate and efficient your PCI audit will be, so we aim for a detailed and well-defined scope. Network segmentation that isolates the cardholder data environment (CDE) from the rest of your systems is the usual way to narrow it, and your QSA will need to verify that the segmentation actually holds.

4. Gathering

At KirkpatrickPrice, we will collect your policies, procedures, and other documentation needed for your PCI audit through the Online Audit Manager.

Alongside your designated Audit Support Professional and QSA, you will begin answering questions and describing systems relating to your organization’s internal controls. The Online Audit Manager provides a platform that streamlines the PCI audit process and aids you in completing 80% of the PCI audit before one of our senior-level QSAs even visits your office for an onsite visit.

Gathering and preparing data beforehand gives you the opportunity to be more effective with time and communication during your onsite visit.

5. Onsite Visit

An onsite visit is probably what you envision when thinking about a stereotypical audit. Onsite visits are important for testing internal controls and observing your people and technology in action. During the onsite visit, a senior-level QSA, who has been partnered with you throughout the PCI audit process, will observe and test your organization to determine whether your processes meet the 12 PCI DSS requirements.

6. Report Delivery

Next, you will receive a Report on Compliance (ROC), which documents in detail the results of your PCI audit. To produce ROCs, KirkpatrickPrice has a team of professional writers, trained in and knowledgeable about the PCI DSS, who write high-quality reports.

Your report will also go through our Quality Assurance processes to ensure it meets our quality standards. You can take a deep breath knowing your PCI audit was performed by a QSA and a firm that is committed to your organization’s compliance success!

7. Get on the List

For service providers, a common final goal of completing a PCI audit is listing on the Visa Global Registry of Service Providers (often called the Visa Compliance List), which gives your clients an added level of assurance. By completing all the steps of your PCI DSS audit with a qualified auditing firm, you'll receive the report you need to apply for the list.

How to Market Your PCI Compliance

Going through the PCI compliance internal audit process can do more than assure your clients that their sensitive data is protected; PCI compliance can also be a powerful tool for your sales and marketing team.

How do you take your PCI compliance and market it to prospects and clients?

When you work with KirkpatrickPrice, you will receive a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing your recent PCI compliance, copy to use in marketing materials, and advice on how best to market your PCI compliance achievements.

Ready to Start Your PCI Compliance Audit?

We understand that PCI compliance can feel overwhelming. That’s why it’s so important to work with a qualified firm you can trust. At KirkpatrickPrice, we want to partner with you from audit readiness to final report.

Are you ready to work with a qualified QSA firm that partners with you throughout the PCI audit process? Connect with one of our experts today!

More PCI DSS Compliance Resources

Beginner’s Guide to PCI Compliance

PCI Demystified

What is a PCI audit?

Information security in the cloud depends on properly managing secrets, including AWS access keys. Authorized users and code must authenticate to use cloud resources. Authentication relies on shared secrets, but shared credentials may create security vulnerabilities, especially when shared naively by embedding them in application code. 

Embedding AWS access keys in code seems an efficient solution when, for example, your code needs to interact with the S3 API to store data in a bucket. However, it exposes the keys to anyone who sees the code.

AWS keys are often exposed this way when code is pushed to version control services like GitHub, where automated scanners run by attackers find new keys within minutes. Publicly exposed code isn't the only risk of embedded access keys, though. Anyone inside the company with access to the repository can view credentials they may not be authorized to use, undermining your authentication and access control strategy, and the key stays in the repository's history even after someone removes it from the current version.

Like giving out copies of your house key or leaving a spare under the mat, using AWS access keys in your code might seem handy, but it’s risky. If your code gets shared online, it’s like telling everyone where that spare key is. And even at work, not everyone should have a key to every door.
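The check a practitioner wants here is one that runs before code ever reaches the repository. The following is an added example (not code from the original article): a small pre-commit style scanner for the two AWS credential formats described above. The key formats it matches are AWS's real ones (20-character access key IDs starting with AKIA for long-term keys or ASIA for temporary ones, and 40-character secret access keys); the sample source it scans is constructed for this example and uses the placeholder credential pair from AWS's own documentation, not a real key.

```python
"""Pre-commit style scan for AWS access keys embedded in source text.

Added example, not code from the original article. The key formats it checks
are AWS's real formats; the sample source and file names are constructed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Access key IDs: fixed prefix plus 16 upper-case letters or digits.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret keys: exactly 40 characters from the base64 alphabet, not embedded in
# a longer run of such characters.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # redacted, so the finding itself can be printed in CI logs


def redact(value: str) -> str:
    """Keep just enough of the value to identify which key leaked."""
    return value[:4] + "..." + value[-4:]


def looks_like_secret(candidate: str) -> bool:
    """Require mixed case and a digit; this drops hex digests and plain words
    at the cost of missing the rare secret that happens to lack one class."""
    return (re.search(r"[a-z]", candidate) is not None
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[0-9]", candidate) is not None)


def scan_text(text: str, window: int = 3) -> list[Finding]:
    """Return findings for every key ID and every plausible secret key.

    The secret-key pattern alone is noisy, so a candidate is only reported when
    its line mentions "secret" or sits within `window` lines of a key ID.
    """
    lines = text.splitlines()
    findings: list[Finding] = []
    id_lines: set[int] = set()
    for no, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(no, "access_key_id", redact(m.group(1))))
            id_lines.add(no)
    for no, line in enumerate(lines, start=1):
        near_id = any(abs(no - i) <= window for i in id_lines)
        if not (near_id or SECRET_HINT_RE.search(line)):
            continue
        for m in SECRET_KEY_RE.finditer(line):
            if looks_like_secret(m.group(1)):
                findings.append(Finding(no, "secret_access_key", redact(m.group(1))))
    return findings


# Constructed sample of the mistake described above. The credentials are the
# placeholder pair from AWS's documentation, not a real key.
SAMPLE_SOURCE = """\
import boto3

s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
GIT_SHA = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"  # hex digest, must not match
"""


if __name__ == "__main__":
    # Usage: python scan_keys.py FILE ...   (no arguments scans SAMPLE_SOURCE)
    sources = {p: open(p).read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_SOURCE}
    failed = False
    for path, text in sources.items():
        for f in scan_text(text):
            print(f"{path}:{f.line_no}: {f.kind} {f.value}")
            failed = True
    sys.exit(1 if failed else 0)
```

Run it as a pre-commit hook over the staged files and the non-zero exit code blocks the commit. It only finds the two AWS formats; other secrets (database passwords, third-party API keys) need their own patterns or a general-purpose scanner, and a scanner never replaces the rule that credentials should not be in code at all.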

Below, we explore secure alternatives to embedding AWS access keys and other secrets in code.

What is an AWS Access Key?

Access keys are AWS’s primary long-term credential for programmatic authentication.  An AWS access key consists of an access key ID and a secret access key; together, they authenticate requests to AWS APIs, allowing users to interact with AWS services from their code, including via AWS CLI clients and SDKs. 

AWS access keys are associated with users in the AWS Identity and Access Management (IAM) platform. Because they are the programmatic equivalent of a username and password, they should be protected with the same diligence. Just as you wouldn’t embed your password in code, you should not embed your access key. 

How to Manage AWS Access Keys Securely

We’ll look at two ways to manage AWS access keys securely. The first is to avoid using them altogether, instead using temporary security credentials associated with AWS roles. The second takes advantage of AWS features to use access keys without exposing them needlessly.

Before discussing secure key management, a word of warning about the root user's access key: the AWS account root user has unconstrained access to every resource in the account, and its permissions cannot be limited by IAM policies. With the root user's key, a bad actor can shut down servers, delete data, create and destroy users, or call any other AWS API.

For this reason, you should not create an access key for the root user at all, and you should delete any root user access keys that already exist. More generally, avoid using the root user unless a task strictly requires it, as we discussed in 10 Top Tips For Better AWS Security Today.

IAM Roles vs. IAM Users

An IAM role is an AWS identity with a set of permissions for making requests to AWS resources, but, unlike an IAM user, a role is not tied to an individual and has no long-term credentials of its own. Users, applications, and AWS services can "assume" a role, which lets them act with the role's permissions. Essentially, roles let AWS customers delegate permissions to other entities.

Roles have a couple of major advantages. First, a role can be attached to AWS resources such as EC2 instances (through an instance profile), Lambda functions, and ECS tasks. The EC2 instance can then request resources in line with the role's permissions, with no IAM user access key embedded in the code. On EC2 the role's credentials are served from the instance metadata service, so require IMDSv2 on your instances; otherwise a server-side request forgery bug in the application can be used to read them.

Second, roles provide temporary credentials. An IAM user's access key stays valid until it is deactivated or deleted, whereas a role's temporary credentials, issued by AWS STS, expire automatically after a configurable session duration.

Secure Use of AWS Access Keys

In some cases, you may prefer to use an IAM user’s access key instead of an AWS role, but you should not embed credentials in the code. Instead, you can safely store the access key in a location your code can read.

One option is to store the key in environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) in your code's operating environment; the AWS SDKs and the AWS CLI read them automatically. Environment variables are managed by the operating system, so anything that can inspect the process, dump its environment, or read it from a crash report or a verbose log can read the key; keep them out of shell history and container image definitions as well. Several AWS services, for example Amazon ECS, can retrieve secrets from AWS Secrets Manager and inject them into a container's environment variables at launch so the values never appear in the task definition itself.

Another option is the AWS shared credentials file, a plain-text INI file (~/.aws/credentials on Linux and macOS, %USERPROFILE%\.aws\credentials on Windows) holding one or more named profiles, each with an access key ID and secret. The AWS SDKs and the AWS CLI look for this file and use the selected profile's key when making requests. Because the file is plain text, restrict its permissions to the owning user and never commit it to version control.

These methods (roles, environment variables, and the credentials file) suit different scenarios, but the critical point is this: embedding the AWS access key in your code is a bad idea.

How to Rotate AWS Access Keys

Rotation replaces an old key with a new one and retires the old key. AWS access keys are long-lived credentials: if one is exposed, it can be used until it is deactivated or deleted. Regular rotation limits how long a leaked key stays useful to a bad actor.

IAM allows each user at most two access keys, which is what makes rotation possible without interrupting your software's access to resources. The recommended sequence is to create a second access key, update the software to use the new key, and then set the old key to Inactive rather than deleting it straight away.

Once you are satisfied that everything is using the new key (IAM's last-used information for the old key is the check to make here), delete the original. Access key rotation can be carried out in the IAM console, the AWS CLI, or the AWS API.

Mitigating Risk When AWS Access Keys are Exposed

While AWS users can take steps to prevent the exposure of access keys, what should they do if a key is exposed? First, invalidate the key as soon as possible. Deactivating it is the right first move: it stops new requests immediately but can be reversed if a critical system turns out to depend on it. Invalidation also blocks legitimate use, so for keys used by mission-critical software you may need to rotate to a new key in the same step rather than simply cutting the old one off.

The exposed key may already have been used, so you must also check every resource the key's permissions reach. Depending on the user's permissions, a bad actor may have exfiltrated sensitive data, planted malicious software, or created persistence such as new IAM users, access keys, or roles that will survive the revocation of the leaked key; look for those and remove them too.

Finally, use AWS CloudTrail, together with S3 server access logs or CloudTrail data events for bucket activity, to establish whether the key was actually used, from where, and for what, and then mitigate whatever you find. CloudTrail records the access key ID with each API call, so searching management events for the leaked key ID is the quickest way to reconstruct the attacker's actions; note that object-level S3 reads and writes only appear if data event logging was enabled for the bucket.
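The investigation just described, as an added example that is not code from the original article. It takes a batch of CloudTrail records and the leaked access key ID, and pulls out what an incident responder needs first: when the key was used, from which untrusted addresses, which calls were denied (a sign of an attacker probing permissions), which high-risk calls succeeded, and any new access keys the attacker created that must also be revoked. The CloudTrail field names (userIdentity.accessKeyId, eventName, eventSource, sourceIPAddress, errorCode, responseElements) are the real ones; the records, the trusted network range, the high-risk event list and the key IDs are constructed for the example.

```python
"""Triage CloudTrail records for activity made with a leaked access key.

Added example, not code from the original article. Field names are CloudTrail's;
the records, trusted network and key IDs below are constructed.
"""
from __future__ import annotations

from collections import Counter
from ipaddress import ip_address, ip_network

# Calls that create persistence or move data. Any of these succeeding with a
# leaked key needs immediate action, not just a line in the report. The list
# is an assumption for this example; tune it to your environment.
HIGH_RISK_EVENTS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "CreateRole", "UpdateAssumeRolePolicy", "CreateLoginProfile",
    "GetObject", "PutBucketPolicy", "RunInstances", "StopLogging",
}


def triage(records: list[dict], leaked_key_id: str, trusted_cidrs: list[str]) -> dict:
    """Summarise everything the leaked key did, sorted by time."""
    trusted = [ip_network(c) for c in trusted_cidrs]

    def is_trusted(src: str) -> bool:
        try:
            return any(ip_address(src) in net for net in trusted)
        except ValueError:  # AWS service names like "ec2.amazonaws.com" are not IPs
            return False

    hits = sorted(
        (r for r in records if r.get("userIdentity", {}).get("accessKeyId") == leaked_key_id),
        key=lambda r: r["eventTime"],  # ISO-8601 UTC strings sort chronologically
    )
    return {
        "total_calls": len(hits),
        "first_seen": hits[0]["eventTime"] if hits else None,
        "last_seen": hits[-1]["eventTime"] if hits else None,
        "by_event": Counter(r["eventName"] for r in hits),
        "untrusted_ips": sorted({r["sourceIPAddress"] for r in hits
                                 if not is_trusted(r["sourceIPAddress"])}),
        "denied_calls": sum(1 for r in hits if r.get("errorCode")),
        "high_risk": [(r["eventTime"], r["eventName"], r["sourceIPAddress"]) for r in hits
                      if r["eventName"] in HIGH_RISK_EVENTS and not r.get("errorCode")],
        # A successful CreateAccessKey returns the new key ID in responseElements;
        # that key is attacker persistence and must be deleted as well.
        "keys_created": [r["responseElements"]["accessKey"]["accessKeyId"] for r in hits
                         if r["eventName"] == "CreateAccessKey" and not r.get("errorCode")],
    }


LEAKED = "AKIAIOSFODNN7EXAMPLE"  # AWS's documentation placeholder, playing the leaked key


def _rec(time: str, source: str, name: str, ip: str, key: str = LEAKED, **extra) -> dict:
    """Build a minimal CloudTrail record (constructed test data)."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": "app-user", "accessKeyId": key}}
    rec.update(extra)
    return rec


# Constructed: normal daytime use from the office range, then an evening burst
# from an unknown address that checks identity, probes IAM, mints a new key
# and reads from S3. The final record belongs to a different, unrelated key.
SAMPLE_RECORDS = [
    _rec("2024-03-01T09:00:12Z", "s3.amazonaws.com", "PutObject", "10.20.0.15"),
    _rec("2024-03-01T23:41:03Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.77"),
    _rec("2024-03-01T23:41:30Z", "iam.amazonaws.com", "ListUsers", "198.51.100.77",
         errorCode="AccessDenied"),
    _rec("2024-03-01T23:42:10Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.77",
         responseElements={"accessKey": {"accessKeyId": "AKIAATTACKER00000000", "status": "Active"}}),
    _rec("2024-03-01T23:43:55Z", "s3.amazonaws.com", "GetObject", "198.51.100.77"),
    _rec("2024-03-01T10:00:00Z", "s3.amazonaws.com", "PutObject", "10.20.0.15",
         key="AKIAUNRELATED0000000"),
]
TRUSTED_CIDRS = ["10.20.0.0/16"]  # assumed office/VPN range


if __name__ == "__main__":
    for k, v in triage(SAMPLE_RECORDS, LEAKED, TRUSTED_CIDRS).items():
        print(f"{k}: {v}")
```

In practice the records come from an Athena query over the CloudTrail bucket or from CloudTrail Lake filtered on the key ID; the triage logic is the same. Remember that the GetObject line only exists here because S3 data events were assumed to be on; with management events alone, the S3 read would be invisible.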

Securely Storing other Secrets with AWS Secrets Manager

You may need to securely manage other secrets in addition to AWS access keys, including SSH keys, database credentials, and third-party API keys. AWS Secrets Manager provides a solution for storing, rotating, managing, and retrieving a wide variety of secrets. 

For example, to give an application access to a database, you store the database credentials in AWS Secrets Manager, where they are encrypted at rest with an AWS KMS key. At runtime the application calls Secrets Manager, which decrypts the secret and returns it over TLS. Access to each secret is controlled by IAM permissions policies for users, groups, and roles, giving fine-grained control; the application itself should authenticate to Secrets Manager with a role rather than an embedded access key, or the problem has simply moved up one level. Secrets Manager can also rotate database credentials on a schedule using a Lambda function, so the application never holds a long-lived password.

Partner with an Expert to Strengthen Your Cloud Security

To learn more about AWS cloud security, visit KirkpatrickPrice’s AWS Security Services to find a wealth of cloud security and AWS audit educational content.

If you would like to discuss AWS audits with an experienced auditor, contact KirkpatrickPrice today.

Vetting and choosing vendors are some of the most important decisions you’ll make for your business, especially when it comes to information security.

They could do anything from running your call center to storing your data, monitoring your systems, or destroying your records. Yes, you can outsource a process or a department to vendors, but you can never outsource risk. No matter the vendor, they pose some level of risk to your organization, especially financial, operational, reputational, and cyber risk, because they have access to your data, network, hardware, cloud, and more.

This is why you must thoroughly vet potential vendors using a vendor due diligence checklist.

Once you’ve narrowed your vendor options to those that can support your needs, it’s time to gather the information that will help you take a risk-based approach to vendor selection – this is the vendor due diligence process. This information should help you rank the risk that potential vendors would pose to your organization, which strengthens your organization and protects you from insecure or irresponsible vendors.

Streamlining the vendor due diligence process is essential to its success so that it doesn’t become arduous and intimidating. Plus, vetting your vendors isn’t a one-time process; you should continually assess whether they’re introducing more risk into your environment or meeting your security standards.

In order to streamline this process, we’ve put together a vendor due diligence checklist as a guide.

This checklist isn’t extensive – questions could change based on your requirements or the company, industry, size, or region. It asks potential vendors to submit general information about their company, a financial review, reputational risk information, evidence of insurance, technical documentation regarding information security, and their policies. The more you know about potential vendors, the easier it is to assess their risk.

Vetting Compliance with a Vendor Due Diligence Checklist

There are six core areas to consider when doing due diligence on a potential vendor:

  1. General company information
  2. Financial review
  3. Reputational Risk
  4. Insurance
  5. Information Security Technical Review
  6. Policy Review

General Information

There are obvious, foundational documents that are absolutely necessary to obtain from potential vendors.

This general information will confirm that the company is legitimate and licensed to do the work you need. It includes items like articles of incorporation, proof of location(s), any DBA, AKA, or FKA names (doing business as, also known as, formerly known as), and an overview of the company structure.

Financial Review

Assessing financials may seem irrelevant to your vendor selection process, but you do want to ensure that potential vendors are financially solvent. Would you want to partner with a company that may not be in business next year? To perform a financial review, you will need to know major assets, principal owners, loans, etc.

Reputational Risk

When you choose to work with a vendor, you’re putting part of your business in their hands.

Take choosing an audit firm, for instance. Would you want to hire a firm whose managing partner for audit quality was convicted of fraud? Absolutely not – that’s why assessing reputational risk is so important, even with companies you would typically trust (like a Big Four firm or even household names).

If you don't include reputational risk in your due diligence process, you may miss information that would have changed your decision, like complaints or reports filed with the Consumer Financial Protection Bureau (CFPB) or the Better Business Bureau (BBB).

Insurance

Gathering insurance information from potential vendors is similar to gathering general information – it’s a must-have and foundational to your decision-making. Gather information on general liability insurance, cyber insurance, or insurance specific to services.

Information Security Technical Review

When a vendor performs a service for you that impacts your data security or privacy programs, you must do a thorough vetting of their information security program. The more they are willing to show you during the vetting process, the better. A good starting point is collecting internal or external audit reports, pen testing reports, and their history of data breaches.

Policy Review

Policies and procedures are the backbone of any organization. If a potential vendor cannot provide policies that cover change management, data retention, or privacy, they probably do not have the controls needed to protect your organization's data, network, hardware, or cloud.

Choosing a Compliant Vendor

Once your potential vendors have submitted all of their answers from the due diligence checklist, you may be in one of the following situations:

  • A potential vendor is not willing to answer all of your questions. Depending on the nature of your question, you may have the right to be suspicious of their processes and determine that they do not understand your standards.
  • A potential vendor answers all of your questions but their evidence proves they pose a significant risk to your company, and it is unreasonable to try and mitigate. Cross them off your list!
  • A potential vendor doesn’t quite meet your standards, but the risk they pose isn’t significant, and they are willing to improve their information security practices in exchange for your business. Now it’s up to you to determine what you require of them to change – more frequent pen testing? A SOC 1 Type II report? The inclusion of new Trust Services Criteria in their SOC 2 audit? Better policy documentation?
  • You have more questions based on a potential vendor’s initial answers. Ask them! If they want your business badly enough, they will cooperate with your due diligence process.
  • One potential vendor’s security processes stand out among the rest – your choice is easy!

Proactively protect your organization.  If you choose a vendor without vetting and assessing what types of vendor risk they present and whether the relationship will help achieve your objectives, you can put your business in jeopardy.

Work with KirkpatrickPrice to Build Your Vendor Management Program

We believe performing quality vendor compliance assessments is vital to the strength of your vendor management program, but we understand how hard it can be to create a reliable program. If you don’t currently perform vendor due diligence, consider using our vendor due diligence checklist (below) as a guide.

If you still have questions about vendor relationships and how they can impact information security, or if you want to put KirkpatrickPrice through your vendor due diligence checklist, let's talk today! Our experts are passionate about helping your organization achieve the assurance it deserves.

Download the Vendor Due Diligence Checklist

What is the Open Source Security Testing Methodology Manual (OSSTMM)?

The Open Source Security Testing Methodology Manual, or OSSTMM, is a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM).

The manual is updated periodically to remain relevant to the current state of security testing. ISECOM's main goal with the OSSTMM is to offer a scientific method for accurately understanding operational security. You can use it for penetration testing, ethical hacking, and other security tests. Because the OSSTMM bases its conclusions on verified, measurable facts rather than opinion, organizations that use it for penetration testing can make informed decisions.

OSSTMM includes the following key sections:

  • Operational Security Metrics
  • Trust Analysis
  • Work Flow
  • Human Security Testing
  • Physical Security Testing
  • Wireless Security Testing
  • Telecommunications Security Testing
  • Data Networks Security Testing
  • Compliance Regulations
  • Reporting with the STAR (Security Test Audit Report)

At KirkpatrickPrice, we use the OSSTMM to develop our advanced penetration testing services. Because they are built on a recognized industry methodology, our tests provide reliability, effectiveness, and thoroughness. The OSSTMM allows KirkpatrickPrice to perform penetration tests that produce measurable and accurate results.

What makes up the OSSTMM? Which principles and channels does its methodology test? Below, we define the OSSTMM further and explore the five core testing channels and methodologies.

5 OSSTMM Testing Channels & Methodology

To help organizations understand their security, OSSTMM guides businesses in testing their operational security through five channels. Doing such helps them determine how well their security processes actually function. Essentially, they reveal what your operations actually accomplish, not just what they are supposed to accomplish.

The five channels tested include:

  1. Human Security: Assessing the security in human interactions and communications.
  2. Physical Security: Rigorously testing any tangible aspects of security requiring physical effort.
  3. Wireless Communications: Examining electronic signals and communications, covering all aspects of wireless security.
  4. Telecommunications: Evaluating digital and analog telecommunications networks, including all forms of phone and network line communications.
  5. Data Networks: Testing electronic systems and networks that communicate over established wired and cabled network lines.

The OSSTMM focuses on these five channels as important operational areas that need proper security testing to secure your organization. Our penetration testing methodology builds upon these ideas to find any enterprise weaknesses and vulnerabilities that need further addressing.

That’s the value the OSSTMM brings to the table.

Pen Testing with the OSSTMM Methodology

Why is it important to test your security controls? Why should your organization spend time and money on penetration testing?

According to the IBM Security 2019 Cost of a Data Breach Report, the average cost of a data breach in the United States is 8.9 million dollars.

Imagine what that cost could do to your organization.

It's a cost you can work to avoid when you hire penetration testers who rely on quality methodologies such as the OSSTMM. When you partner with a quality testing firm, you're helping your organization close the gaps in its security and catch costly vulnerabilities before an attacker does. To find your operational security gaps and reduce your risk of breach, contact KirkpatrickPrice today.

More Penetration Testing Resources

People often ask: is an internal audit necessary? What if we’re a smaller organization, should we be spending our already limited resources on an internal audit program?

If your clients depend on you to provide efficient, compliant, and secure services, then the answer is a resounding “yes”.

Internal auditing is an important function of any information security and compliance program and is a valuable tool for effectively and appropriately managing risk. Are we doing what we say we're doing? Are there gaps in our policies and procedures? Are there areas for improvement? Are we meeting our compliance goals? Let's explore these important questions below.

What is the Purpose of an Internal Audit?

According to the Institute of Internal Auditors:

The Role of Internal Audits

“The role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.”

Internal auditing objectively enhances an organization’s business practices. It involves gaining insights into an organization’s culture, policies and procedures, and it contributes to the oversight of the board and management. This contribution is made by verifying the effectiveness of internal controls, including operational efficiency, risk mitigation measures, and compliance with relevant laws and regulations.

5 Reasons Why Internal Audits are Important

Internal auditing programs are critical for the surveillance and assurance of the proper protection of your business assets against threats. Additionally, they verify the alignment of your business processes with documented policies and procedures. Let’s examine the significance of internal auditing through five different lenses and how it contributes to your organization’s compliance with prevalent frameworks and regulations:

  1. Provides objective insight
  2. Improves efficiency of operations
  3. Evaluates risks and protects assets
  4. Assesses organizational controls
  5. Ensures legal compliance

Provides Objective Insight

You can’t audit your own work without having a definite conflict of interest.

To remain objective, your internal auditor or team cannot have any operational responsibility. In cases where resource constraints impact smaller companies, it’s acceptable to cross-train employees in different departments for auditing purposes. By providing an independent and unbiased view, the internal audit function adds value to your organization.

Improves Operations Efficiency

By objectively reviewing your organization’s policies and procedures, you can rest assured you are following those policies and procedures appropriately, and that they adequately mitigate your company’s unique risks.

Through ongoing monitoring and evaluation of your processes, you can identify suggestions for enhancing their efficiency and effectiveness, ultimately enabling your organization to trust its processes rather than individuals.

Evaluates Risks and Protects Assets

An internal audit program assists management and stakeholders by identifying and prioritizing risks through a systematic risk assessment. A risk assessment can help to identify any gaps in the environment and allow for a remediation plan to take place.

Your internal audit program will help you to track and document any environmental changes and ensure the mitigation of any found risks.

Assesses Controls

Internal auditing is beneficial because it improves the control environment of the organization by assessing efficiency and operating effectiveness. Internal auditing answers questions like: Are your controls fulfilling their purpose? Are they adequate in mitigating risk? Controls are only helpful if they are helping your organization meet its goals.

Ensures Compliance with Laws and Regulations

By regularly performing an internal audit, you can check your compliance with all relevant laws and regulations. It also gives you confidence that you are prepared for your next external audit. Gaining client trust and avoiding the costly fines associated with non-compliance make internal auditing an important and worthwhile activity for your organization.

Build an Unstoppable Internal Audit Program with KirkpatrickPrice

We know that building out an internal audit program is challenging.  If you still have questions about developing your own internal audit program, or even strengthening your current process, our experts are ready to help!

Connect with an expert today and let’s start building your internal audit program.

More Internal Auditing Resources:

6 Steps to Construct Your Internal Audit Program

Chief Compliance Officer Series: Constructing an Internal Audit Framework

CFPB Readiness Series: Developing an Internal Audit Process