6 Steps of a PCI Audit
To protect the security of cardholder data, the PCI Security Standards Council requires organizations that work with payment cards to maintain compliance with the PCI DSS. If you’re an entity that stores, processes, or transmits cardholder data, you may be asking QSA firms, “How do you conduct a PCI audit?”
A PCI audit is a rigorous examination of the Payment Card Industry Data Security Standard, which consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data.
At KirkpatrickPrice, our PCI audit program takes a six-step approach to help your organization gain PCI compliance.
1. Gap Analysis
How do you conduct a PCI compliance internal audit? Before you begin a PCI audit for the first time, we recommend going through a gap analysis.
A gap analysis helps to identify any administrative, physical, and technical gaps in your information security program; specifically, in the way that you handle cardholder data. Going through a gap analysis allows our senior-level QSAs to understand your business and your level of readiness for a PCI audit. The gap analysis is an important step towards PCI compliance because your QSA can create remediation strategies that will guide you through the PCI audit process and towards compliance. Next, your organization will move on to remediate the findings found during the gap analysis.
Learn more about what to look for in a QSA before beginning any PCI audit.
Are you worried that after a gap analysis, you’ll be left to mitigate areas of non-compliance on your own?
Not when you partner with KirkpatrickPrice on a PCI audit. Now that your organization understands its administrative, physical, and technical gaps, a QSA from KirkpatrickPrice will work to develop a detailed remediation plan with findings from the gap analysis and recommendations on proper ways to mitigate areas of non-compliance. The remediation step in the PCI audit process will help your organization to recognize its gaps and remediate those areas for a smoother path towards PCI compliance.
3. Scoping and Planning
You’ve been through weeks of remediation work, what’s next?
It’s time to start the PCI audit by verifying the scope of the engagement. We will work with your organization to analyze your services, geographic locations, payment applications, third parties, and other system factors to develop an accurate scope for the PCI audit. The narrower the scope, the more accurate and efficient your PCI audit process will be, so we aim for a detailed and defined scope. The scoping and planning stage prepares the entire engagement team to move to the next step of gathering information.
At KirkpatrickPrice, we will collect your policies, procedures, and other documentation needed for your PCI audit through the Online Audit Manager.
Alongside your designated Audit Support Professional and QSA, you will begin answering questions and describing systems relating to your organization’s internal controls. The Online Audit Manager provides a platform that streamlines the PCI audit process and aids you in completing 80% of the PCI audit before one of our senior-level QSAs even visits your office for an onsite visit. Gathering and preparing data beforehand gives you the opportunity to be more effective with time and communication during your onsite visit.
5. Onsite Visit
What is an onsite visit?
An onsite visit is probably what you envision when thinking about a stereotypical audit. Onsite visits during the PCI audit process are important for not only testing internal controls that cannot be accurately tested remotely, but also seeing your people and technology in-action.
We are putting our name, our reputation, and our firm’s reputation on the line when we issue a report – we take that responsibility seriously, and onsite visits are major part of that responsibility. During the onsite visit, a senior-level QSA, who has been partnered with you throughout the PCI audit process, will observe and test your organization to determine if your processes meet the 12 requirements of PCI compliance.
6. Report Delivery
The final step in the PCI audit process is receiving a Report on Compliance (RoC), which provides you with a detailed report on the results from your PCI audit. To generate RoCs, KirkpatrickPrice has a team of Professional Writers, who are trained and knowledgeable about the PCI DSS, that write high quality reports. Your report will also go through our Quality Assurance processes to ensure it meets our quality standards. You can take a deep breath knowing your PCI audit was performed by a QSA and a firm that is committed to your organization’s compliance success!
Bonus: How to Market Your PCI Compliance
Going through the PCI compliance internal audit process can do more than assure your clients that their sensitive data is protected; PCI compliance can also be a powerful tool for your sales and marketing team.
How do you take your PCI compliance and market it to prospects and clients?
When you work with KirkpatrickPrice, you will receive a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing your recent PCI compliance, copy to use in marketing materials, and advice on how to best your market PCI compliance achievements.
How do you conduct a PCI audit? Now you know how we perform PCI audits at KirkpatrickPrice. Are you ready to work with a QSA firm that partners with you throughout the PCI audit process? Contact us today!