Major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB, responded to the growing number of data security breaches by coming together to create the PCI Security Standards Council. This Council developed a security standard for merchants that process credit card data, known as the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS encourages and enhances cardholder data security by providing globally recognized data security measures. Merchants, service providers, and subservice providers that store, transmit, or process cardholder data, including credit, debit, or other payment card data, are required to adhere to the PCI DSS. The PCI DSS audit is designed to test whether your organization is compliant with the 12 technical and operational requirements established to protect cardholder data.
What Do You Need to Know Before Your PCI Audit?
When it comes to preparing for your PCI audit and securing your cardholder data environment (CDE), it's important to understand where all of your sensitive assets lie. Taking an inventory to identify any and all locations where cardholder data is stored, and performing a thorough search of all systems to identify cardholder data and track data, is a critical PCI audit preparation step.
The scope of your CDE determines the extent to which all PCI DSS controls must be in place. Common PCI compliance issues are the result of scoping errors. Any personnel, processes, or technologies that store, process, or transmit cardholder data are considered to be within your CDE and, therefore, in scope for your PCI audit. In-scope assets also include:
- Any devices that provide security/authentication services, such as firewall, router, or patching servers
- Any asset that is connected to the CDE
- Any routing rules that allow traffic into the CDE
- Any asset that can impact CDE security in any way
To reduce the scope of your PCI audit and assessment, you can use logical and physical controls to achieve network segmentation. Segmentation is the implementation of additional security controls to separate systems with different security needs. These controls commonly include firewall and router configurations that deny traffic between out-of-scope networks and the CDE, network hardening standards, and physical access controls.
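The scoping criteria listed above and the segmentation rules described in this paragraph can be checked mechanically against an asset inventory and a firewall policy. The following is an added example, not code from the original article or from the PCI Security Standards Council: it models a CDE segment, a constructed set of assets, and a constructed first-match firewall policy, then reports which assets are in scope and why. The network ranges, host names, roles, and rules are all hypothetical. An asset is in scope if it sits inside the CDE segment, provides a security or authentication service, or is permitted by a routing rule to send traffic into the CDE; an asset that none of these apply to is the one segmentation has successfully kept out of scope.

```python
"""Added example: PCI scoping check over a constructed inventory and firewall policy.
Not from the original article; all networks, hosts, roles and rules are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Constructed CDE segment: systems in here store, process or transmit cardholder data.
CDE_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


@dataclass
class Asset:
    name: str
    ip: str
    role: str
    provides_security_service: bool = False  # firewall, router, patching, auth servers


@dataclass
class Rule:
    src: str     # CIDR
    dst: str     # CIDR
    action: str  # "allow" or "deny"


def in_cde(ip: str) -> bool:
    """True if the address lies inside a CDE network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDE_NETWORKS)


def first_match(rules: list[Rule], src_ip: str, dst_ip: str) -> str:
    """Evaluate a first-match policy; anything not matched is implicitly denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"


def can_reach_cde(rules: list[Rule], src_ip: str) -> bool:
    """True if the policy allows src_ip to reach any host address in the CDE."""
    return any(
        first_match(rules, src_ip, str(host)) == "allow"
        for net in CDE_NETWORKS
        for host in net.hosts()
    )


def classify(assets: list[Asset], rules: list[Rule]) -> dict[str, list[str]]:
    """Map each asset name to the list of reasons it is in scope (empty = out of scope)."""
    report: dict[str, list[str]] = {}
    for asset in assets:
        reasons = []
        if in_cde(asset.ip):
            reasons.append("inside the CDE segment")
        if asset.provides_security_service:
            reasons.append("provides security/authentication services to the CDE")
        if not in_cde(asset.ip) and can_reach_cde(rules, asset.ip):
            reasons.append("a routing rule allows its traffic into the CDE")
        report[asset.name] = reasons
    return report


def in_scope(assets: list[Asset], rules: list[Rule]) -> list[str]:
    """Sorted names of assets that have at least one in-scope reason."""
    return sorted(name for name, reasons in classify(assets, rules).items() if reasons)


# Constructed inventory and policy for the demonstration.
ASSETS = [
    Asset("pos-01", "10.10.0.15", "point-of-sale"),
    Asset("fw-edge", "10.0.0.1", "firewall", provides_security_service=True),
    Asset("patch-01", "10.30.0.5", "patch-server", provides_security_service=True),
    Asset("hr-ws-07", "10.20.0.42", "hr-workstation"),
    Asset("jump-01", "10.40.0.9", "admin-jump-host"),
]
RULES = [
    Rule("10.40.0.9/32", "10.10.0.0/24", "allow"),  # jump host is permitted into the CDE
    Rule("0.0.0.0/0", "10.10.0.0/24", "deny"),       # everything else is kept out of the CDE
    Rule("0.0.0.0/0", "0.0.0.0/0", "allow"),         # general traffic outside the CDE
]

if __name__ == "__main__":
    for name, reasons in classify(ASSETS, RULES).items():
        status = "IN SCOPE" if reasons else "out of scope"
        print(f"{name:10} {status:13} {'; '.join(reasons)}")
```

The segmentation deny rule is what keeps the HR workstation out of scope; move that rule below the general allow and every asset that can route to the CDE becomes in scope, which is exactly the scoping error the paragraph warns about.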