What is the PCI DSS?
The PCI Security Standards Council (PCI SSC) was founded jointly by the payment card brands to encourage and enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The standard it maintains requires that all data living within the Cardholder Data Environment (CDE) be protected from theft or unauthorized use. Any merchant, service provider, or sub-service provider that stores, processes, or transmits cardholder data, or otherwise holds cardholder data, must adhere to the Payment Card Industry Data Security Standard (PCI DSS).
The current version of the standard is PCI DSS v3.2, which has approximately 394 controls, six control objectives, and 12 major subject areas.
What Do You Need to Know Before Your PCI DSS Audit?
We understand that preparing for a PCI DSS audit can be daunting. When preparing for the audit and securing your CDE, begin by understanding where all of your sensitive assets lie. Cardholder data leaks out of its known storage locations, and on most networks it ends up stored in both known and unknown places. A good asset inventory is the starting point for identifying every location that holds stored cardholder data, and a thorough search of all systems should be performed to find stored cardholder data and magnetic-stripe track data.
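The "thorough search of all systems" above is normally automated with a data-discovery scan. As an added example (not code from the original page or any vendor tool), the Python script below scans text for candidate PANs, confirms them with the Luhn check digit, looks for magnetic-stripe track 1 and track 2 layouts, and reports only masked values so the findings log itself does not become new cardholder-data storage. The sample input is constructed from well-known test card numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (avoids matching parts of other IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check: reject most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2 if d * 2 <= 9 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, as PCI DSS masking rules allow."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked PAN) findings for track data and Luhn-valid PANs."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = re.search(r"\d{13,19}", m.group()).group()
            findings.append((kind, mask(pan)))
        text = rx.sub(" ", text)  # do not report the same PAN again as a bare PAN
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings


# Constructed sample: an order id that fails Luhn, a bare test PAN, and
# leaked track 1 / track 2 data using public test card numbers.
SAMPLE = """order=1234567890123456 customer=alice
card: 4111 1111 1111 1111 exp 12/26
old log: %B4111111111111111^DOE/JOHN^2612101000000000?
swipe: ;5555555555554444=2612101000000000?
"""

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:7s} {value}")
```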
You’ll also need to select a QSA, or Qualified Security Assessor. QSAs are independent, third-party assessors that have been qualified by the PCI SSC to validate an organization’s compliance with the PCI Data Security Standard. If you are required to obtain a PCI Report on Compliance (PCI RoC), you must engage a QSA to audit your environment against the PCI DSS requirements, validating your controls. Since the PCI DSS is such a comprehensive standard, it’s always a good idea to go with an experienced auditor when choosing your QSA.