PCI audits should be treated the same as financial exams

While reporting for the PCI DSS is annual, it’s expected that the standard is followed 24/7/365. For most businesses, however, everyday demands like customer engagement and financial performance can distract from payment security obligations.

But what happens when that annual PCI audit requirement rolls around? Small businesses and other organizations allowed to self-assess their compliance will stop what they’re doing to check boxes on a form, and then they will move on.

Get a PCI Qualified Security Assessor (QSA) involved, however, and it’s a different story. Now the business is subject to a formal, third-party assessment of its PCI compliance. And with that comes the need to prepare.
Your CFO wouldn’t go into a financial audit blind, and your legal team wouldn’t respond to an inquiry without first doing its homework, yet 40-50% of IT professionals are unprepared when our QSA knocks on their door. This is the No. 1 reason the assessment fails.

Lack of preparation for a PCI DSS assessment usually results in unexpected and unnecessary expenses, as well as lost productivity among all parties involved. For example, failure to create the required documentation ahead of time prolongs the assessment process, elevating QSA fees.

In addition, an unnecessarily complex cardholder data environment (CDE) and a lack of required controls will result in high, last-minute remediation costs and higher ongoing control costs. Being unprepared almost always causes the business to miss its reporting deadline as well, which can trigger hefty noncompliance penalties from the merchant acquirer.

Preparing for a PCI DSS assessment is similar to other compliance audits in that it involves gathering the necessary information and documentation so that the QSA can effectively assess against the standard. Of course, a basic understanding of the PCI DSS itself is also required.

Many businesses choose to undergo a PCI gap analysis to find and fix compliance holes efficiently and economically, without the rush that comes with a formal assessment. With time for remediation afterward, the QSA can help uncover ways to tighten scope, simplify compliance and reduce long-term costs.
