The very word “audit” has been known to strike fear among the most steadfast of people. Really, all an audit does is check that you are doing the right thing. As long as your credit card billing systems, policies, and processes are up to snuff, you should have nothing to worry about when undergoing a PCI compliance audit.

In fact, an audit can be helpful for confirming that you’re operating as you ought to — or for helping to identify what exactly you need to change so you can be properly compliant.

PCI Compliance Audits

During a PCI audit, your business undergoes a review to establish the extent to which you adhere to the security standards that protect customers’ data during the processing of credit and debit card transactions, as well as in situations where that data is stored in your company’s databases. Basically, your infrastructure, procedures, networks, and policies are examined for vulnerabilities to prevent sensitive data from being compromised.

At the conclusion of an audit, you can take the assessment and make any necessary changes to beef up your system.

Being PCI Compliant

How can you determine the degree of security built into your infrastructure and protocol? You’ll pass your audit with flying colors if you can effectively address the following questions according to PCI DDS standards.

Do you currently have any card data stored?

If you do not, then this will not be one of your potential vulnerabilities. If you do, keep in mind that you want to store as little card data as possible, and without redundancies.

Best practices recommend implementing disposal policies and procedures that keep data retention to a minimum and encourage the destruction of the information you use to authenticate transactions as soon as they are authorized — even if the data itself has already been encrypted.

Is your network secure?

Map your data connections and make sure you have a firewall at each Internet connection (install one everywhere necessary) and along the perimeters (wireless networks and mobile devices, for example).

Non-firewalled connections can be among the riskiest aspects of an ostensibly secure network. Similarly, restrict access to only those who truly need it, and then only to the elements of your system that each user requires.

Are the apps you use to process payments secure?

Isolate the functions of each digital tool and utility to the extent that you can to make sure that access to one application does not provide access to all of them. That is, keep access to each application unique per server, so overlapping use cannot be transformed into a vulnerability. Of course, you also want to make sure that any potential vulnerabilities are covered by using mandatory login credential authorization and instituting firewalls.

Don’t forget to treat mobile apps in the same conscientious way you treat any other software. They may be user-friendly, but they wield the same potential security weak points as those that reside within your onsite network.

Do you limit and track access to systems?

Limit access to your systems by requiring regular changing of passwords, access codes, and other credentials. Track all access to your system to make sure only authorized individuals are getting in.

Make sure those with access can only reach the areas they need, as per your assessment of them as users. Here too, you’ll want to cordon off distinct processes so as to minimize risk.

Is your card data storage secure?

Require authentication — including two-step authentication wherever possible — to ensure your card data storage is as impenetrable as possible.

Because of regular updates, this is one area where you might inadvertently get rusty (truly, it can happen in any aspect of security), so keep logs for when updates are undertaken, even if they're handwritten.

Do you track changes to your servers and firewall settings?

Server hardware changes or platform updates can be extremely tricky. The same can be said about the ongoing evolution of firewall security.

Data systems are always works in progress, so it's essential to maintain logs of every change. This way you'll feel confident asserting that all sensitive transaction data is secure.

Have anyone's admin privileges changed or any new users been created?

Probably, right? The whole point of having the ability to make changes to who can do what within your billing system is that changes are necessarily ongoing and inevitable.

Here too, any time your company's data undergoes any changes to governance privileges, there will be increased risks involved. Keeping dynamic logs of these changes – and ensuring that multiple sets of eyes are checking the logs for potential oversights – helps mitigate the dangers of potential privacy breaches.

Compliance Beyond the Audit

Unfortunately, it's easy to forget that PCI compliance is a continuous process. Organizations are required to monitor and test their networks at regular intervals. You can't just "set it and forget it."

Remember, the above questions address the broad concepts that come into play with PCI compliance. The specifics of what you need to look for will depend on which type of compliance you need. To make sure you are properly covered, you will first have to define the scope of the Cardholder Data Environment (CDE). This is a nuanced art unto itself, because if your scope is too large, then it can become prohibitively expensive and difficult to secure. However, a scope that is too small could put cardholder data at risk.

The PCI DSS standards also require that businesses regularly test security systems and processes. This is extremely challenging for many businesses, which is why CimTrak’s advanced file integrity monitoring software is so useful. With CimTrak installed, users can receive instant alerts as soon as any significant file changes take place.

The Bottom Line

Once your business has undergone a PCI compliance audit and revised any areas of vulnerability, you will be in great shape with regard to your customers. You’ll be able to demonstrate a high level of professionalism and the most certifiably secure environment available.

When customers submit payments for processing, they can be confident their transactions and data are not at risk. In turn, that solid infrastructure for managing data security will build confidence in your business as a whole and in the responsible way you are handling any risk to their data.

Use the PCI compliance audit to your advantage — learn where your vulnerabilities are, conquer them, and market yourself with all the confidence of one who protects their customers' data.

PCI Compliance Checklist eBook

Jacqueline von Ogden
Post by Jacqueline von Ogden
March 22, 2016
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".