How to pass a PCI compliance audit

A PCI compliance audit tests your company's card security practices to see if your clients' information is safe. Find out what to expect and how to pass it.

Passing PCI compliance audits requires documented processes and consistent execution across your team. Here is how we approach compliance management.


Summary

  • 70% of consumers fear sharing financial data online - Despite high-profile hacks occurring at regular chain stores, people remain nervous about credit card security, making third-party PCI compliance assurance valuable for building consumer confidence in your business
  • All card-accepting businesses need auditing regardless of size - Four levels classify businesses from 6 million+ annual transactions (Level 1 requiring rigorous checks) down to fewer than 20,000 online transactions (Level 4), with audits required every 12 months by Qualified Security Assessors
  • Equifax hack proves technical systems need human implementation - 2017 breach exposed sensitive data that was not encrypted despite the company having all the wherewithal to protect it, illustrating that staff training matters as much as technical safeguards
  • Failing costs more than just fees - Consequences include higher processing fees, fines from credit card companies, loss of card processing ability, increased security monitoring, extra costly audits, and worst case, exposed customer data destroying your reputation. Need help managing compliance workflows?

It’s a scary scenario: your business’ information systems get hacked, and credit or debit card information is stolen. Having helped companies build compliance workflows at Tallyfy - where compliance is one of our most discussed topics - I’ve seen firsthand how important proper preparation is. It has happened to some of the biggest companies, and you can bet it sent their customers into a frenzy of worry when the information was finally made public. But passing a PCI compliance audit shows that you handle information securely.

Knowing and addressing risks could save you from a nightmare scenario, and give your customers confidence when they use their cards to shop with you. The first time you have to pass a PCI Compliance audit, you may find the very thought somewhat daunting. But preparing for a PCI Compliance audit is a process, and once you’ve got it right, it will become a matter of routine. Let’s take a closer look at the whys and wherefores - and help you with your recipe for PCI Compliance success.

What is a PCI compliance audit?

No matter how large or how small your business is, you should undergo PCI compliance auditing to show that you’re taking good care of your customers’ credit card security. In our conversations with operations leaders at mid-size financial services firms, we have heard that the biggest challenge is not the technical controls themselves, but ensuring consistent execution across all staff handling card data. Your transactions must be safe, and any data that you store must also be protected.

PCI stands for Payment Card Industry, and the audit is among the measures set out in its Data Security Standard (PCI DSS). The standard uses a classification system to rate your business based on the number of card transactions you process annually. For example, a level one business processes over six million card transactions per year, while a level four business handles fewer than one million.

What does the PCI compliance auditor look at?

To determine how safely your customers can use their cards to pay you, the auditor approaches the task with three distinct aims in mind:

  • Firstly, he or she will examine your entire payment system
  • In the process, the auditor will seek out vulnerabilities that may put your clients at risk
  • Finally, the auditor examines how you store data and whether it is safe from hackers

Follow the step-by-step process

As you can see, PCI compliance is not only important for your customers’ security; it’s also vital to your business’ reputation. Approach your audit with a positive mindset. It’s a golden opportunity to improve your business’ payment system security. The payoff is worth it.

Step 1: Appoint a qualified security assessor. This person will be formally trained in conducting PCI compliance audits and will have credentials from the PCI SSC, the Payment Card Industry Security Standards Council.

Step 2: Inform all the relevant staff about the process and ask them to cooperate fully. Your security assessor will need to dig into all the networks and systems you use as well as your internal payment-related policies and procedures. Your staff should be ready to help with all the necessary information.

Step 3: Act on the risk assessment information. Once the assessor has all the relevant information, he or she will use it to produce a PCI risk assessment. This is a valuable document because it will help you to get your data security up to scratch. Any vulnerable areas will be ranked in order of their severity, helping you to prioritize the most serious weak spots in your data security system.

We’ve talked about the value of risk assessments before - and this area is one where you can’t afford to compromise. If your business is being assessed for the first time, you might find yourself with a lot of changes to make. Managing the workflows that will address risks can be complex, and some businesses prefer to retain the security assessor as a consultant who helps to drive the process forward.

Cutting costs and getting it done faster

Smaller vendors aren’t actually required to undergo PCI compliance auditing, but voluntarily doing one is probably a good idea. Consultants don’t come cheap, however, so the less of their time you need, the lower the cost will be.

Prepare yourself for your audit by using the PCI Self-Assessment Questionnaire (SAQ) that applies to your business. You can find all this info on the PCI Security Standards Council website, or you can ask your bank to help you find the information you need.

After completing your SAQ, you will know which areas to attend to before the audit begins. The actual audit will merely confirm whether or not you have achieved the level of security you were aiming for.

Don’t get so tied up in technicalities that you forget the potential impacts of human error. Based on hundreds of implementations we have observed across regulated industries, the organizations that struggle most with compliance audits are those with huge productivity variations among staff - sometimes 4x to 10x differences in how consistently people follow security procedures. Getting all your employees on board before your assessment is important. They need to understand what process they should follow to ensure that client information is kept safe.

This is dramatically illustrated by the 2017 Equifax hack. A company dealing with very sensitive, confidential data, it had all the wherewithal to protect it.

But according to news reports, the data that was stolen, triggering multiple lawsuits against the company, wasn’t encrypted. The lesson? Don’t neglect staff training.

Your technical systems will help you, but ultimately, it’s your people who must put the measures in place.


A job worth doing is worth doing well

Your parents probably told you that a job worth doing is worth doing well, and nowhere is this truer than when you are protecting your clients’ financial security. The Entrepreneur reports that over 70 percent of people feel nervous about sharing their financial data online. This, despite the fact that some of the most high-profile hacks have occurred at regular chain stores.

Whether your business deals with people in person or online, being able to give third-party assurances that you have done everything you can to keep their financial information safe will build consumer confidence in your business.

It’s therefore well worth putting a little extra effort into your audit preparations. From what I’ve observed working with regulated businesses - with financial services representing 17% of our leads at Tallyfy - you’ll be relying on a team to get things done. So, be sure that every step has been followed and every box ticked.

Looking to streamline your PCI compliance workflows? Discover how Tallyfy helps regulated businesses manage compliance processes with trackable, repeatable workflows.

How often are PCI audits required?

You need to be PCI compliant, and you need to be audited every 12 months. Corporations, too, should be scanning their networks quarterly. The timing depends on your business size and how many credit card transactions you process each year. Larger companies that process millions of transactions require more regular checks than smaller businesses.

Who conducts PCI audits?

All PCI audits should be conducted by a Qualified Security Assessor (QSA) designated by the PCI Security Standards Council. QSAs are specially trained professionals who know the ins and outs of protecting payments. Self-assessment questionnaires may be sufficient for smaller businesses, but larger ones must hire these certified assessors.

What is a PCI compliance check?

A PCI compliance check is much like a security health check-up on how you deal with credit card data. Everything is scrutinized, from your computer networks to how you train your staff. The check ensures you are complying with all 12 overarching security requirements established by the payment card industry, such as maintaining secure passwords and safeguarding stored card data.

What are the 4 levels of PCI compliance?

Level 1 applies to businesses that process more than 6 million transactions annually and requires the most rigorous checks. The second level includes those who process 1-6 million transactions. Level 3 targets companies that process 20,000 to 1 million online transactions. Level 4 is designed for small businesses that process fewer than 20,000 online transactions or up to 1 million regular transactions a year.

How to prepare yourself for the PCI DSS audit?

Begin by charting where all your credit card data goes in your business. Next, see if your policies align with PCI standards. Train your team on security fundamentals, write down all your processes and even run some test security scans. It’s like getting ready for a big inspection - you want to find any problems before the auditor does.

Who needs to be PCI compliant?

Every merchant that accepts, processes, stores, or transmits credit card data is required to be PCI compliant. That includes online sellers, restaurants, bricks-and-mortar merchants, and even service providers who assist in processing payments. The rules apply whether you process one credit card transaction a year or 10 million.

What happens if you fail a PCI audit?

Not passing a PCI audit can result in higher fees for processing, fines from credit card companies or loss of card processing. You might also be hit with more security monitoring and extra audits that will cost you money. The worst-case scenario would be if customer data were exposed and your reputation was damaged.

What are the most common PCI audit failures?

Businesses often get burned because they do not encrypt the card data they store or because they use weak passwords. Other common problems involve unpatched systems, poor network design, and insufficient security policies. Another common failure is neglecting to train employees regularly on security best practices.

How much does a PCI compliance audit cost?

The price is based on your business size and complexity, but it ranges widely. Small businesses might pay a few hundred dollars for self-assessments, while a full audit for a large firm could cost $50,000 or more. Ongoing support and security updates throughout the year contribute to the overall cost.

Can you automate PCI compliance processes?

Yes, much of PCI compliance can be automated. This includes running security scans regularly, monitoring system changes, recording employee training, and keeping security logs. Automation tools can help catch security issues early and ensure that nothing falls through the cracks in your compliance program.

What is the difference between a PCI audit and a self-assessment?

A PCI audit is an extensive, in-person analysis by a certified assessor who examines every part of your payment security. A self-assessment, by contrast, is more like a detailed checklist you complete yourself. Although both aim to ensure compliance, a formal audit is far more stringent and is required for larger businesses.

How long does a PCI compliance audit take?

A typical PCI audit may last anywhere from a few weeks to a few months. The timeline varies based on the size of your business, the complexity of your payment systems, and how well prepared you are. Small businesses that opt for self-assessments could finish in a matter of days.

About the Author

Amit is the CEO of Tallyfy. He is a workflow expert and specializes in process automation and the next generation of business process management in the post-flowchart age. He has decades of consulting experience in task and workflow automation, continuous improvement (all the flavors) and AI-driven workflows for small and large companies. Amit did a Computer Science degree at the University of Bath and moved from the UK to St. Louis, MO in 2014. He loves watching American robins and their nesting behaviors!
