ZenGRC

Simply Powerful GRC

PCI Compliance Checklist for Audits

· ·

The PCI Security Standards Council (PCI SSC) established PCI DSS as a framework for merchants and service providers to use in securing credit card and cardholder data from a breach.

Annual audits to document your compliance with the Payment Card Industry Data Security Standard (PCI DSS), however, can be nerve-wracking and expensive. Preparing for that first audit alone can take two years and cost $50,000 or more. 

Avoid headaches and costly remediation: Follow these steps to prepare for your PCI DSS audits, by creating a PCI Compliance Checklist that fits your business operations and demonstrates your compliance.

What are the levels of PCI compliance?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The levels of PCI compliance are based on transaction volumes and are set to differentiate the assessment requirements for merchants.

Here are the primary levels of PCI compliance for merchants:

1. Level 1:

  • Merchants processing over 6 million Visa transactions annually (all channels) or global merchants identified as Level 1 by any Visa region.
  • Requirements:
    • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) – or – internal auditor if signed by an officer of the company.
    • Quarterly network scan by Approved Scan Vendor (ASV).
    • Attestation of Compliance Form.

2. Level 2:

  • Merchants processing 1 million to 6 million Visa transactions annually (all channels).
  • Requirements:
    • Annual Self-Assessment Questionnaire (SAQ).
    • Quarterly network scan by ASV.
    • Attestation of Compliance Form.

3. Level 3:

  • Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  • Requirements:
    • Annual SAQ.
    • Quarterly network scan by ASV.
    • Attestation of Compliance Form.

4. Level 4:

  • Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  • Requirements:
    • Annual SAQ recommended.
    • Quarterly network scan by ASV if applicable.
    • Compliance validation requirements set by the acquirer.

For Service Providers, there are also defined levels:

1. Level 1:

  • All VisaNet processors (members and non-members) and all payment gateways.
  • Requirements:
    • Annual ROC by QSA.
    • Quarterly network scan by ASV.
    • Attestation of Compliance Form.

2. Level 2:

  • Any service provider that is not in Level 1 and stores, processes, or transmits more than 1 million Visa transactions annually.
  • Requirements:
    • Annual SAQ.
    • Quarterly network scan by ASV.
    • Attestation of Compliance Form.

Note: The specifics can change over time, and other card brands (like MasterCard, Discover, American Express, etc.) have similar but sometimes slightly different criteria. Always refer to the official PCI Security Standards Council documentation or consult with a PCI professional when assessing compliance requirements.

Your PCI Compliance Audit Checklist

A PCI Compliance Audit Checklist is a valuable tool that guides organizations in preparing for and undergoing a PCI DSS audit. The checklist covers the key requirements and control objectives of the PCI DSS. Here is a condensed version of such a checklist:

1. Build and Maintain a Secure Network

  • 1.1: Use firewalls to protect cardholder data.
  • 1.2: Properly configure routers and switches.
  • 1.3: Prohibit direct public access and protect the perimeter.
  • 1.4: Implement a DMZ to filter and screen traffic.
  • 2.1: Change default passwords and other default security parameters.
  • 2.2: Harden system configurations for security.
  • 2.3: Encrypt administrative access for non-console access.

2. Protect Cardholder Data

  • 3.1: Restrict cardholder data storage and retain only what’s needed.
  • 3.2: Do not store sensitive authentication data after authorization.
  • 3.3: Mask PAN (Primary Account Number) when displayed.
  • 3.4: Render PAN unreadable anywhere stored.
  • 3.5 & 3.6: Protect keys and manage cryptographic architecture.

3. Maintain a Vulnerability Management Program

  • 5.1: Deploy and update anti-virus solutions.
  • 5.2: Ensure anti-virus programs run regular scans.
  • 6.1: Establish a process to identify and apply security patches.
  • 6.2: Secure applications and systems against known vulnerabilities.

4. Implement Strong Access Control Measures

  • 7.1: Restrict access based on a need-to-know basis.
  • 7.2: Establish access controls.
  • 8.1: Assign unique IDs to each person with computer access.
  • 8.2: Use strong cryptographic measures for passwords.
  • 8.3: Implement MFA (Multi-Factor Authentication) for remote access.

5. Regularly Monitor and Test Networks

  • 10.1: Track and monitor access to network resources and cardholder data.
  • 10.2: Implement automated audit trails.
  • 10.3: Record specific data points in logs.
  • 10.4: Synchronize critical system clocks.
  • 10.5: Secure audit logs.
  • 10.6: Review logs daily and audit logs periodically.
  • 11.1: Implement a process to test security controls.
  • 11.2: Conduct vulnerability scans and penetration tests.

6. Maintain an Information Security Policy

  • 12.1: Create, publish, maintain, and disseminate a security policy.
  • 12.2: Implement a risk assessment process.
  • 12.3: Develop usage policies for critical employee-facing technologies.
  • 12.4: Assign responsibility for information security.
  • 12.5: Establish security management responsibilities.
  • 12.6: Implement an information security awareness program.

This checklist is a general overview and might not cover every specific detail or requirement for each organization. Always refer to the official PCI DSS documentation or consult a PCI professional when preparing for an audit.

Who Needs a PCI DSS Audit?

All merchants and service providers who accept credit cards or process, transmit, or credit card data must comply with PCI DSS or face fines of up to $100,000 per year. In some egregious cases, you can even lose credit-card processing privileges. 

Not everyone needs an audit, however. Recognizing that different entities have different levels of data security risk, the PCI SSC created four compliance levels for merchants and two for service providers who handle credit card transactions

Level 1 organizations must demonstrate PCI DSS compliance by procuring an on-site audit from a Qualified Security Assessor (QSA) or PCI-certified Internal Security Assessor, who will then file a Report on Compliance (ROC) with the acquiring bank.

Level 1 enterprises include:

  •   Merchants that process 1 million or more in-store and e-commerce payment card transactions annually, depending on which cards they accept
  •   Service providers that process, store, or transmit data from more than 300,000 payment cards per year
  •   All enterprises that have experienced a security breach that resulted in the compromise of credit card or cardholder data

Those in Levels 2, 3, and 4 may be able to complete a self-assessment questionnaire (SAQ) and Attestation of Compliance (AOC) in lieu of the audit and ROC.

How do you conduct a PCI audit?

Conducting a PCI DSS audit requires a structured approach to ensure that all areas of the Payment Card Industry Data Security Standard (PCI DSS) are adequately addressed. It’s important to remember that if you’re looking to be officially validated as compliant, you must work with a Qualified Security Assessor (QSA) for a full assessment. Here’s a step-by-step guide on conducting a PCI audit:

1. Scope Determination:

  • Identify all systems, networks, and processes where cardholder data (CHD) is stored, processed, or transmitted. This includes, but is not limited to, databases, servers, networks, point-of-sale devices, and even paper records.
  • Remember that reducing the scope can simplify the audit. Consider strategies like segmenting your network to ensure CHD isn’t unnecessarily exposed to wider parts of the organization.

2. Engage a Qualified Security Assessor (QSA):

  • If your business requires a formal PCI DSS assessment, you’ll need to hire a QSA. They will conduct the audit and sign off on the Report on Compliance (ROC).

3. Pre-Assessment:

  • Conduct a gap analysis to identify areas where you might not meet PCI DSS requirements. This helps focus remediation efforts before the formal audit begins.

4. Document Policies and Procedures:

  • PCI DSS requires documented policies and procedures for various aspects of information security. Ensure these are up-to-date and relevant. They should cover areas like data retention, access controls, incident response, etc.

5. Conduct the Audit:

  • Using the PCI DSS requirements as a guide, the QSA will evaluate your controls and processes.
  • They’ll review system configurations, examine security policies, perform vulnerability scans, test security systems, and interview staff.
  • Ensure all necessary documentation, such as network diagrams, data flow diagrams, and policies, is available for the QSA.

6. Remediation:

  • If gaps or non-compliant areas are identified, you’ll need to address these before achieving compliance. This may involve changes to systems, policies, or procedures.
  • After remediation, a re-test of the non-compliant areas will be required.

7. Report on Compliance (ROC) & Attestation of Compliance (AOC):

  • Once all areas are compliant, the QSA will compile a ROC detailing the findings and confirming compliance.
  • The Attestation of Compliance is a form where the assessor and the company attest to the accuracy of the audit.

8. Submit Documentation:

  • Provide the ROC, AOC, and any other required documentation to your acquiring bank and/or the card brands as needed.

9. Maintain Compliance:

  • Compliance is an ongoing process. Regularly review and test your systems and processes to ensure they remain compliant.
  • You’ll need to revalidate your compliance annually, which might involve another audit or a Self-Assessment Questionnaire (SAQ), depending on your transaction volume and storage methods.

10. Ongoing Monitoring and Testing:

  • Implement regular vulnerability scans and annual penetration tests as required by the standard.
  • Regularly monitor logs and alerts to detect and respond to security incidents.

Remember, the primary goal of PCI DSS is to protect cardholder data. The audit process, while rigorous, is designed to ensure that organizations are taking the necessary precautions to secure this sensitive information. Always stay updated with the latest version of PCI DSS, as requirements can evolve.

5 Key Steps of a PCI Audit

It’s crucial to understand that PCI DSS compliance is an ongoing process, not a one-time event. Organizations should continuously monitor and adjust their controls, processes, and systems to maintain compliance and ensure the security of cardholder data. Regularly scheduled reviews, scans, and assessments are essential to this continuous compliance effort. While the entire process can be quite detailed, we can condense it into five key steps for a clearer high-level overview:

1. Scope Determination:

  • Objective: Identify the systems, networks, processes, and any third-party services involved in storing, processing, or transmitting cardholder data (CHD).
  • Actions:
    • Map out data flows to understand how cardholder data moves within your environment.
    • Segment networks to isolate the cardholder data environment (CDE) from other systems, reducing the scope and complexity of the audit.

2. Pre-Assessment & Gap Analysis:

  • Objective: Understand your current state of compliance and identify areas of non-compliance.
  • Actions:
    • Review the PCI DSS requirements against your current controls and practices.
    • Identify and document gaps or areas that need remediation.

3. Remediation:

  • Objective: Address and fix identified gaps to meet PCI DSS requirements.
  • Actions:
    • Modify processes, implement new controls, or update systems to ensure compliance.
    • Re-assess and re-test remediated areas to confirm that they now meet the necessary requirements.

4. Formal Assessment:

  • Objective: Conduct a thorough review of the organization’s adherence to PCI DSS by a Qualified Security Assessor (QSA) or via a Self-Assessment Questionnaire (SAQ) for certain organizations.
  • Actions:
    • Provide required documentation (network diagrams, policies, procedures) to the QSA.
    • Undergo vulnerability scans and, if necessary, penetration tests.
    • Collaborate with the QSA during the audit, which may include interviews, system reviews, and evidence collection.

5. Documentation & Submission:

  • Objective: Validate and attest to the organization’s compliance with PCI DSS.
  • Actions:
    • Receive the Report on Compliance (ROC) from the QSA detailing the organization’s compliance status.
    • Complete the Attestation of Compliance (AOC) to formally attest to your compliance state.
    • Submit the ROC, AOC, and any other required documents to the acquiring bank and/or relevant card brands.

Cybersecurity and PCI compliance management tools

As you forge a path for your business through the pandemic and our highly regulated, highly interdependent world, many tools can help keep your business stay competitive while keeping cybersecurity and compliance top priorities. Various cybersecurity and PCI compliance management tools can help organizations maintain a secure environment, meet PCI DSS requirements, and manage the compliance process more effectively. It is important to choose the best tool for your business, preferably one that helps with compliance as well.

Manage Your PCI Compliance with ZenGRC

ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow but also lets you find areas of high risk before those risks manifest as real threats. 

Worry-free compliance management is the Zen way. For more information on how ZenGRC can enable your CMS, schedule a demo.