Understanding PCI compliance auditing

A step-by-step guide of what a compliance audit entails

Businesses of all sizes must undertake PCI compliance auditing to ensure that their customers' data is protected during credit or debit card transactions and if stored within any internal business databases.


A classification system based on the number of transactions that a business processes each year sorts businesses into levels. Established businesses with a large number of transactions will fall into the higher levels and are most likely well versed in this audit process; a business classified as Level 1 (having more than 6 million credit card transactions per year) will probably have participated in the annual audit as part of the PCI (Payment Card Industry) Data Security Standards. However, a Level 4 business (having less than 1 million credit card transactions per year) preparing to participate in their first audit may find it a little daunting.

If you're feeling that PCI auditing is complicated and you're a little overwhelmed with it, then getting to grips with what this type of audit is may be the first step toward putting your mind at ease.

In the simplest terms, PCI auditing is a process carried out by a qualified auditor to establish whether or not a business is compliant with security standards relating to the processing of transactions made via a credit or debit card (payment card).

PCI compliance auditing is a process whereby your business's point-of-sale system is assessed. The purpose of this is threefold: (1) to examine your system, (2) to identify vulnerabilities, and (3) to prevent data from being compromised.

The following list is a step-by-step outline of what a compliance audit involves:

  • All credit card data are sensitive in nature, so when you intend to build a compliance audit program, it is important that you find a qualified security assessor (QSA), who is approved by the PCI SSC (Payment Card Industry Security Standards Council), to conduct the audit.

    The initial work of the QSA involves evaluating your security infrastructure and procedures, policies, networks and systems. When done, the QSA will submit to you a risk assessment.

  • The risk assessment will be the foundation for improving your data security. The QSA will give advice on conducting staff training in security awareness, so that all your employees have the knowledge and skills needed to meet current PCI standards and regulations.

  • Following a risk assessment review, any vulnerabilities found will be ranked and prioritised according to seriousness, so you will know which areas need to be addressed first. The focus of this is to improve your data security standards.

  • Any problems identified in the audit should be addressed, and the QSA who conducted the audit can manage this process, or act as a consultant giving advice on improving your PCI compliance. If you have a high level of compliance already, then you may not need to do much to prepare for the audit. If you've never been audited, then addressing any issues that have arisen will ensure that the audit goes smoothly. If your organisation has previously been exposed to a breach, then an audit will give you guidelines to follow to avoid future security breaches.

PCI compliance auditing helps businesses to ensure they are providing the most secure environment for their customers to process payments, and that transactions don't result in a compromise of the customers' data.

Ensuring that you have PCI compliance and a solid infrastructure for managing data security will increase customer confidence in your business and ensure that you're not exposed to security breaches that could have been avoided.
