What Is a PCI DSS Audit?

What is a PCA Compliance Audit?

Unlike a PCI assessment, which merchants can perform themselves, a PCI DSS audit can only be performed by a qualified security assessor (QSA). If you’re facing an audit, then you’re likely a large store doing so voluntarily, or a smaller merchant ordered to undergo one because of a recent data breach in your store. These audits are mandated by major credit card companies, and failure to comply can have dire consequences for your business.

Read on to learn what to expect from such an audit and how to prepare for it.

Top Reasons to Become PCI DSS Compliant

PCI DSS refers to Payment Card Industry Data Security Standards, and it is required for any store that accepts credit cards as payment. This applies both to stores that process credit cards, and stores that limit themselves to transmitting card data to third party payment gateways like PayPal and others. 

The case for “why PCI compliance” is two-fold:

1. The five major credit card companies on the PCI Council (Visa, MasterCard, American Express, Discover, JCB) say it is.
2. PCI-compliant merchants are more effective at protecting their customers’ data than merchants that are non-compliant. 

Or, as a third argument for the merchants unmoved by the first two: PCI DSS helps prevent breaches, and breaches cause downtime and lost revenue. 

For a more detailed breakdown of PCI compliance, see How Nexcess Helps Your Store Stay PCI Compliant.

PCI DSS Risks

Only 29 percent of companies remain compliant a year after their initial validation because they pass once, then drift into complacency.

Annual assessments are a required component of PCI compliance for every merchant, regardless of level. For smaller merchants, audits are usually the consequence of a data breach and a mandate from a major credit card company or bank.

It may be tempting to wonder about the consequences for non-compliance, or to just pay it lip service. Some might resent what they perceive as the credit card’s stranglehold on ecommerce. Others might just “have better things to do with my time, like run my business.”

What’s the worst that could happen?

The short answer is non-compliant merchants can be breached, audited, fined, and suffer damage to their brand reputation. The longer answer is although PCI compliance is required, it’s the beginning of security, not the end. Consider it as the “minimum acceptable standard” for securing your customers’ data.

How Much Does a PCI Audit Cost?

On average, a typical PCI audit for a smaller merchant costs about $15,000. This adds to other factors influencing PCI DSS certification cost, which usually relate to infrastructure and paying qualified personnel to apply and maintain best practices of data security. While this is not insignificant, the cost of ignoring compliance is far greater.

Beyond ethical concerns, failure to comply can result in:

• Fines by credit card companies ranging between $5000—$100,000
• Security breaches, which often involve downtime to resolve
• Legal action by endangered customers and third parties
• Damaged reputation and loss of consumer trust
• Loss of revenue
• Federal audits

Fines for stores that aren’t PCI compliant can be anywhere between $5000 and $100,000. So it’s important that you maintain compliance 100% of the time.

How Does a PCI DSS Audit Work?

If you’re facing an upcoming PCI DSS audit, then you’re likely either a level 1 merchant with more than 6 million credit card transactions per year, or a merchant from lower PCI compliance levels (2–4) that suffered a recent data breach. 

Credit card companies and banks stand to lose money from these breaches. If your store has been breached, they may view your store as a potential liability and forbid the use of their credit card in your store unless you can demonstrate PCI compliance by passing the audit. The central goal of the audit is to find non-compliance, provide guidance on how to fix it, and verify you’ve addressed any and all issues. 

The first step is finding a Qualified Security Assessor (QSA) to perform the audit. Only QSAs are licensed to perform the audits, as these organizations are certified by the PCI council to understand their data security standards. 

The simplest way to find a QSA is by choosing one from the list on the PCI website. As with any service, it is usually wise to talk to a few, as not all are created equal. Never hire a company claiming to be a QSA if not present on the PCI list; these companies are either outsourcing your request, or planning to sell you other services. 

Once onsite, the auditor will assess multiple areas of your business. As you might expect, this includes your cardholder data environment (CDE), defined as any device, component, network, or application that stores, processes, or transmits cardholder data. It also includes your policies and procedures surrounding your use of these systems.

PCI Audit Requirements

• Transparency and cooperation
• Completed PCI audit checklist
• Understanding of current PCI DSS
• Your printed copy of your Report on Compliance (ROC) from the previous year
• Evidence of quarterly scanning and penetration testing
• Evidence of regular event log checks
• Documentation on how you handle third party vulnerabilities

Remember: the role of the PCI auditor is to prevent the compromise of cardholder data, not to punish your company. As long as you’re cooperative and vested, the auditor will explain where you need to improve and help you do it. To execute these changes efficiently, consider appointing a compliance leader within your organization. This individual takes responsibility for compliance efforts, but also should have the authority to compel change across your team.

9 Common PCI Mistakes Revealed by PCI Audits

If you care enough about PCI compliance to read this article, then you’re on the right track. Following are nine common mistakes for merchants undergoing audit, though your experience may vary according to your business needs and PCI compliance level. 

Hiring a PCI compliant hosting provider like Nexcess will go a long way toward preventing these mistakes, but it’s not a magic bullet. Merchants must do their part as well, but most hosting providers can assist you in this task.

An easy way to boost your PCI compliance is by using a PCI compliant host like Nexcess. 

Reminder: CDE, or cardholder data environment, refers to any device, component, network, or application that stores, processes, or transmits cardholder data.

Unnecessary storage of credit card data 

As a general rule, you should take every reasonable step to avoid storing credit card data, and never store CVV numbers for any reason. Many merchants choose to store data to accelerate their customers’ checkout process without fully understanding the implications for compliance. Don’t be one of them.

Failure to separate the CDE network from rest the organization’s IT infrastructure

The key phrase to remember in PCI-compliance and access to cardholder data is “as-needed.” Make it your mantra. This applies more so to sub-networks within your organization. When applied to your network, it is known as “network segmentation,” though it usually applies to sub-networks within your organization. Sub-networks used for internal office communications should have no access—direct or indirect—to the sub-networks with access to the CDE.

Failure to restrict access to the CDE to only those employees that need it 

Once again, only employees needing access should have it. This refers both to physical access to areas housing devices within the CDE, but also permissions and passwords.

Insufficient training and security awareness

This extends to your team as well as yourself. If you employ a team, consider appointing someone as a Compliance Officer to take responsibility for training efforts, and give them enough authority to get the job done.

Weak password security policy

Passwords to any system within the CDE should be unique, complex, and never shared between employees. Password managers like LastPass, Zoho, 1Password, and many others are invaluable for safely generating and storing complex passwords. If your team isn’t using one, then it’s a red flag for your security practices. Two-factor authentication for any CDE system is likewise essential, whether Google Authenticator, Duo, or something similar.

Don’t wait for your PCI compliance to lapse, jump into it and perform your own audit first. 

Missing web application firewall (WAF) 

A web application firewall (WAF) identifies and interrupts malicious activity and exploits. Most merchants don’t use one in their infrastructure. You can pass a PCI assessment without, but it requires a code audit any time you make changes to your application (Magento, WordPress, and so on). Most hosting providers can provide a WAF solution, or you can use a cloud-based one, which will increase security and simplify PCI compliance.

Inadequate network activity logs 

A network log is a record of events, and is crucial for identifying and tracking the efforts of bad actors attempting to gain access. Again, if you’re a level 1 merchant that processes millions of credit card transactions per year, you’re an inviting target and likely have a network administrator in place. If you’re not a Level 1 merchant and you’re facing audit, then it means you were recently breached 

Missing or poorly configured firewalls and routers 

The security of a network firewall (not to be confused with web application firewall) or router is only as good as the person configuring it. Know your stuff or employ someone that does.

Unclear or outdated security incident response procedures 

Whether you use Magento, WooCommerce, or any other platform, you or your system administrator should take great pains to stay current on the latest vulnerabilities. Have a plan to respond to exploits when—not if, but when—they occur.

Don’t Wait for Your Audit to Get Started

As a final point, never forget that PCI compliance is an ongoing effort. Annual audits are only one component of compliance, but a proactive approach with upcoming changes to your CDE will often pay dividends. Engage your QSA about these changes well before they happen, as they can provide sage advice about maintaining compliance. 

For guidance with PCI compliance, contact our sales team between 9 a.m.–5 p.m. eastern time, Monday to Friday.