
Preparing for a PCI audit is a marathon, not a sprint

Payment Card Industry (PCI) compliance is growing in rigor and scope as online and mobile card transactions evolve. The PCI Data Security Standard (PCI DSS) aims to protect consumer card data by giving businesses a defined set of requirements and guidance for securing the systems that store, process or transmit it.

But the reality of implementing these standards is where the rubber meets the road for many businesses: they have to validate their processes and procedures through an annual PCI audit. Getting ready for a PCI audit is akin to training for a marathon. It takes months of preparation and hard work long before the day of the big event. Remaining compliant is like a marathon that never ends; it needs focus 24/7/365.

It all starts with knowing your PCI environment. What operating systems do you run, and how many instances of each? What policies are in place to manage those systems? How many staff and third-party vendors are involved in managing and maintaining them? These and many similar questions must be answered before anything else.

The next step is to create or update your business' network diagram. PCI compliance requires an accurate diagram of the system connections to card data. The diagram needs to show how cardholder data enters your network, which systems that data touches as it is processed, and the points at which cardholder data may leave the network, such as a flow to a payment processor. A Qualified Security Assessor (QSA) will want to see exactly where and how card data flows through your networks, devices and system components, and every connection between the cardholder data environment and other networks.

It's also essential that the leadership of your business knows what to expect. If this is your first PCI audit, consider doing a pre-assessment with a QSA so that all stakeholders (e.g. head of security, head of compliance, head of operations, head of development, head of legal) understand the process and policies. At the very least, download the PCI DSS self-assessment questionnaire to give you and your team a starting point for how to prepare. The questionnaire will prompt you to evaluate everything from which card brands you accept and the number of transactions per year to the number of firewalls and routers you have and how many external and internal IP addresses are in your network. The bottom line is that you need to know your system before you start the audit process.

Then there's the looming uncertainty of whether your network and systems are in fact secure. Don't be caught by surprise. PCI DSS requires an annual risk assessment that identifies critical threats and vulnerabilities. To meet this requirement, conduct an internal examination of your systems, processes and procedures, as well as a full risk assessment to find system vulnerabilities, before the audit. Then you can correct any findings and prioritize IT security improvements by the threats they address.

Preparing for an audit is a lot of work. There are many security requirements to meet and policies to implement, and you have to make sure your business' day-to-day practices actually match those policies. A third-party vendor such as ZZ Servers can help with security measures like firewall controls, security standards, data encryption, log monitoring and log archiving. Before the audit process overwhelms you, remember that help is available to kick off the preparation, saving time and stress along the way.
