Cyber security compliance audits are an integral part of securing your networks and systems against data theft and other types of cybercrime. An audit is a process through which your information security policy, framework, and implementation are checked and tested to ensure that they meet the standard you are required to comply with. In this article, we'll go into greater detail on why audits are an important part of maintaining compliance, and how frequently you should be conducting them.
The Importance of Audits
Audits are a way for you to ensure that you are maintaining compliance with the requirements put forth in the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements that applies to all companies that store, process, or transmit payment card data. Whether your business is large or small, if you handle payment card transactions then the PCI DSS applies to you. The PCI DSS was created to form a standardized set of common-sense best practices for information security in order to reduce the risk of cardholder data being lost or stolen. These best practices are accepted industry-wide and are considered a mandatory baseline for securing systems and data against external intrusion, attacks, and theft.
A PCI DSS audit is conducted by a Qualified Security Assessor (QSA). A QSA is an outside organization specializing in information security for the payment card industry. A company wishing to become a QSA must go through a rigorous qualification process with the Payment Card Industry Security Standards Council (PCI SSC), the standards body that develops and maintains the PCI DSS (enforcement is left to the individual payment brands). You can find out more details about the application process for QSAs, the requirements for a company to gain QSA designation, and the training requirements for all QSA employees here. Many of the payment card companies also allow an internal auditor to conduct an on-site PCI DSS assessment. In these cases, it is encouraged (or required) that the internal auditor obtain the PCI SSC Internal Security Assessor (ISA) certification.
The PCI DSS is a 139-page document that sets out the requirements to which companies that interact with cardholder data must adhere. Because of the extent and scope of the PCI DSS, compliance with the standard is not achieved at a single point in time; it is an ongoing process through which companies continually assess their information security policies, procedures, and practices. Maintaining PCI DSS compliance can seem daunting, but many of its requirements are simply common-sense cyber security controls put into an actionable format. PCI DSS compliance is really just the first step towards implementing a robust defense against data theft and intrusion.
To understand why regular assessment and scanning matter for maintaining PCI DSS compliance, one has to look no further than the most recent large-scale data breaches. The Equifax breach of 2017 immediately comes to mind, which resulted in the exposure of sensitive personal data for roughly 148 million people. The scope of this breach is hard to imagine, as is the fact that it went unnoticed for over two months before it was detected. For today's companies handling sensitive cardholder data, the risks of not securing your systems are greater than ever before.
Outside threats continue to increase in complexity and effectiveness, while the tools behind them become easier for less skilled criminals to use. The costs of failing to secure sensitive data and systems can be catastrophic, particularly for small businesses. A frequently cited figure is that roughly 60% of small and medium-sized businesses that suffer a data breach cease operations within six months. This dispels the myth that information security is only a priority for large businesses. Cybercrime threatens businesses large and small, and mitigating the risk of a data breach requires strict adherence to industry-accepted best practices on an ongoing basis.
For companies trying to work out how to improve their cyber security, regular audits to verify PCI DSS compliance are a recommended first step. Because the risk landscape facing businesses of all sizes is constantly shifting, audits are an integral part of PCI DSS compliance and of maintaining the ongoing security of your information, networks, and systems.
How Often Should You Audit?
The frequency with which you must validate compliance is set by the payment brands you work with (and your acquirer), not by the PCI SSC. The PCI SSC was founded by the payment brands American Express, Discover, JCB International, MasterCard, and Visa. Each payment brand (with the exception of Visa and MasterCard, which share the same requirements) has its own requirements for how merchants and service providers validate compliance with PCI DSS. In this section, we'll go over the requirements for each of these payment card brands so that you can gain a better understanding of what your company must do to maintain compliance.
American Express
If you handle American Express transactions, the requirements for validating compliance with PCI DSS are determined by the number of American Express transactions you process per year.
You are considered a Level 1 company if you handle 2.5 million or more American Express Card transactions per year, or if you've been specifically selected by American Express as a Level 1 business. Level 1 businesses must conduct an on-site security assessment annually. This assessment can be performed by a QSA, or it can be conducted internally as long as the results are signed off by a chief information security officer, chief financial officer, or chief executive officer. Additionally, each Level 1 business must have a network scan conducted quarterly by an Approved Scanning Vendor (ASV). The findings of the scan, or the ASV's Attestation of Scan Compliance (AOSC), must be submitted to American Express every 90 days.
A company is considered Level 2 if it handles between 50,000 and 2.5 million American Express Card transactions per year. Service providers are considered Level 2 if they process fewer than 2.5 million transactions. Level 2 companies must complete a PCI DSS Self-Assessment Questionnaire (SAQ), have the results certified internally, and submit the completed questionnaire to American Express annually. Additionally, Level 2 companies must have a network scan conducted by an ASV every 90 days and submit the results.
American Express divides Level 3 companies into two classes: those that are Designated and those that aren't. Level 3 Designated companies must follow the same validation rules as Level 2 companies: an annual PCI DSS SAQ and a quarterly ASV scan of their network. For non-Designated Level 3 businesses the annual self-assessment and network scan are recommended rather than required. Although non-Designated Level 3 merchants don't need to submit documentation to American Express, they are nonetheless bound to maintain compliance with PCI DSS, which is why they are advised to complete an SAQ and an ASV scan on the same timeline as Level 1 and Level 2 merchants.
Visa / MasterCard
Like American Express, Visa and MasterCard place merchants into tiers based on the volume of Visa or MasterCard transactions they process annually, whether debit, credit, or prepaid. Each level has its own validation requirements that merchants must meet in order to avoid penalties.
A merchant is considered Level 1 by either brand if it processes over 6 million transactions annually, or if it is identified by Visa or MasterCard as a Level 1 merchant. MasterCard also treats any merchant that has suffered a data breach resulting in an Account Data Compromise (ADC) Event as a Level 1 merchant that must meet the stricter Level 1 validation requirements. The 6 million transactions are counted across all channels, meaning e-commerce and card-present transactions both contribute to the total. Level 1 merchants must file a Report on Compliance (ROC) annually. A ROC can be completed by a QSA or by an internal auditor; if the ROC is completed internally, it must be signed off by an officer of the company. For Visa merchants, it is encouraged that the internal auditor hold the PCI SSC Internal Security Assessor (ISA) certification; for MasterCard merchants, it is mandatory. In addition to the ROC, Level 1 merchants must have a quarterly network scan conducted by an ASV.
A merchant is considered Level 2 by Visa and MasterCard if it processes 1 to 6 million transactions across all channels annually. A Level 2 merchant must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually. Additionally, Level 2 merchants must have a network scan performed by an ASV quarterly.
A Level 3 merchant processes between 20,000 and 1 million Visa or MasterCard e-commerce transactions annually. Each Level 3 merchant must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually, and must have a network scan performed quarterly by an ASV.
Visa and MasterCard consider merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants that process up to 1 million transactions annually, to be Level 4. Level 4 merchants must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually, and must also have a quarterly network scan conducted by an ASV.
Discover
Merchant validation and reporting requirements for businesses that process transactions on the Discover network can be found here, and Discover's criteria for merchant levels can be found here. These guidelines follow the same pattern as the other major payment brands. Additionally, any merchant that suffers a data security breach may be required to validate its PCI DSS compliance at a higher level.
Discover has three criteria that can qualify a merchant as Level 1. The first is processing more than 6 million transactions on the Discover network per year. The second is Discover determining that the merchant should meet the more stringent reporting and audit criteria of a Level 1 merchant. The third is another payment brand or acquirer already treating the merchant as Level 1, in which case it must meet Discover's Level 1 requirements as well. Level 1 merchants are required to have an on-site PCI DSS assessment performed annually by a Qualified Security Assessor (QSA); an ASV performs network scans, not on-site assessments. They must also submit an Attestation of Compliance (AOC) and a Report on Compliance (ROC). Lastly, each Level 1 merchant must have network scans conducted by an ASV quarterly, though the scan results don't have to be submitted.
Discover considers merchants that process between 1 and 6 million transactions on the Discover network annually to be Level 2 merchants. Level 2 merchants must complete a PCI DSS Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) annually, and must have network scans conducted by an ASV quarterly.
Merchants that process between 20,000 and 1 million non-physical (card-not-present) transactions on the Discover network annually, such as e-commerce, are considered Level 3 merchants. Level 3 merchants must follow the same requirements as Level 2 merchants.
Any merchant that doesn't meet the criteria for the other levels is considered Level 4. Level 4 merchants must complete the PCI DSS Self-Assessment Questionnaire (SAQ) annually, but only Discover Merchants must submit an Attestation of Compliance every year. Additionally, Level 4 merchants are required to have a network scan by an ASV conducted quarterly.
JCB
JCB changed its PCI DSS validation requirements beginning April 1, 2018. Previously, many of its validation requirements were recommendations; now compliance validation is mandatory. Details of the changes can be found on JCB's Data Security Program website. JCB categorizes merchants somewhat differently from the other payment brands, so it is helpful to look separately at the requirements for non-physical (card-not-present) transactions and for physical transactions made at a terminal.
Compliance validation is required from April 1, 2018, for all merchants that process non-physical transactions with JCB cards. Merchants with more than 1 million JCB transactions annually must have an annual on-site assessment and complete quarterly security scans. Merchants with fewer than 1 million transactions must complete a PCI DSS Self-Assessment Questionnaire (SAQ) each year and conduct quarterly security scans.
Mandatory validation for companies that only process physical JCB transactions isn't required until April 1, 2020. The same JCB transaction thresholds and corresponding validation requirements as for non-physical transactions apply.