Cyber security compliance audits are an integral part of securing your networks and systems against data theft and other cyber attacks. An audit is a process through which your information security policy, framework, and implementation are checked and tested to confirm that they meet the compliance standard you are held to. In this article, we'll go into greater detail on why audits are an important part of maintaining compliance, and how frequently you should be conducting them.
The Importance of Audits
Audits are a way for you to verify that you are maintaining compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security requirements that applies to every company that stores, processes, or transmits payment card data. Whether your business is large or small, if you handle payment card transactions then the PCI DSS applies to you. The standard was created to establish a common baseline of information security best practices in order to reduce the risk of cardholder data being compromised. These practices are accepted industry-wide and are treated by the card brands as a mandatory baseline for protecting systems and data from intrusion, attack, and theft.
A PCI DSS audit is conducted by a Qualified Security Assessor (QSA). A QSA is an independent firm that specializes in information security for the payment card industry. A company wishing to become a QSA must go through a rigorous qualification process with the Payment Card Industry Security Standards Council (PCI SSC), the industry body founded by the card brands that develops and maintains the PCI DSS (enforcement of the standard is left to the individual card brands and acquirers). Details of the QSA application process, the requirements a company must meet to gain QSA designation, and the training requirements for all QSA employees are published on the PCI SSC website. Many of the payment card brands also allow an internal auditor to conduct an on-site PCI DSS assessment. In these cases it is encouraged (or, for some brands, required) that the internal auditor hold the PCI SSC Internal Security Assessor (ISA) certification.
To understand why regular assessment matters for maintaining PCI DSS compliance, one has to look no further than the most recent large-scale data breaches. The Equifax breach of 2017 immediately comes to mind, which exposed the sensitive personal data of roughly 148 million people. The scope of that breach is hard to imagine, as is the fact that the intrusion went unnoticed for some time before it was detected. For today's companies handling sensitive cardholder data, the risks of not securing your systems are greater than ever before.
Outside threats continue to increase in complexity and effectiveness, while also becoming easier for less skilled criminals to use. The cost of failing to secure sensitive data and systems can be catastrophic, particularly for small businesses. A widely cited estimate holds that roughly 60% of small and medium-sized businesses that suffer a data breach cease operations within six months. This dispels the myth that information security is a priority only for large businesses. Cyber crime threatens businesses large and small, and mitigating the risk of a data breach requires strict, ongoing adherence to industry-accepted best practices.
For companies trying to figure out how to improve their cyber security, regular audits that verify PCI DSS compliance are a recommended first step. Because the risk landscape facing businesses of all sizes is constantly shifting, audits are an integral part of PCI DSS compliance and of maintaining the ongoing security of your information, networks, and systems.
Auditing Frequency
American Express
If you handle American Express transactions, the requirements for validating compliance with PCI DSS are determined by the number of American Express transactions you process per year.
Level 1
You are considered a Level 1 company if you handle 2.5 million or more American Express Card
Level 2
A merchant is considered Level 2 if it handles between 50,000 and 2.5 million American Express Card transactions per year. Service providers are considered Level 2 if they process fewer than 2.5 million transactions per year. Level 2 companies must complete a PCI DSS Self-Assessment Questionnaire (SAQ), have the results certified internally, and submit the completed questionnaire to American Express annually. Additionally, Level 2 companies must have an external network scan performed by an Approved Scanning Vendor (ASV) every 90 days and submit the results.
Level 3
There are two classes of Level 3 companies according to American Express: those that are considered Designated and those that aren't. Level 3 Designated companies must follow the same compliance rules as a Level 2 company. This means they must submit an annual PCI DSS SAQ and have an ASV conduct a quarterly scan of their network. For non-Designated Level 3 businesses the annual self-assessment and quarterly network scan are recommended rather than mandated. Although non-Designated Level 3 merchants don't need to submit documentation to American Express, they are nonetheless bound to maintain compliance with PCI DSS, which is why it is recommended that they complete an SAQ and ASV scans on the same timeline as Level 1 and Level 2 merchants.
Visa / MasterCard
Like American Express, Visa and MasterCard place merchants into tiers based on the volume of Visa or MasterCard transactions they process annually, whether debit, credit, or prepaid. Each level carries different validation requirements that merchants must meet in order to avoid penalties.
Level 1
A merchant is considered Level 1 by either card brand if it processes more than 6 million transactions annually, or if Visa or MasterCard otherwise designates it a Level 1 merchant. MasterCard also treats any merchant that has suffered a breach resulting in an Account Data Compromise (ADC) Event as a Level 1 merchant subject to the stricter Level 1 validation requirements. The 6 million transactions are counted across all channels, meaning e-commerce and card-present transactions both count towards the total. Level 1 merchants must file a Report on Compliance (ROC) annually. A ROC can be completed by a QSA or by an internal auditor; if it is produced internally, it must be signed off by an officer of the company. For Visa merchants it is encouraged that the internal auditor hold the PCI SSC Internal Security Assessor (ISA) certification; for MasterCard merchants the ISA certification is mandatory. In addition to the ROC, Level 1 merchants must have a quarterly network scan performed by an ASV.
Level 2
A merchant is considered Level 2 by Visa and MasterCard if it processes 1 to 6 million transactions across all channels annually. A Level 2 merchant must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually. Additionally, Level 2 merchants must have a network scan performed by an ASV quarterly.
Level 3
A Level 3 merchant processes between 20,000 and 1 million Visa or MasterCard e-commerce transactions annually. Each Level 3 merchant must complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance (AOC) annually. Additionally, each Level 3 merchant must have a network scan performed quarterly by an ASV.
Level 4
Visa and MasterCard consider merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants that process up to 1 million transactions annually, to be Level 4. Level 4 merchants are expected to complete a Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) annually and to have a quarterly network scan performed by an ASV, with the specific validation requirements set by the merchant's acquirer.
Discover
Level 1
Discover has three criteria, any one of which qualifies a merchant as Level 1. The first is processing more than 6 million transactions on the Discover network per year. The second is Discover determining that the merchant should meet the more stringent reporting and audit requirements of a Level 1 merchant. Lastly, if another payment brand or an acquirer classifies the merchant as Level 1, it must also meet Discover's Level 1 requirements. Level 1 merchants are required to have an on-site PCI DSS assessment performed annually by a QSA (or a certified internal auditor), and must submit an Attestation of Compliance (AOC) and a Report on Compliance (ROC). Each Level 1 merchant must also have network scans performed by an ASV quarterly, although the scan results don't have to be submitted.
Level 2
Discover considers merchants that process between 1 and 6 million transactions on the Discover network annually to be Level 2. Level 2 merchants must complete a PCI DSS Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance (AOC) annually, and must have network scans performed by an ASV quarterly.
Level 3
Merchants that process between 20,000 and 1 million card-not-present transactions (such as e-commerce) on the Discover network annually are considered Level 3. Level 3 merchants must follow the same requirements as Level 2 merchants.
Level 4
Any merchant that doesn't meet the criteria for the other levels is considered Level 4. Level 4 merchants must complete the PCI DSS Self-Assessment Questionnaire (SAQ) annually, but only merchants with a direct relationship with Discover are required to submit an Attestation of Compliance (AOC) each year. Additionally, Level 4 merchants are required to have a network scan performed by an ASV quarterly.
JCB
Non-physical transactions
Compliance with PCI DSS is required beginning April 1, 2018, for all merchants that perform card-not-present transactions with JCB cards. Merchants with more than 1 million JCB transactions annually must have an annual on-site assessment and quarterly security scans. Merchants with fewer than 1 million transactions must complete a PCI DSS Self-Assessment Questionnaire (SAQ) each year and conduct quarterly security scans.
Physical Transactions
Mandatory compliance for merchants that only perform card-present JCB transactions isn't required until April 1, 2020. The same JCB transaction thresholds, and the same corresponding validation requirements, apply as for card-not-present transactions.