It’s all about the plastic.
Even though we have more alternative electronic payment options than ever before, Americans prefer the credit card over any other payment mechanism. This means it’s relatively simple for businesses to charge their customers online and get paid using one of a variety of payment gateways — all they have to do is move information from one place to another to collect their revenue, and the internet makes this a simple task.
But this convenience simultaneously presents an obstacle: that data needs to be moved and stored safely. It should only be accessible by authorized entities, and should be kept far out of reach from malicious third parties. For enabling an entirely new era of transacting, online card payments also come with their own set of liabilities that can leave customer financial data vulnerable and a business’s reputation on the line.
This means your company, whether large or small, needs to be at the forefront of PCI compliance. A PCI compliance audit is an essential tool for helping you get there.
What is a PCI audit?
A PCI audit is a series of tests to confirm that a business is PCI compliant. If the audit finds that a company is less than fully compliant, it gives that company a clear roadmap of which holes to patch in order to achieve compliance.
“PCI” stands for “payment card industry,” and the major credit card companies banded together in order to define what it means to be “PCI-compliant.” They arrived at a set of security standards and best practices that companies have to stick to if they’re going to process payment information (or any other sensitive customer data) online. These are collectively known as the Payment Card Industry Data Security Standard (PCI DSS), and they were created by the PCI Security Standards Council (PCI SSC).
This set of best practices works to increase controls and protection around cardholder data while simultaneously reducing credit card fraud. That’s why it’s as important as it’s ever been for businesses to know where they stand on their PCI audit.
Passing a PCI audit calls for a multi-faceted approach
This is not a test you can cram for the night before. A PCI audit looks at the complete picture of how a business handles customer payment information. If the situation is dire the week before the audit, it’s probably not going to get much better before the auditor arrives; there are only so many things you can do to make a difference in that time. That’s why you need to make compliance an ongoing concern: it can’t be a simple box that you check once and forget about.
It’s good to start from the ground up by building a strong team that already understands the importance of PCI compliance. You would do well to title one of them something in line with “compliance manager,” making it clear that this person is at the top of the pyramid you’ve established in order to protect and maintain your compliance. Make sure the rest of the members of the team not only have specific responsibilities to this end, but that they are also accountable for them.
You should also know your own responsibilities, and identifying your business’s PCI level is a great first step. There are four different PCI levels (accordingly numbered one through four), and your level is merely a reflection of how many transactions your business processes in a year.
Level one is for the biggest companies, those that process more than six million transactions per year, so they have the highest bar to clear: they must supply a full Report on Compliance (ROC) in addition to an Attestation of Compliance (AOC). Merchants operating at levels two, three, and four must instead complete a lower-impact Self-Assessment Questionnaire (SAQ) annually.
Companies at different levels are subject to different rules and standards, but they always start by forming a picture of where they might be vulnerable to malicious attack.
Complete a risk assessment
Every step of PCI compliance is about reducing the risk of credit card breaches, but this is unfortunately a rather broad goal to aim for. To get there as effectively as possible, businesses need to map the relationship between their IT infrastructure and their payment processing systems. That way they can more clearly understand the threats and vulnerabilities that put these assets at risk.
These risk analyses do nothing less than paint a picture of the environment the business is already operating in: they should define its critical hardware and software assets, as well as the risk levels for each of them. This allows for a prioritized list of what actions to take and when. If you don’t know where you already stand, then you’re not going to know how to improve your position.
Document your procedures and processes
Every stable structure has a firm foundation. When it comes to the security of your business, its procedures and processes are that essential foundation. PCI assessors (as well as banks, credit card companies, or especially involved consumers) will want to see that you’ve taken the time and care necessary to put into writing how you keep sensitive information safe.
Have clear documentation that not only addresses how your company processes information in a secure fashion, but also describes the steps it continues to take to protect that security. This saves you the embarrassment of not having such documentation on hand when an assessor or other authority asks for it.
Identify your compliance gaps and fill them
Your audit will illuminate where your company’s PCI methods are falling short. But if the leadership has already taken the step of conducting its own audit ahead of a formal PCI audit, then that’s great news: it means it won’t be difficult to get authorization to spend any funds that might be necessary to solve potential problems and make overall improvements.
Once that remediation is complete, it might be worth engaging a Qualified Security Assessor (QSA) firm to conduct its own gap analysis. The QSA will review your security policies for accuracy and completeness, and guide you on what might be missing so that you can pass a full-scale assessment with flying colors.
PCI compliance is important, and the relevant authorities are distinctly invested in helping companies get there. This is not about collecting noncompliance fees with a “gotcha” moment, but about protecting consumer confidence in online credit card transactions. When customers trust online shopping, then they’re going to use their credit cards online more often.
So take the steps toward compliance and make it clear that customers can spend money with your business without any fear of negative repercussions or data breach. PCI compliance is a figurative merit badge that lets them know they can trust you with their valuable information.