Managing Your PCI Audit (Part 2)
Welcome back to our Managing Your PCI Audit & Compliance Blog! By Michael Nelson – PCI Practice Manager
See here for Managing your PCI Audit & Compliance blog part 1
By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but now when do you schedule the on site visit for the QSA? The answer is simple; once the organization is prepared. As discussed prior in Managing Your PCI Audit (Part 1), without appropriate preparation the PCI audit process can rapidly deteriorate.
Now this may seem shocking, but it is not unusual for some very large organizations, and smaller ones too, to not understand or have documented all of the ways in which the company accepts and processes credit card information. For the purpose of this blog lets assume your company does know and has documented comprehensive credit card information flows throughout the network. We will detail these requirements in a later blog.
From the large organization and data center to the mid level business, assigning the key participants for the PCI audit is crucial and must occur before scheduling the onsite review with your QSA. Key stakeholders depending on the size and complexity of the company may include among others:
- Infrastructure Engineering
- Systems Administration
- Applications Development
- Information Security
Coordinating with the appropriate resources from the participating departments and discussing the upcoming PCI audit is key. This includes making certain participants are informed of their roles, time requirements and availability requirements. Once complete, it is time to reach out and schedule the QSA.
Request that your QSA send an itinerary and schedule one-week prior to arrival. This will help set schedules and necessary arrangements for your key personnel. Depending on your company size and complexity the QSA may be onsite for a week or more.
Once onsite the QSA will want to schedule a meeting to coordinate activities, meet the key participants, layout the schedule, establish management rapport, and answer any questions. It is important that your key participants are effective communicators and clear on their roles. As the main point of contact for the organization you should plan on dedicating your time to participate in all QSA meetings and interviews.
I would like to point out that almost all QSA firms (an auditor) also offer PCI consulting (advisor). This is however a very fine line to have one firm in both the role of advisor and auditor. It is best to separate these functions obtaining a PCI consultant to advise your company on identifying the necessary actions to achieve compliance and a QSA to measure the organizations compliance.
A typical QSA itinerary might be as follows:
- Project kickoff meeting
- Network Diagram and CDE review
- Credit card flow review
- Key Personnel Interviews
- Supporting documentation review
- Remediation review
Always remember that while the QSA is providing the itinerary you the customer need to maintain control. Participating in all meetings and interviews will eliminate audits going off track and insure that each key participant is focused on their area of responsibility and expertise and maintain the scope as defined in the organizations pre-assessment meetings. I cannot stress enough that preparation, knowledge and management oversight are key to an effective and efficient audit.
In my next blog I will go into details an exactly what needs to be done around Network Diagrams, Credit Card Flow, and Documentation. Until then contact us here to see how we can advise your organization on reaching PCI Compliance. See you soon!