<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Managing Audits</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/managing-audits/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Mon, 14 Nov 2011 02:28:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Managing Your PCI Audit (Part 2)</title>
		<link>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 11:15:35 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=606</guid>
		<description><![CDATA[Welcome back to our Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager See here for Managing your PCI Audit &#38; Compliance blog part 1 By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but now when do you schedule the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Welcome back to our Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>See here for <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/" target="_self">Managing your PCI Audit &amp; Compliance blog part 1</a></p>
<p>By now your organization has chosen a Qualified Security Assessor (QSA) who will be performing PCI compliance assessments, but when do you schedule the on-site visit for the QSA? The answer is simple: once the organization is prepared. As discussed in Managing Your PCI Audit (Part 1), without appropriate preparation the PCI audit process can rapidly deteriorate.</p>
<p>Now this may seem shocking, but it is not unusual for some very large organizations, and smaller ones too, to not understand or have documented all of the ways in which the company accepts and processes credit card information.  For the purpose of this blog let's assume your company does know and has documented comprehensive credit card information flows throughout the network.  We will detail these requirements in a later blog.</p>
<p>From the large organization and data center to the mid-level business, assigning the key participants for the PCI audit is crucial and must occur before scheduling the onsite review with your QSA.   Key stakeholders, depending on the size and complexity of the company, may include among others:</p>
<ul>
<li>Management</li>
<li>Infrastructure Engineering</li>
<li>Systems Administration</li>
<li>Applications Development</li>
<li>Information Security</li>
</ul>
<p>Coordinating with the appropriate resources from the participating departments and discussing the upcoming PCI audit is key.  This includes making certain participants are informed of their roles, time requirements and availability requirements.  Once complete, it is time to reach out and schedule the QSA.</p>
<p>Request that your QSA send an itinerary and schedule one week prior to arrival. This will help set schedules and necessary arrangements for your key personnel.  Depending on your company size and complexity the QSA may be onsite for a week or more.</p>
<p>Once onsite the QSA will want to schedule a meeting to coordinate activities, meet the key participants, lay out the schedule, establish management rapport, and answer any questions.   It is important that your key participants are effective communicators and clear on their roles.  As the main point of contact for the organization you should plan on dedicating your time to participate in all QSA meetings and interviews.</p>
<p>I would like to point out that almost all QSA firms (an auditor) also offer PCI consulting (advisor).  It is, however, a very fine line to have one firm in both the role of advisor and auditor.  It is best to separate these functions, obtaining a PCI consultant to advise your company on identifying the necessary actions to achieve compliance and a QSA to measure the organization's compliance.</p>
<p>A typical QSA itinerary might be as follows:</p>
<ul>
<li>Project kickoff meeting</li>
<li>Network Diagram and CDE review</li>
<li>Credit card flow review</li>
<li>Key Personnel Interviews</li>
<li>Supporting documentation review</li>
<li>Remediation review</li>
</ul>
<p>Always remember that while the QSA is providing the itinerary, you, the customer, need to maintain control. Participating in all meetings and interviews will keep the audit from going off track, ensure that each key participant is focused on their area of responsibility and expertise, and maintain the scope as defined in the organization's pre-assessment meetings. I cannot stress enough that preparation, knowledge and management oversight are key to an effective and efficient audit.</p>
<p>In my next blog I will go into details on exactly what needs to be done around Network Diagrams, Credit Card Flow, and Documentation. Until then contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to see how we can advise your organization on reaching PCI Compliance.  See you soon!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Managing Your PCI Audit (Part 1)</title>
		<link>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/</link>
		<comments>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 15:37:31 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Managing Audits]]></category>
		<category><![CDATA[PCI Compliance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=475</guid>
		<description><![CDATA[Managing Your PCI Audit &#38; Compliance Blog! By Michael Nelson – PCI Practice Manager PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards. According to the PCI Security Standards Council “All merchants, whether small or large, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Managing Your PCI Audit &amp; Compliance Blog!</strong> By Michael Nelson – PCI Practice Manager</p>
<p>PCI DSS compliance has now become a household name for security and IT departments worldwide, potentially having significant impact on those organizations that store or process credit cards.  According to the PCI Security Standards Council <strong><em>“All merchants, whether small or large, need to be PCI compliant.”</em></strong></p>
<p>While the security requirements are the same for all covered organizations, the method of proving compliance depends on the number and value of annual credit card transactions.  For merchants processing more than 6 million transactions a year, this means an on-site audit by a Qualified Security Assessor (QSA).  For more information on PCI DSS please visit <a href="https://www.pcisecuritystandards.org" target="_blank">https://www.pcisecuritystandards.org</a>.</p>
<p>For many organizations the term “PCI Audit” seems to be shrouded in mystery.  Having facilitated many PCI audits for large organizations, I have probably been asked every question imaginable in regards to PCI.  What exactly is involved? What is my Cardholder Data Environment?  How much information must I provide?</p>
<p>As an adviser I have always tried to impress upon my clients the need to understand and proactively manage the PCI Audit process, and in particular to be prepared for onsite interviews by the QSAs.  Many of the staff members that the auditor will be interviewing (e.g. office PC users, call center operators, systems administrators) may view the auditor either as an adversary, from whom as much information should be withheld as possible, or as a friend, to whom all information should be provided when requested.  In fact, neither of these positions is appropriate and both can lead to trouble for the organization being audited.</p>
<p>Proactive PCI Audit management is the cornerstone to a successful audit process.  While many businesses simply do not have the time, staff, or trained personnel to prepare for all aspects of a PCI audit, I recommend finding qualified external resources to help the organization down this path.  It is important to remember that while most QSAs are reasonable and professional organizations they are not employees and maintain significantly different roles, responsibilities, and organizational insight.</p>
<p>Managing the PCI audit carefully will help reduce time, costs, and operational impacts to the organization.  At a minimum audit management will refine the scope and keep answers to audit questions on point.  Keys to a successful audit and meaningful results are to appropriately prepare staff, set expectations, and sharpen scope.   Expert resources to manage the process can add significant benefit to the organization and potentially reduce the cost of compliance.</p>
<p>The PCI audit process consists of many areas, however we will be focusing on the “on-site Interview” portion.  The first step in the onsite interview is preparation. Once you have chosen your QSA find out exactly when the auditor will be on site, what activities the auditor will be conducting, and what documentation they will require.  Knowing all of this will help you to understand exactly what level of detail the auditor is looking for, as well as which team members will be asked to take part in onsite interviews.  Make sure to schedule the auditor’s on-site presence when there is the minimum impact on your business operations.</p>
<p>PCI audits may become less effective and minimally productive due to a lack of preparation on the client side.  Inappropriate preparations may lead to a host of issues including the over-exposure of information, withholding or attempts to hide information by well-intended but ill-advised staff, as well as inaccurate or inconsistent answers.   These issues among others can cause significant problems and expense down the road for the organization under audit.  Preparing each staff member before the onsite meeting is vital to a successful, efficient, and effective audit.</p>
<p>Some examples of staff interview preparation include understanding exactly what is meant by “Cardholder Data Environment” (CDE) and what it actually means to the organization.  The organization and the auditor must agree on the scope prior to the commencement of the audit.  Only information directly related to the CDE should be provided in interviews.  Auditors should be expected to provide their interview questions for review beforehand, comply with an interview schedule, and should not interview additional staff members who may confuse the issues or provide inappropriate answers.  It is the responsibility of the individual managing the audit process to ensure the interview is on topic, within scope, and with the appropriate staff.</p>
<p>In my next blog I will cover actual questions that have been asked as well as the proper way to answer them. I will also dive deeper into the audit process.  Until then please contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> to learn more about how we can assist your organization to manage the compliance process.</p>
<p>See my next blog post here &#8211; <a href="http://www.cybersecurityinformation.com/2009/11/09/pci-audit-compliance-qsa-visit-part-2/" target="_self">Managing Your PCI Audit &amp; Compliance part 2 &#8211; preparing for the QSA visit</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

