Our thinking

PCI DSS Audits – What to Expect

The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses which accept card payments (via debit or credit card).

When you sign a merchant agreement with a bank (or a payment service provider, such as PayPal) to accept payment cards, you also agree to comply with the PCI DSS standards – and accept liability for heavy penalties if you don’t! Your merchant agreement may also include clauses which allow your bank to:

  • terminate services if you are not compliant
  • request an external audit (at your expense!) to confirm compliance.

The purpose of this article is to give you a brief overview of the PCI DSS audit process and how it may apply to you.

 

What is PCI DSS?
The major card companies (Visa, Mastercard, AMEX, Discover and JCB) have always had security policies which they expect their merchants to adhere to. In 2004, the five companies decided to combine their standards to form a single, international standard administered by the Security Standards Council (SCC) which would apply to all organisations that accepted card payments.[1]  If you accept card payments, that includes your organisation!

The purpose of PCI DSS is to protect cardholders’ financial information by setting a minimum security standard that all merchants must meet or exceed. The standard is set by experts, and is designed to minimise the risk of data theft in most scenarios.

Historically, the SSC has not taken an active part in enforcing compliance. However, recent high profile data breaches have led the SSC to take a more active role, directing service providers to be more proactive in following up audit results and taking action against non-compliant businesses.

 

Who must complete an audit?
All businesses which accept card payments must complete an annual audit. The type of audit to be completed is determined based on:

  • The number and value of transactions processed by the merchant every year. This is used to categorise the merchant into one of four levels and determines whether or not they can self assess or must use an accredited external auditor (a QSA).
  • The processes which the merchant uses to process card payments. This determines which Self-Assessment Questionnaire (SAQ) the merchant is eligible to complete.

For more information about PCI DSS levels and processes, see our article “What is PCI DSS and why should I care?”  http://www.terrafirma.com.au/our-thinking/pci-dss-care/

 

 

 

[1]

 

How are PCI DSS audits conducted?
The business’ level determines how audits will be conducted. Businesses may choose to publish the audit results, for example on their company website, or may keep them confidential.

Your payment services provider may request a copy of your SAQ (or may ask you to complete a SAQ via their online portal) at any time as proof of your PCI DSS compliance. Keep your completed SAQs securely in case they are requested.

Level 3 or 4 businesses
If your business is a Level 3 or 4 business, you will usually be allowed to self-assess. To complete a self-assessment:

  • Download ‘Understanding the SAQs’ from the PCI DSS website.
  • Identify the SAQ which your business needs to complete.
  • Download and complete the appropriate SAQ.

Exception
If a card provider (for example, VISA or MasterCard) decide that your business presents an unusual risk, they may direct you to hire a QSA to complete your annual audits. This would normally occur following a security breach – failure to comply with the request would generally lead to your merchant services agreement being revoked, leaving your business unable to accept card payments.

Level 2 businesses
A level 2 business may choose to self- assess or may hire a QSA to complete the annual audit on their behalf. The process will be as above – the business identifies and completes the appropriate SAQ, which is retained as a record of compliance.

Level 1 businesses
A level 1 business must be audited by a QSA every year. The QSA will complete the appropriate SAQ and lodge it with the appropriate parties (usually your bank and the payment service provider).

How rigorous is the audit process?
Following a number of high profile breaches[2], the SSC has become more rigorous about enforcing compliance. In practical terms, this has meant that many organisations which have been self-assessing have been asked to undergo (at their own expense) a formal audit by a QSA. Most Level 1 organisations have undergone an intense scrutiny over the past two years – the focus appears to moving to Level 2 and Level 3 organisations. It is expected that this intense focus will continue until the card providers are comfortable that the risk has been reduced to manageable levels.

What if I don’t comply with all the requirements?

If your organisation does not meet a requirement, you will usually be given some time to resolve the issue.

However, if your organisation continues not to meet the PCI DSS requirements, your payment card service provider may decide that your organisation is too high a risk. They may terminate their contract with you, effectively preventing you from accepting card payments.

To avoid this, we recommend:

  • Seeking professional help to establish a structure that is compliant and straightforward to maintain. This may be more cost effective than you think.
  • Frequent reviews of your systems and processes to ensure ongoing compliance. It is not unknown for an organisation to become non-compliant as the result of a poorly implemented system change, for example.
  • Strong change management processes to mitigate the risk of your business accidentally becoming non-compliant following a badly thought out change.
  • Consider going above and beyond – implement a higher standard of security where possible to minimise your risk of a breach.

 

 

[1] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard accessed 29/7/2016
[2] For examples of recent breaches, see:

Zetter, K., “Will Target’s Lawsuit Finally Expose the Failings of Security Audits?”, https://www.wired.com/2014/03/trustwave-target-audit/, accessed 15/2/2017

Marks, J., “Most credit card breaches unnoticed”, http://www.politico.com/story/2014/10/data-hack-credit-cards-111665, accessed 15/2/2017

Miller, J., “PCI Compliance Under Scrutiny Following Big Data Breaches”, http://www.cio.com/article/2836035/data-breach/pci-compliance-under-scrutiny-following-big-data-breaches.html, accessed 15/2/2017