PCI DSS Compliance Audits

What is PCI DSS?

The global acceleration of cashless transactions makes payment systems an obvious target for criminals. Vulnerabilities may appear anywhere in the payment processing ecosystem. The PCI Data Security Standard (PCI DSS) is a security framework for developing a robust payment account data security process. The framework is developed and maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. (participating payment brands). The PCI SSC is responsible for developing and managing the PCI DSS and its related qualification programs, while the participating payment brands maintain their separate compliance enforcement programs. The participating payment brands determine which entities need to validate compliance, validation levels, whether an entity is eligible to complete a self-assessment questionnaire (SAQ) or must complete a Report on Compliance (ROC), and exact fines or penalties for non-compliance. 

The PCI DSS provides a baseline of technical and operational requirements designed to protect account data and is intended for all entities that store, process, or transmit account data or could impact the security of the cardholder data environment (CDE). The account data consists of cardholder data and sensitive authentication data, defined as follows (source):

The PCI DSS consists of 12 principal requirements (source):

What is a PCI DSS assessment?

There are two types of PCI DSS assessments: self-assessment questionnaire (SAQ) and report on compliance (ROC). The former can be completed by the entity on its own or with the assistance of a qualified security assessor (QSA) like Linford and Company, whereas the latter must be compiled by a QSA following an audit. Whether an entity is required to complete an SAQ or engage a QSA to perform a PCI audit and compile a ROC is at the discretion of the organizations that manage compliance programs, such as participating payment brands, acquirers, or other parties of interest. 

Whether an entity completes an SAQ or undergoes a QSA-validated assessment, an attestation of compliance (AOC) can be completed and signed by the entity that underwent the assessment and the QSA company (if involved) as a declaration of the results of a PCI DSS assessment.

An AOC is valid for one year from the date the AOC is signed.

What is the cost of a PCI DSS assessment?

The fees for a PCI DSS assessment are contingent upon the scope of the CDE and the complexity of the system components, people, and processes that could impact the security of the CDE. For a PCI audit resulting in a ROC, the fee can range from $30k to $200k. Fees for QSA-assisted SAQ assessments depend on the type of SAQ, and a QSA company may assess either a time-and-material or a fixed fee up to $40k. 

In addition to the aforementioned professional fees, entities should also take into account the costs associated with compliance, which includes, but not limited to:

1. Implementation of an intrusion detection/prevention system (IDS/IPS)
2. Implementation of a security information and event management system (SIEM)
3. Quarterly internal vulnerability scans 
4. Quarterly external vulnerability scans by an approved scanning vendor (ASV)
5. Malware protection and detection
6. Software security training for developers
7. Static code scans
8. Annual penetration testing
9. Quarter rogue wireless access point scans 
10. Implementation of a file integrity monitoring (FIM) tool to detect changes to critical files
11. Security awareness training for new hires and annually thereafter
12. Security policies development

Who needs a PCI DSS assessment?

The responsibility of mandating compliance with PCI DSS typically sits with the participating payment brands and acquirers. However, PCI DSS applies to any business that stores, transmits, or processes account data or could impact the security of the CDE. Two primary categories of businesses are often asked for attestation of PCI DSS compliance: merchants and service providers. 

A merchant is any business that accepts payment cards as payment for goods and/or services. A service provider is an entity directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity or providing a service that controls or could impact the security of cardholder data. A merchant may also function as a service provider if its services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. 

Note that participating payment brands and acquirers have different rules for merchants and service providers that are based on transaction volume, and are called merchant and service provider levels.

PCI DSS Assessment Process

How does a PCI DSS assessment begin?

The assessment process includes the following high-level steps (source):

1. Scope: Identify the people, processes, and technologies that interact with or could affect the security of account data. This also includes system components that could influence the security of the CDE. 
2. Assess: Review all in-scope system components to determine whether PCI DSS requirements have been met. The assessment activities may be performed remotely, in-person, or a combination of both. Prior to meetings, documentation including policies and procedures, data flow and network diagrams, and system inventories should be collected and reviewed in advance to ascertain that all evidence is ready and available to be assessed. Our QSA will set up secure storage repositories for evidence. 
3. Remediate: Bridge any gaps identified during the assessment to get ready for re-test. 
4. Report and Attest: Upon the completion of the assessment activities, our QSA will complete the report (SQA or ROC) and attestation (AOC). The reports will then be sent to the assessed entity for review, comments, feedback, and sign-off.
5. Submit: The assessed entity is responsible for sending the completed and signed reports (SAQ/ROC and AOC), along with other requested supporting documentation such as ASV scan reports, to the requesting entity.

What are the deliverables?

Validation documents are the official mechanism by which entities demonstrate their PCI DSS compliance status to the requesting entity. Depending on participating payment brand compliance programs, entities may be required to undergo a detailed PCI DSS assessment and submit a ROC or may be eligible to conduct a self-assessment and submit a SAQ. An AOC, signed by the entity and the QSA (if involved), accompanies the validation document.

Report on Compliance (ROC): This is a detailed report for QSAs to document the results of a PCI DSS assessment. The ROC contains more detailed information than the SAQ, including sample selection, inventory of interviews and evidence, and how each requirement was assessed and validated. 

Self-Assessment Questionnaire (SAQ): There are various types of SAQs depending on whether an entity is a merchant or a service provider and how merchants interact with the payment systems. SAQs can be completed by the assessed entities with or without the assistance of a QSA. To determine whether you are eligible to complete an SAQ and which SAQ type is appropriate, contact the participating payment brands, your acquiring bank, or the requesting entity.

Attestations of Compliance (AOC): AOC is a declaration of the results of a PCI DSS assessment, completed and signed by the entity that underwent the assessment and the QSA Company (if involved). The AOC reflects the results of a PCI DSS assessment documented in an associated ROC or SAQ.