Preparing for a PCI Compliance Audit

An FRSecure Self-Help Document of Guidelines and Best Practices

If you accept credit card payments, your organization is responsible for keeping the payment card data it handles safe. Depending on your transaction volume and on what your acquirer or the card brands require, compliance with the Payment Card Industry Data Security Standard (PCI DSS) may have to be validated through a Report on Compliance (ROC) audit, which confirms that policies and procedures to protect cardholder data exist and are being followed.

This guide is meant to be a starting point for your business. It outlines what you need to be thinking about when preparing for a Payment Card Industry Data Security Standard (PCI DSS) ROC audit, and lets you shape its recommendations into your own policies and procedures.

This document will help you:

  • Understand what a PCI DSS ROC is
  • Prepare your team for a PCI ROC Audit
  • Shape recommendations into actions and policies while logging the changes

The PCI DSS ROC – An Overview

The purpose of the Payment Card Industry Data Security Standard (PCI DSS) ROC (Report on Compliance) is to verify that the organization being audited is compliant with the PCI Data Security Standard. The ROC must be completed by a PCI Qualified Security Assessor (QSA), who audits the organization to verify that executive management has created policies and procedures to protect cardholder data and that the people responsible for performing tasks related to the protection of that data are following those policies and procedures.

The ROC largely involves a QSA interviewing subject matter experts (SMEs) about their role in PCI DSS within the organization. QSAs ask questions, observe processes and collect evidence in order to validate whether the organization has or has not satisfied each requirement.

How to Prepare Your Team for a PCI ROC Audit

1. Know the Test Material – One of the best ways you can prepare for a ROC and avoid the common fears and complaints around an audit is to review the current Payment Card Industry Data Security Standard (PCI DSS). This guide was written against version 3.2.1; confirm with your QSA which version applies to your assessment, since the standard is periodically revised and older versions are retired. It’s like having all the answers to the test in advance! The standard lists each requirement, its testing procedures and guidance. Reading it tells you everything you’ll need to know about what questions the QSA will ask, why they will ask them and what evidence they’ll be looking to gather.

AUDIT TIP: The best preparation tactic is to walk through the PCI requirements and testing procedures with staff that will be part of the ROC and make sure they understand the questions they will be asked and how they should be answered.

Have each SME review the standard in advance and work out, for the requirements in their area:

  • What observations, if any, need to be performed and documented.
  • What documents, if any, need to be collected and reviewed and what information needs to be identified in those documents.
  • What people, if any, need to be interviewed and about what topic(s).
  • What processes, actions taken or states of equipment, if any, need to be observed and documented.
  • Whether or not sampling can be used.

You can find this and other useful PCI-related documents in the PCI Security Standards Council document library (https://www.pcisecuritystandards.org/document_library).

Also, if you’ve conducted practice ROCs, focus on preparing answers to the questions you were assigned or that were flagged as weak during that exercise.

2. Answer the Question (and only the question) – Keep your answers short and simple. Long, rambling answers (usually a byproduct of nerves) tend to expose more information than you were planning to give and potentially open up issues.

AUDIT TIP: Be prepared for unexpected questions. Auditors are supposed to look for flaws, weaknesses and exceptions to the rule – they will ask follow-up questions you haven’t prepared for. Be thoughtful in your response to these questions and take time to formulate answers (again, remembering that anything from the audit can end up on the report).

When in doubt, refer back to your internal PCI lead to help address a question you aren’t sure how to answer. There is nothing wrong with saying, “I do not know” or “I will have to look into that question and get back to you.”

And remember, this audit is not intended to be a venue to air grievances or point out flaws. Whatever is discussed during these audits has the potential to be reported.

3. Back Up Your Claims – Much of PCI DSS compliance relies on trust that organizations are doing what they say they are doing. The ROC exists precisely so that a QSA can verify it. As a result, the organization being assessed not only has to produce documentation to support its compliance, but the QSA must also observe that the PCI DSS requirements are being followed. Simply stating that something is being done does not make it true to an auditor. The QSA must substantiate your statements (often with documentation, visual inspection, system configuration review, follow-up interviews with related parties, etc.) before they, too, will treat them as fact.

AUDIT TIP: Keep your laptop at your workspace if you are nervous or new to audits. The auditor may ask you to provide additional evidence to support a claim and it is OK to take the time to walk back to your workspace, where you are more comfortable, to find the information.

4. Stay Calm – This audit is meant to help confirm the things your organization is doing well to help protect your customers and your organization, and you play an important role in making that happen.

AUDIT TIP: Be open and considerate toward the auditor – as with any person-to-person interaction, if you set a tone of hostility, superiority or close-mindedness, they will likely match it. Ask your QSA questions and show a genuine interest in improvement, and they can become a valuable resource in your continued success with PCI DSS implementation.

Waivers

Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.

Enforcement

Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.

Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.