Officially known as an annual PCI DSS assessment, this audit is required for Level 1 merchants and recently breached merchants to maintain PCI compliance. These assessments can only be performed by a Qualified Security Assessor (QSA). Read on to learn what you, the merchant, should expect from the audit and how to prepare for it.
Top Reasons to Become PCI DSS Compliant
PCI DSS refers to Payment Card Industry Data Security Standards, and it is required for any store that accepts credit cards as payment. This applies both to stores that process credit cards, and stores that limit themselves to transmitting card data to third party payment gateways like PayPal and others.
The case for “why PCI compliance” is two-fold:
- The five major credit card companies on the PCI Council (Visa, MasterCard, American Express, Discover, JCB) require it.
- PCI-compliant merchants are more effective at protecting their customers’ data than merchants that are non-compliant.
Or, as a third argument for the merchants unmoved by the first two: PCI DSS helps prevent breaches, and breaches cause downtime and lost revenue.
For a more detailed breakdown of PCI compliance, see How Hostdedi Helps Your Store Stay PCI Compliant.
PCI DSS Risks
Only 29 percent of companies remain compliant a year after their initial validation because they pass once, then drift into complacency.
Auditing is a required component of compliance for larger merchants, and it may be tempting to wonder about the consequences of non-compliance. Some might resent what they perceive as the credit card industry’s stranglehold on ecommerce. Others might just “have better things to do with my time, like run my business.”
What’s the worst that could happen?
The short answer is non-compliant merchants can be fined, audited, breached, and suffer damage to their brand reputation. The longer answer is that PCI compliance is the beginning of security, not the end. It’s best to consider it as the “minimum acceptable standard” for securing your customers’ data.
How Much Does a PCI Audit Cost?
On average, a typical PCI audit for a smaller merchant costs about $15,000. This adds to other factors influencing PCI DSS certification cost, which usually relate to infrastructure and paying qualified personnel to apply and maintain best practices of data security. While this is not insignificant, the cost of ignoring compliance is far greater.
Beyond ethical concerns, failure to comply can result in:
- Fines by credit card companies ranging from $5,000 to $100,000
- Security breaches, which often involve downtime to resolve
- Legal action by endangered customers and third parties
- Damaged reputation and loss of consumer trust
- Loss of revenue
- Federal audits
How Does a PCI DSS Audit Work?
If you’re facing an upcoming audit, then you’re either a Level 1 merchant with more than 6 million credit card transactions per year, or a merchant from the lower PCI compliance levels (2–4) that suffered a recent data breach. The central goal of the audit is to find non-compliance, provide guidance on how to fix it, and verify you’ve addressed any and all issues.
The first step is finding a Qualified Security Assessor (QSA) to perform the audit. Only QSAs are licensed to perform the audits, as these organizations are certified by the PCI council to understand their data security standards.
The simplest way to find a QSA is by choosing one from the list on the PCI website. As with any service, it is usually wise to talk to a few, as not all are created equal. Never hire a company claiming to be a QSA if not present on the PCI list; these companies are either outsourcing your request, or planning to sell you other services.
Once onsite, the auditor will assess multiple areas of your business. As you might expect, this includes your cardholder data environment (CDE), defined as any device, component, network, or application that stores, processes, or transmits cardholder data. It also includes your policies and procedures surrounding your use of these systems.
PCI Audit Requirements
- Transparency and cooperation
- Completed PCI audit checklist
- Understanding of current PCI DSS
- Your printed copy of your Report on Compliance (ROC) from the previous year
- Evidence of quarterly scanning and penetration testing
- Evidence of regular event log checks
- Documentation on how you handle third party vulnerabilities
Remember: the role of the auditor is to prevent the compromise of cardholder data, not to punish your company. As long as you’re cooperative and invested, the auditor will explain where you need to improve and help you do it. To execute these changes efficiently, consider appointing a compliance leader within your organization. This individual takes responsibility for compliance efforts, but should also have the authority to compel change across your team.
9 Common PCI Mistakes Revealed by PCI Audits
If you care enough about PCI compliance to read this article, then you’re on the right track. Following are nine common mistakes for merchants undergoing audit, though your experience may vary according to your business needs and PCI compliance level.
Hiring a PCI compliant hosting provider like Hostdedi will go a long way toward preventing these mistakes, but it’s not a magic bullet. Merchants must do their part as well, but most hosting providers can assist you in this task.
Reminder: CDE, or cardholder data environment, refers to any device, component, network, or application that stores, processes, or transmits cardholder data.
Unnecessary storage of credit card data
As a general rule, you should take every reasonable step to avoid storing credit card data, and never store CVV numbers for any reason. Many merchants choose to store data to accelerate their customers’ checkout process without fully understanding the implications for compliance. Don’t be one of them.
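One way to find out whether card data is being stored where it should not be, added here as an example (not from the original article or from Hostdedi): a small discovery scan over text such as logs or database exports that reports Luhn-valid card numbers and stored CVV fields, showing only masked values. The sample input is constructed.

```python
import re

# Constructed sample input (not from the article): a log fragment and an export line.
SAMPLE = """2024-01-01 order=1001 card=4111111111111111 cvv=123 amount=19.99
2024-01-01 order=1002 token=tok_8f3a9c amount=5.00
note: customer phone 5551234567, ref 1234567890123456
"""

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A stored CVV field: the article says never to store it for any reason.
CVV_FIELD = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which every real PAN passes (cuts most phone/order-number false positives)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, a common PCI DSS masking convention."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, finding type, masked value) for each PAN or CVV field found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((lineno, "PAN", mask_pan(digits)))
        if CVV_FIELD.search(line):
            findings.append((lineno, "CVV", "[redacted]"))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind} {value}")
```

The 16-digit reference number on the third sample line fails the Luhn check and is correctly left unreported; only the card number and the stored CVV on the first line are flagged.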
Failure to separate the CDE network from the rest of the organization’s IT infrastructure
The key phrase to remember in PCI compliance and access to cardholder data is “as-needed.” Make it your mantra. When applied to your network, it is known as “network segmentation,” and it usually concerns the sub-networks within your organization. Sub-networks used for internal office communications should have no access—direct or indirect—to the sub-networks with access to the CDE.
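A check for the “direct or indirect” rule above, added here as an example (not from the original article or from Hostdedi): it walks a constructed allow-list of firewall rules and reports every chain of rules, one hop or several, that lets traffic from the office network reach the CDE. The networks and rules are constructed, and the walk conservatively assumes that any reachable network can pivot onward.

```python
import ipaddress
from collections import deque

# Constructed example networks (not from the article).
OFFICE = ipaddress.ip_network("10.10.0.0/16")   # internal office LAN
CDE = ipaddress.ip_network("10.200.0.0/24")     # cardholder data environment

# Constructed allow rules as (source, destination, port), standing in for a firewall's allow-list.
RULES = [
    ("10.10.0.0/16", "10.20.0.0/16", 443),       # office -> internal app tier
    ("10.10.5.0/24", "10.200.0.0/24", 22),       # one office subnet -> CDE: direct violation
    ("10.20.0.0/16", "10.200.0.0/24", 5432),     # app tier -> CDE database: pivot for an indirect path
    ("10.200.0.10/32", "10.200.0.20/32", 5432),  # inside the CDE only
]


def reachable_paths(rules, start=OFFICE, target=CDE, max_hops=3):
    """Breadth-first search over allow rules.

    A rule is traversable from a network when its source overlaps that network; the walk
    assumes (conservatively) that anything reachable can pivot onward. Each returned path is
    the chain of rules that lets traffic from `start` reach `target`, directly or indirectly.
    """
    paths = []
    queue = deque([(start, [])])
    while queue:
        net, path = queue.popleft()
        if len(path) >= max_hops:
            continue
        for rule in rules:
            if rule in path:
                continue
            src, dst = ipaddress.ip_network(rule[0]), ipaddress.ip_network(rule[1])
            if not src.overlaps(net):
                continue
            new_path = path + [rule]
            if dst.overlaps(target):
                paths.append(new_path)  # found a way into the CDE
            else:
                queue.append((dst, new_path))
    return paths


if __name__ == "__main__":
    for path in reachable_paths(RULES):
        hops = " -> ".join(f"{s}->{d}:{p}" for s, d, p in path)
        print("direct" if len(path) == 1 else "indirect", hops)
```

Removing the direct rule alone is not enough: the office-to-app-tier rule combined with the app-tier-to-CDE rule still gives an indirect path, which is exactly what an auditor will ask about.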
Failure to restrict access to the CDE to only those employees that need it
Once again, only employees needing access should have it. This covers both physical access to areas housing devices within the CDE and logical access such as permissions and passwords.
Insufficient training and security awareness
This extends to your team as well as yourself. If you employ a team, consider appointing someone as a Compliance Officer to take responsibility for training efforts, and give them enough authority to get the job done.
Weak password security policy
Passwords to any system within the CDE should be unique, complex, and never shared between employees. Password managers like LastPass, Zoho, 1Password, and many others are invaluable for safely generating and storing complex passwords. If your team isn’t using one, then it’s a red flag for your security practices. Two-factor authentication for any CDE system is likewise essential, whether Google Authenticator, Duo, or something similar.
Missing web application firewall (WAF)
A web application firewall (WAF) identifies and interrupts malicious activity and exploits. Most merchants don’t use one in their infrastructure. You can pass a PCI assessment without one, but it requires a code audit any time you make changes to your application (Magento, WordPress, and so on). Most hosting providers can provide a WAF solution, or you can use a cloud-based one, which will increase security and simplify PCI compliance.
Inadequate network activity logs
A network log is a record of events, and it is crucial for identifying and tracking the efforts of bad actors attempting to gain access. Again, if you’re a Level 1 merchant that processes millions of credit card transactions per year, you’re an inviting target and likely have a network administrator in place. If you’re not a Level 1 merchant and you’re facing an audit, then it means you were recently breached.
Missing or poorly configured firewalls and routers
The security of a network firewall (not to be confused with web application firewall) or router is only as good as the person configuring it. Know your stuff or employ someone that does.
Unclear or outdated security incident response procedures
Whether you use Magento, WooCommerce, or any other platform, you or your system administrator should take great pains to stay current on the latest vulnerabilities. Have a plan to respond to exploits when—not if, but when—they occur.
Don’t Wait for Your Audit to Get Started
As a final point, never forget that PCI compliance is an ongoing effort. Annual audits are only one component of compliance, but a proactive approach to upcoming changes in your CDE will often pay dividends. Engage your QSA about these changes well before they happen, as they can provide sage advice about maintaining compliance.
For guidance with PCI compliance, contact our sales team between 9 a.m.–5 p.m. eastern time, Monday to Friday.
Our technical writer of 4 years and counting, Jay tends to our knowledge base garden at docs.nexcess.net, where he drives away pests like passive voice and logorrhea. He also contributes to our blog, misses his middlin’ performances at chess tournaments, and can’t remember what life was like before children.