A PCI compliance audit assesses a merchant’s point-of-sale (POS) system by examining it, identifying vulnerabilities and instituting precautions to prevent data from being compromised. There are two basic reasons that a business that accepts credit cards would be required to have an onsite assessment of their cardholder data environment:
- The Payment Card Industry Data Security Standard (PCI DSS) requires that Level 1 merchants (primarily big-box stores and major corporations) undergo an annual internal audit as part of the PCI compliance process.
- Merchants in Levels 2 through 4 are required to undergo a PCI compliance audit if they suffer a data security breach, or if their merchant services provider determines that they have an increased risk of data breach.
A PCI compliance audit must be conducted by a Qualified Security Assessor (QSA) approved by the Payment Card Industry Security Standards Council (PCI SSC). He or she evaluates all aspects of your security infrastructure — from policies and procedures to systems and networks — and provides you with a risk assessment that is the basis for improving your data security. Think of it as your roadmap for achieving or reclaiming your PCI compliance.
After reviewing the assessment and prioritizing the points that need attention, the QSA will provide you and your employees with security awareness training to bring you up to date with current PCI standards.
As part of the ongoing PCI compliance process, it is your responsibility to implement the changes noted in the QSA’s audit report, known as the Report on Compliance (ROC). The QSA can act as a consultant or manage the process. This is part of the 3-step Assess/Remediate/Report approach to PCI DSS compliance process advocated by the PCI SSC:
Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.
Report: Compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.
Rather than being something you should dread, a PCI compliance audit with a QSA can be a valuable tool to keep your business and your customers safe from a payment card data breach. TransFirst® is standing by to help you reach and maintain the highest level of PCI compliance.