As discussed previously on the Advantio blog, PCI DSS compliance is not a one-off event. It is a process of continuous improvement that seeks to identify and implement new safeguards wherever and whenever possible.

In order to understand current system status, and the effectiveness of each new iteration, your business will need to conduct a periodic PCI audit. Because of the amount of additional work generated by an audit many CTOs/CISOs may be tempted to avoid them – unless mandated by a third party.

With the right preparation however, your business can reduce the risk of failing an audit and make the process a lot less painful too.

Get your documentation in order

Requirement 3 of the PCI DSS compliance framework is primarily concerned with protecting stored cardholder data. Aside from actually implementing security provisions, your business is also expected to document each of those safeguards.

Documentation should contain full details of encryption protocols, key management processes, and the procedures for protecting stored card data (among others). These documents not only prove your business has met the required standards for compliance, but also provide a simplified way to test provisions continue to meet requirements.

Any PCI audit will also assess whether the documentation has been kept up-to-date. If the current processes are not recorded, you will fail the audit.

Create process diagrams

Creating visual representations of your processes helps to clarify the movement of sensitive personal data in and out of your business. It also provides a simple way to identify gaps and weaknesses in current processes.

With potential problems highlighted, your technical team can engineer a solution before the auditors arrive. Just make sure these flowcharts are updated regularly alongside the rest of your documentation.

Design and conduct risk assessments

Risk assessments are a crucial aspect of identifying and deploying new technologies. Your change management team will already assess every new system and the potential impact on existing infrastructure – but do they perform the same due diligence to assess impact on PCI DSS compliance.

Risk assessments allow you to consider and test the effect of system changes on a smaller scale than full PCI audits. You should conduct risk assessments whenever the system is changed as they provide early warning of potential breaches – and provide an opportunity to resolve those issues before a breach can occur.

Partner with a third party expert

Partnering with a third party PCI DSS makes sense on several levels. First, they offer a fresh perspective of systems that your own staff may be too familiar with, leaving them unable to provide objective assessments. Second, they bring wider industry experience, allowing them to recommend improvements and enhancements that have been seen to deliver genuine benefits elsewhere.

You may also be able to outsource tasks like firewalls reviews, source code analysis, vulnerability and patching management, documentation updates and so on.

PCI audits are an unavoidable aspect of compliance if you have a role in online payments. It is far more preferable to conduct a voluntary semi-annual check than to be subject to one in the aftermath of a non-compliant audit or even a breach. Audits prove that your business is consistently meeting its obligations to take security safely.

To learn more about PCI audit preparations, and how Advantio can help your business get its systems and processes in order, please get in touch.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA