Sunday, March 30, 2014

7 Tips For Successful PCI DSS Audit

In the light of my recent experience leading Instart Logic through PCI DSS Level 1 certification, and some earlier experience implementing a PCI environment at Cotendo, I would like to share my recommendations on how to successfully pass an on-site audit for PCI DSS compliance.

1. Select the right QSA

There are many PCI Qualified Security Assessors (QSAs) out there, and all of them will tell you nice stories about how great they are at the PCI audit process. Look for a QSA with experience in your field/industry and with good references. Ideally, the QSA will not only audit your environment for PCI compliance but will also be a good source of information and suggestions on how to properly implement the hundreds of PCI requirements.

2. Learn from other people’s experience

PCI compliance requires a lot of learning, and thanks to the Internet you can learn from the experience of others. The web is full of articles from PCI auditors/experts about what they expect to see in audited companies, and from PCI implementers who share their technical experience building PCI-compliant systems. Pay attention to how-tos on system audit services, central user management, file integrity monitoring tools, log tamper protection and log monitoring, and cardholder data encryption methods. These requirements can be tricky to implement, but thanks to the Internet you can pick the brains of others.
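To make two of the controls named above concrete (file integrity monitoring and tamper-evident logging), here is a small added example in Python. It is not code from the original post and not a replacement for a production FIM or log-management tool: it builds a SHA-256 baseline of a directory tree, reports added, removed and modified files, and keeps an HMAC-chained log in which every record authenticates the one before it, so an edit to an earlier record is detected. The file names, log messages and key are constructed for the demo.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

ZERO_TAG = "0" * 64  # chain anchor used as the "previous tag" of the first log record


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift between two baselines; all three lists empty means no change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def append_record(log: List[Dict[str, str]], key: bytes, message: str) -> None:
    """Append a record whose tag is HMAC-SHA256(key, previous_tag || message)."""
    prev = log[-1]["tag"] if log else ZERO_TAG
    tag = hmac.new(key, (prev + message).encode(), hashlib.sha256).hexdigest()
    log.append({"prev": prev, "msg": message, "tag": tag})


def verify_chain(log: List[Dict[str, str]], key: bytes) -> Optional[int]:
    """Return the index of the first record whose link or tag is wrong, or None if intact."""
    prev = ZERO_TAG
    for i, rec in enumerate(log):
        expected = hmac.new(key, (prev + rec["msg"]).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
            return i
        prev = rec["tag"]
    return None


def demo() -> Tuple[Dict[str, List[str]], Optional[int], Optional[int]]:
    """Constructed scenario: configuration drift between two FIM runs, then an edited log record."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(root)

        # Simulated unauthorised changes: one file edited, one added, one deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "rc.local").write_text("/tmp/payload &\n")
        (root / "etc" / "sudoers").unlink()
        drift = compare_baseline(baseline, build_baseline(root))

    key = b"constructed-demo-key-keep-real-keys-off-the-monitored-host"
    log: List[Dict[str, str]] = []
    append_record(log, key, "auth: admin login from 10.0.0.5")
    append_record(log, key, "fim: etc/sshd_config modified")
    append_record(log, key, "auth: root login from 203.0.113.9")
    intact = verify_chain(log, key)  # None: every record checks out

    # An attacker rewrites the incriminating third record in place.
    log[2]["msg"] = "auth: admin login from 10.0.0.5"
    tampered = verify_chain(log, key)  # 2: first record that fails verification
    return drift, intact, tampered


if __name__ == "__main__":
    print(demo())
```

Two caveats the chain does not solve on its own: deleting records from the tail is invisible to `verify_chain`, so the latest tag (or the whole log) has to be shipped regularly to a separate log server, which is also why PCI wants logs centralised; and the baseline and the HMAC key must live off the monitored host, otherwise whoever modifies the files can also re-baseline and re-sign.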

3. Invest in gap analysis

Invest in a full-scale PCI DSS gap analysis with the QSA you plan to hire for the on-site audit. Come to the gap analysis prepared with:
1) your own view of what should be included in the PCI scope (more about this later)
2) which requirements are not applicable to your specific case
3) which specific implementation methods/approaches you plan to use for each PCI requirement.

During the gap analysis clearly communicate what you have and what you plan to do, and make sure that the QSA clearly understands your business, the PCI scope of your environment and your high-level implementation plan.

In the worst case the gap report will only tell you what you are missing (consider this a failed gap analysis), and in the best case you will come out with a strong high-level implementation plan approved by the QSA. During the gap analysis you will also get a better understanding of the technical and communication skills of the QSA company, and may decide not to use this QSA for the on-site audit. If you switch to another QSA, do yourself a favor and go through the gap analysis again with the new company (the money will be well spent), and use the gap report produced and approved by the QSA who will do the on-site audit.

4. Minimize the PCI scope

This can be taken to the level of an art, and with proper arguments to support your position you can significantly reduce the scope of your PCI-compliant environment (especially for service provider networks like Instart Logic, where we don't process or store cardholder data). Be ready to defend every exclusion to the QSA with evidence: current network and cardholder data-flow diagrams, and segmentation controls that you have actually tested, because any system that can reach the cardholder data environment is in scope. Smart people say that one hour of planning saves seven hours of work, but I can say that one hour spent minimizing your PCI scope will save you seven days of work implementing PCI requirements!

5. Write a detailed implementation plan

After the initial reading of all PCI DSS requirements (more than 200 of them) and after coping with the expected panic attack (how can a sane company/team implement all these crazy requirements?), do the following: re-read the PCI requirements and write a detailed implementation plan. For every requirement that is still applicable to your environment, specify what change needs to be made, which new system/component should be deployed, which configuration change should be performed, and which document/procedure should be written. It will take time, effort, research, consultations with the QSA and many iterations to complete the detailed implementation plan (and still expect to change it a lot later down the road).

Once you’ve finalized the detailed implementation plan, make sure that your QSA reviews and approves it, and only after that start the implementation. Without the QSA involved in the planning process you significantly increase the risk of “surprises” during the on-site PCI audit.

6. Hire someone to write your PCI DSS Information Security Policy document

PCI is largely about procedures and documentation, and many of the documentation requirements are fairly generic from company to company. I would strongly suggest hiring your QSA (or another company recommended by your QSA) to write the required PCI DSS Information Security Policy, Incident Response Plan, Risk Assessment Report, and other PCI-related paperwork. Preparing your systems for the PCI audit requires a lot of technical effort which you cannot outsource, and hiring an external company to run the documentation project will significantly shorten your PCI implementation stage.

You will still need to write the very technical part of the PCI documentation describing your specific network and service components, so some technical writing effort is unavoidable.

7. Keep your team involved in the PCI assessment process

Depending on the size of the technical team involved in implementing and managing the future PCI-compliant service, you may want to have the team involved in regular PCI reviews and gap analyses performed during the implementation. Ask your team to review the PCI DSS standard, the latest official gap analysis report produced by the QSA and your current implementation of the PCI standard from both technical and documentation points of view. This will produce the following positive results:
1) Your team will learn about the PCI standard and your specific PCI environment (PCI DSS requires training for the staff who will have access to cardholder data anyway)
2) Your team will provide very valuable feedback about any missing or incorrectly implemented PCI requirements
3) Your team will be more involved in the decision-making process (and will normally feel good about this)

Do the internal audit several times, until no one on the staff can find a single discrepancy from the PCI standard. This will significantly boost your confidence ahead of the coming PCI on-site audit, and also make your team ready for interviews with the QSA (which are part of the PCI audit process).

