Saturday, March 29, 2014

7 Tips For Successful PCI DSS Audit

In light of my recent experience leading Instart Logic through the process of PCI DSS Level-1 certification, and some experience implementing a PCI environment at Cotendo, I would like to share my recommendations on how to successfully pass an on-site audit for PCI DSS compliance.

1. Select the right QSA

There are many PCI Qualified Security Assessors (QSA) out there in the wild, and all of them will tell you many nice stories about how great they are at the PCI audit process. Look for a QSA with experience in your field/industry and with good recommendations. Ideally, the QSA will not only audit your environment for PCI compliance, but will also be a great source of information and suggestions on how to properly implement the hundreds of PCI requirements.

2. Learn from other people’s experience

The PCI thing requires a lot of learning, and thanks to the Internet you can learn from the experience of others. The web is full of articles from PCI auditors/experts about what they expect to see in audited companies, and also from PCI implementers who share their technical experience building PCI-compliant systems. Pay particular attention to how-tos about system audit services, central user management systems, file integrity monitoring tools, log tamper protection and monitoring systems, and cardholder data encryption methods. These are the requirements which can be tricky to implement, but thanks to the Internet you can pick the brains of others.

3. Invest in gap analysis

Invest in a full-scale PCI DSS gap analysis with the QSA you plan to hire for the on-site audit. Come to the gap analysis prepared with:
1) your own view about what should be included in the PCI scope (more about this later)
2) which requirements are not applicable to your specific case
3) which specific implementation methods/approaches you plan to use for each PCI requirement.

During the gap analysis process clearly communicate information about what you have and what you plan to do, and make sure that the QSA clearly understands your business, the PCI scope of your environment and your high-level implementation plan.

In the worst case the gap report will tell you only what you are missing (consider this a failed gap analysis process), and in the best case you will create a strong high-level implementation plan approved by the QSA. During the gap analysis process you will also gain a better understanding of the technical and communication skills of the QSA company, and may decide not to use this QSA for the on-site audit. If you switch to another QSA, please do yourself a favor and go through the gap analysis process again with the new company (the money will be well spent), and use the gap report produced and approved by the QSA who will do the on-site audit.

4. Minimize the PCI scope

This can be taken to the level of an art, and using proper arguments to support your position you can significantly reduce the scope of your PCI-compliant environment (especially when it comes to service provider networks like Instart Logic, where we don’t process or store cardholder data). Smart people say that one hour of planning saves seven hours of work, but I can say that one hour spent on minimizing your PCI scope will save you 7 days of work spent on implementing PCI requirements!

5. Write a detailed implementation plan

After the initial reading of all PCI DSS requirements (more than 200 of them) and coping with the expected panic attack (how can a sane company/team implement all these crazy requirements?), do the following: start re-reading the PCI requirements and writing a detailed implementation plan. For every requirement which is still applicable to your environment, specify what change needs to be made, which new system/component should be deployed, which configuration change should be performed, and which document/procedure should be written. It will require time, effort, research, consultations with the QSA and many iterations to complete the detailed implementation plan (but still expect to change it a lot later down the road).

Once you’ve finalized the detailed implementation plan, make sure that your QSA reviews and approves the plan, and only after that start the implementation process. Without having the QSA involved in the planning process you will significantly increase the risk of “surprises” during the on-site PCI audit stage.

6. Hire someone to write your PCI DSS Information Security Policy document

PCI is a lot about procedures and documentation, and many of the documentation requirements are quite generic from company to company. I would strongly suggest hiring your QSA (or another company recommended by your QSA) to write the required PCI DSS Information Security Policy, Incident Response Plan, Risk Assessment Report, and other PCI-related paperwork. Preparing your system for a PCI audit requires a lot of technical effort which you cannot outsource, and hiring an external company to run the documentation project will significantly shorten your PCI implementation stage.

You will still need to write the very technical part of the PCI documentation describing your specific network and service components, so some technical writing effort is unavoidable.

7. Keep your team involved in the PCI assessment process

Depending on the size of the technical team involved in implementing and managing the future PCI-compliant service, you may want to have the team involved in the regular PCI reviews and gap analyses performed during the implementation process. Ask your team to review the PCI DSS standard, the latest official gap analysis report produced by the QSA, and your current implementation of the PCI standard from both technical and documentation points of view. This will produce the following positive results:
1) Your team will learn about the PCI standard and your specific PCI environment (PCI DSS requires you to train the staff who will have access to cardholder data anyway)
2) Your team will provide very valuable feedback about any missing or incorrectly implemented PCI requirements
3) Your team will be more involved in the decision-making process (and will normally feel good about this)

Do the internal audit several times until no one on the staff can find a single discrepancy from the PCI standard - this will significantly boost your confidence about the coming PCI on-site audit, and also make your team ready for interviews with the QSA (which are part of the PCI audit process).
