PCI Compliance Audit Requirements and Checklist from an Expert PCI-QSA | Part I
View the PCI compliance audit requirements and checklist that’s been put together by PCI-QSA Charles Denyer, a leading Qualified Security Assessor with NDB Advisory. The PCI compliance audit requirements and checklist is a must-read for any merchant or service provider embarking on an actual Level 1 Onsite Assessment by a QSA or even the in-depth SAQ D requirements. Because PCI compliance can be an incredibly expensive, taxing, and time-consuming process, it’s important to clearly understand all necessary issues for becoming compliant in an efficient, cost-effective, yet comprehensive manner. Take note of the following items from NDB’s PCI compliance audit requirements and checklist:
1. Identify the Applicable Merchant and Service Provider Level. It’s important, first and foremost, to identify your merchant or service provider level, because that ultimately dictates whether you are eligible for SAQ reporting or require an actual Level 1 Onsite Assessment by a Qualified Security Assessor (QSA). View the merchant and service provider levels and then determine which route to go.
2. If SAQ, determine which SAQ. If it’s an SAQ you need to be compliant with, then visit pcisecuritystandards.org and determine which of the SAQ types (e.g. SAQ A, B, C, C-VT, D, P2PE-HW) applies to you. Each of the SAQ documents, available for download at pcisecuritystandards.org, offers scenarios and examples of credit card payment flows to give you a better illustration of each respective reporting type. Additionally, while at the site, you’ll need to download all the necessary material for the applicable SAQ, such as the reporting requirements, along with the Attestation of Compliance (AoC).
4. Thoroughly review all material. Getting compliant means READING and DOING everything that the applicable Payment Card Industry Data Security Standard (PCI DSS) requires, specifically putting in place policies, procedures, processes, and other supporting practices. PCI DSS compliance is technical, no question about it, but it also requires numerous operational and policy-writing activities, so keep that in mind.
5. Purchase PCI DSS policies and procedures. Becoming compliant with any of the SAQ mandates, along with the dreaded Level 1 onsite assessments, requires merchants and service providers to put in place a significant amount of documented information security policies and procedures throughout all of the PCI DSS sections.
Read Part II of the PCI Compliance Audit Requirements and Checklist
Author: Charles Denyer