
PCI Compliance Audit Requirements and Checklist from an Expert PCI-QSA | Part I

View the PCI compliance audit requirements and checklist put together by PCI-QSA Charles Denyer, a leading Qualified Security Assessor with NDB Advisory. The PCI compliance audit requirements and checklist is a must-read for any merchant or service provider embarking on an actual Level 1 Onsite Assessment by a QSA, or even on the in-depth SAQ D requirements. Because PCI compliance can be an incredibly expensive, taxing, and time-consuming process, it’s important to clearly understand everything needed to become compliant in an efficient, cost-effective, yet comprehensive manner. Take note of the following items from NDB’s PCI compliance audit requirements and checklist:

1. Identify the Applicable Merchant and Service Provider Level. First and foremost, identify your merchant and service provider level, because that ultimately dictates whether you are eligible for SAQ reporting or require an actual Level 1 Onsite Assessment by a Qualified Security Assessor (QSA). View the merchant and service provider levels and then determine which route to go.

2. If SAQ, determine which SAQ. If it’s an SAQ you need to be compliant with, then visit pcisecuritystandards.org and determine which of the SAQ platforms (i.e. SAQ A, B, C, C-VT, D, P2PE-HW) to comply with. Each of the SAQ documents, available for download at pcisecuritystandards.org, offers scenarios and examples of credit card payment flows to give you a better illustration of each respective reporting platform. Additionally, while at the site, you’ll need to download all the necessary material for the applicable SAQ, such as the reporting requirements, along with the Attestation of Compliance (AoC).

3. If a Level 1 Onsite Assessment, find a QSA. Fees, and the quality of work, can vary greatly from one QSA to another, so seek out three (3) proposals from Qualified Security Assessor firms, including one that quotes a fixed fee. Call PCI-QSA Charles Denyer of NDB Advisory at 1-800-277-5415, ext. 705, or email him, to receive a competitively priced fee. Level 1 Onsite Assessments can be extremely time-consuming and operationally challenging, all the more reason to hire an experienced PCI-QSA, and one that also offers a fixed fee.

4. Thoroughly review all material. Getting compliant means READING and DOING everything that the applicable Payment Card Industry Data Security Standards require, specifically putting in place policies, procedures, processes, and other supporting practices. PCI DSS compliance is technical, no question about it, but it also requires numerous operational and policy-writing activities to become compliant, so keep that in mind.

5. Purchase PCI DSS policies and procedures. Becoming compliant with any of the SAQ mandates, along with the dreaded Level 1 onsite assessments, requires merchants and service providers to put in place a significant amount of documented information security policies and procedures throughout all of the PCI DSS sections.

Read Part II of the PCI Compliance Audit Requirements and Checklist

Author: Charles Denyer
