NDB Advisory What Is PCI? PCI Compliance Audit Requirements and Checklist | Part II

PCI Compliance Audit Requirements and Checklist from an Expert PCI-QSA | Part II

6. Become compliant. Easier said than done; it's important to roll up those sleeves and put in place the policies, procedures, practices, and all other supporting initiatives that help ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS). Anyone can say they are compliant, but actually undertaking the necessary steps for becoming compliant is another matter entirely, all the more reason to use the trusted services of NDB Advisory, under the direction of security specialist and PCI-QSA Charles Denyer. Contact him by email or call him at 214-298-8532 today. From policies and procedures to Level 1 Onsite assessments, NDB Advisory is there to help every step of the way.

7. If necessary, undertake vulnerability scans and penetration testing. Most of the PCI Self-Assessment Questionnaires do NOT require scanning and penetration testing, unless it's SAQ D. Furthermore, PCI Level 1 Onsite Assessments require both scanning (external and internal) and penetration testing (network layer and application layer), so please keep that in mind. The actual costs for such services are largely determined by scope, that is, the number of IPs and relevant target hosts that are in scope for a particular PCI DSS assessment. Call PCI-QSA Charles Denyer of NDB Advisory at 1-800-277-5415, ext. 705 or email him to receive a competitively priced fee.

8. Fill out the Attestation of Compliance (AoC). Clients, prospects, payment gateways, and many other interested parties often want some type of assurance of PCI DSS compliance, which is usually satisfied by providing them the Attestation of Compliance (AoC). The AoC is filled out by management and generally signed off by a senior officer if conducting an SAQ. For Level 1 Onsite Assessments, the Payment Card Industry Qualified Security Assessor (PCI-QSA) will then sign off on it. You can expect the AoC to become your "proof" of being PCI DSS compliant.

9. Provide documentation to all interested parties. As stated, parties interested in your PCI compliance mandates will often ask for the AoC, but beware: they may also seek additional evidence, such as your documented information security policies and procedures. It's important to keep all audit evidence readily available for auditors and other entities seeking more information on your PCI compliance activities. For starters, make sure all PCI policies and procedures are easy to locate and have been distributed to all employees to read.

10. Stay compliant. Easier said than done, but PCI DSS compliance is really a "moving target": the ongoing challenge organizations face in staying compliant with the Payment Card Industry Data Security Standards. It's about keeping policies and procedures up to date, undertaking scanning and penetration testing where applicable, and performing annual security awareness training for all employees and workforce members. There's much to be done, no question about it, but remember one important thing: being PCI compliant, truly compliant, says a lot about an organization's information security posture.

Read Part I of the PCI Compliance Audit Requirements and Checklist

Author: Charles Denyer
