Ignore either at your peril.
Whether it be the damages that could result from a data breach caused by lax security or the operational inefficiencies—and thus competitive disadvantages—that could be caused by cumbersome policies and procedures, your organization must mitigate risks on multiple fronts as you seek to satisfy regulators, customers, and stakeholders alike.
The myriad of challenges is evident in a Payment Card Industry Data Security Standard (PCI DSS) audit, in which you may have to comply with as many as 250 to 300 controls in order to continue handling payment card data. With so many potential pitfalls, choosing the right partner from among numerous PCI audit companies is crucial to ensuring that you comply with the PCI DSS and that you compete for customers efficiently.
In addition to providing the assessment itself, the right PCI audit partner can show you how you can be compliant and help you design your cardholder data environment correctly, thereby helping you to both comply and compete.
PCI compliance assures customers that their data is safe because a PCI DSS compliance audit examines your security measures to see whether you adhere to the latest standards for protecting your customers’ data.
A compliance partner can help you prepare for a PCI DSS compliance audit by setting expectations and clarifying responsibilities. They can help you learn what you need to know if your business is being subjected to PCI DSS compliance requirements for the first time and you don’t know what is required to pass the new audit. Or, if you have been through PCI audits before, they can help you better protect cardholder data by improving security holistically, including through operational improvements with bottom-line benefits.
Look for these seven things when considering PCI audit companies.
Your audit partner should bring insight gained through experience. The more they have seen and done, the more they can help you prepare for a PCI compliance audit.
Your auditors should have at least 10 years of relevant experience. They also should perform several audits a year and focus solely on auditing.
Also, consider the diversity of their experience, such as whether they have previously worked with companies in your industry and of your size. Confirm that you will work with the auditors you meet with instead of less experienced professionals after you begin your engagement. With some firms, senior partners may sign you up only to turn you over to junior associates who lack the necessary experience.
Ask questions like:
How many audits has the firm conducted?
Do the auditors that you would work with have relevant experience and references?
What is the experience of your auditor(s) in particular?
What is the collective experience of the team?
You don’t necessarily need to know everything your organization must do to comply with the PCI DSS, but your auditors should know. Certifications imply that auditors can guide you through the latest in compliance changes by remaining current with standards and regulations.
For example, when it comes to protecting customer data, your audit partner should be able to explain to you how measures that were previously considered best practices became requirements when version 3.2 of the PCI Data Security Standard took effect in February 2018. Now, service providers must perform at least quarterly reviews of the personnel charged with maintaining their organization’s adherence to security policies and procedures.
A PCI audit will require you and your team to work closely with your auditors as you move through an abundance of procedures and collect lots of information. You will work with your auditors for several weeks, sometimes dealing with sensitive issues and tight deadlines. Your auditors should be timely and responsive when issues arise.
Your PCI audit partner should be:
a good communicator;
able to speak your industry’s language; and
able to resolve issues quickly.
Look for a firm that will work closely and collaboratively with you to ensure all service-related risks are addressed appropriately.
4) A Proven Approach
Knowing your organization and understanding its needs positions you and your auditors for a successful engagement. Your audit partners should begin by taking the time to get to know your company, asking detailed questions and probing intently for nuances.
Your audit firm should also have a proven methodology they apply to produce the best results possible. An effective methodology typically includes three phases:
Planning and scoping
Reporting of results
5) Business Insight
The right PCI audit partner will help you compete and comply by helping you run your business more efficiently. A business-focused auditor can identify issues that affect your company’s bottom line, such as IT inefficiencies. Your auditor should then be able to explain how leveraging IT can enhance product innovation and increase customer retention while improving internal organizational efficiencies, according to a SearchSecurity.com article on best practices for choosing an outside IT auditor.
Your audit partner should be known for doing good work. Find the right audit partner by asking your professional advisors if they have an audit firm that they would recommend. Contact representatives from any trade groups that you belong to, as well. Get contact information for any possible partners with good reputations among people whose opinions you respect.
7) Security First
Don’t just look at a PCI audit as a means to get a certificate. Maintaining PCI compliance should be a byproduct of your security. Your audit partner should be able to help you shape a broader cybersecurity strategy that protects against threats from multiple fronts.
Experienced audit partners can keep you at the forefront of security by helping you stay abreast of evolving technologies. They may even be able to help you cut costs by reducing overhead as you tighten security.
Keep your business running and growing by maintaining PCI compliance and assuring customers that they can trust you with their data. Many PCI audit companies will tell you that they can help you comply, but the right PCI audit partner will help you comply and compete—and do so efficiently.