Skip to content

When is a PCI Audit Required?

Spreadsheets and calculations on paper in orange glow

Unless you’ve been hiding inside a cave or stranded on a remote island somewhere in the middle of the ocean for the past decade, you are likely aware that the prevalence of cybersecurity attacks has increased exponentially.

The latest breach saw HSBC financial organization as the target. The attack resulted in the exposure of personally identifiable information of an as-yet-undisclosed number of accounts. It’s likely that solid figures will be announced once the scope of the attack is fully understood.

Attacks on the financial sector are sadly becoming the norm. In fact, a new report sponsored by IBM pointed out that the financial services sector is the most attacked industrial vertical today. That’s because breaches within this market vertical are financially lucrative—costing businesses an average of around $3.7 million in 2017.

If you are a business that processes customer card data, you are likely aware of compliance requirements designed to ensure the safety and security of cardholder data. If you have been the target of a breach or have not examined your PCI compliance posture in a while, you may be required to undergo a PCI compliance audit. Here’s what you need to know.

What is a PCI DSS compliance audit?

A PCI DSS compliance audit assesses how robust the security of your point of sale system is. The audit focuses primarily on identifying system vulnerabilities and outlining security procedures and best practices for your systems. The audit will also provide recommendations on how to prevent data from being compromised.

PCI DSS was established by the major credit card companies. A set of standards was established to not only protect customer data, but provide a framework for organizations accepting or processing card data to follow.

What are the levels of compliance and what are easy ways to know which level, if any, you fit in?

Luckily, the PCI DSS council has made it fairly easy for merchants to figure out what category of compliance they fit into. It’s all generally based on the number of transactions a merchant processes.

There are currently four levels of PCI compliance:

Level 1: Merchants processing over 6 million card transactions per year.

Level 2: Merchants processing 1-6 million transactions per year.

Level 3: Merchants handling 20,000-1 million transactions per year.

Level 4: Merchants handling fewer than 20,000 transactions per year.

All four levels require merchants to undergo a self-assessment questionnaire (SAQ), a quarterly network scan by an approved scanning vendor, and an attestation of compliance form. Level 1 requires all of the above plus a report on compliance by a qualified security assessor (QSA).  

Who conducts a compliance audit for you?

You will need to contract with a qualified and approved PCI Security Standards Council security assessor (QSA) to conduct your audit. QSAs start by evaluating security infrastructure—procedures, policies, networks, and systems—then give you a risk assessment, providing you with suggestions on how to improve your data security.

The QSA will review your risk assessment with you and prioritize the areas that need to be addressed.  This outline is necessary to improve your data security policies and guide your staff by providing security awareness training.

How can you get ready for an audit?

The easiest way to prepare for an audit is to assess your existing data security policies and practices before the audit takes place. Start by examining the security of things such as your network firewall and file monitoring integrity systems for any unusual or critical changes.

If you are unsure of how or where to start on the road toward PCI Compliance, click here for some useful guidance.

Be aware that noncompliance may result in a fine of $5,000-$500,000 for the acquiring bank, who is highly likely to pass along the fines to the non-compliant merchant. In addition, if you are already PCI compliant and suffer a data breach, you could face suspension of credit card acceptance by your bank, not the PCI council.