PCI Audit - What Does The PCI DSS Audit Look Like
PCI stands for Payment Card Industry. What does a PCI audit look like? Although there are only six main areas of PCI DSS compliance, as explained in the PCI DSS section, those areas comprise a total of 12 main requirements, and these are further divided into more than 200 sub-requirements! A PCI security audit based on the PCI standards is highly comprehensive!
We will present just a sample of the PCI DSS audit testing procedure, the part that pertains to maintaining secure systems and applications. PCI DSS Requirement 6 ensures that software systems are kept up to date and free of vulnerabilities that could expose cardholder information, whether to unauthorized employees, to outside hackers, or to viruses that have penetrated the firewall. Requirement 6 covers both externally supplied software and systems and software developed in house.
Audit of secure external and internal systems and applications
Here are the components of the PCI audit for Requirement 6 of the 12 PCI requirements:
- The auditor must confirm that all patches for all external software have been applied within one month of the patch release. To this end, the auditor must inspect a sample of system component software, compare it against the list of published patches, and verify that every patch was installed within 30 days of release.
- The auditor must interview security personnel to verify that they are keeping up to date on new security patches through email alerts or similar updates.
- The auditor must obtain the document detailing the company's internal programming practices, which must show that security considerations are present during the entire software life cycle, from initial design through deployment and maintenance for the lifetime of the software.
- The auditor must verify that, before patching any software, the patches are independently tested.
- The auditor must verify that the testing environment is completely separate from the production environment, including completely separate login usernames.
- Production data must not be used in testing unless it has been appropriately modified, and any test data must be removed before the patched system is moved into production.
- The duties of employees responsible for testing must be completely separate from the duties of employees assigned to production systems.
- The auditor must verify that, for in-house software, someone other than the author is responsible for security validation of the newly written software, and that software reviews are regularly scheduled.
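The first item above describes a check that can be automated rather than done by hand: take an inventory of installed patches with their install dates, compare it against the list of published patches with their release dates, and flag anything installed more than 30 days after release or not installed at all once the window has passed. The script below is an added example, not part of the original article or of any PCI DSS document; the hosts, component names, patch identifiers and dates are all constructed sample data, and the data structures are assumptions about how an inventory export might look.

```python
from datetime import date

# Maximum allowed interval between patch release and installation, matching the
# "within 30 days of release" test in the audit procedure above.
PATCH_WINDOW_DAYS = 30

# Constructed sample data: published patches for the sampled software components,
# keyed by (component, patch_id) and mapping to the vendor's release date.
PUBLISHED_PATCHES = {
    ("webserver", "PATCH-001"): date(2024, 1, 10),
    ("webserver", "PATCH-002"): date(2024, 2, 15),
    ("database", "DB-7.2.1"): date(2024, 1, 20),
    ("database", "DB-7.2.2"): date(2024, 3, 1),
}

# Constructed inventory export from the sampled hosts:
# (host, component, patch_id, installed_on).
INSTALLED_PATCHES = [
    ("host-a", "webserver", "PATCH-001", date(2024, 1, 25)),  # 15 days after release
    ("host-a", "webserver", "PATCH-002", date(2024, 4, 1)),   # 46 days after release
    ("host-a", "database", "DB-7.2.1", date(2024, 2, 5)),     # 16 days after release
    # DB-7.2.2 was never installed on host-a
    ("host-b", "webserver", "PATCH-001", date(2024, 1, 12)),
    ("host-b", "webserver", "PATCH-002", date(2024, 2, 20)),
    ("host-b", "database", "DB-7.2.1", date(2024, 2, 19)),    # exactly 30 days: still compliant
    ("host-b", "database", "DB-7.2.2", date(2024, 3, 15)),
]


def audit_patch_timeliness(published, installed, as_of, window_days=PATCH_WINDOW_DAYS):
    """Compare an installed-patch inventory against published patches.

    Returns a list of findings (host, component, patch_id, status, days) where
    status is "late" (installed more than window_days after release; days is the
    actual lag) or "missing" (published patch for a component the host runs that
    is not installed although the window has already closed; days is how far
    past the window it is). Compliant installs produce no finding.
    """
    findings = []
    installed_index = {(h, c, p): d for h, c, p, d in installed}
    # Only judge a host against patches for components it actually runs.
    components_by_host = {}
    for host, component, _, _ in installed:
        components_by_host.setdefault(host, set()).add(component)

    for host in sorted(components_by_host):
        for (component, patch_id), released in published.items():
            if component not in components_by_host[host]:
                continue
            installed_on = installed_index.get((host, component, patch_id))
            if installed_on is None:
                overdue_by = (as_of - released).days - window_days
                if overdue_by > 0:
                    findings.append((host, component, patch_id, "missing", overdue_by))
                continue
            lag = (installed_on - released).days
            if lag > window_days:
                findings.append((host, component, patch_id, "late", lag))
    return findings


def run_sample_audit():
    """Run the check over the constructed data as of a fixed audit date."""
    return audit_patch_timeliness(PUBLISHED_PATCHES, INSTALLED_PATCHES, as_of=date(2024, 4, 15))


if __name__ == "__main__":
    for host, component, patch_id, status, days in run_sample_audit():
        print(f"{host}: {component} {patch_id} {status} ({days} days)")
```

Two details matter for the audit. A patch that is absent from a host is a separate finding from one installed late, because the inventory alone cannot tell the auditor whether the patch was skipped or simply not yet applied, so the script reports the "missing" case only once the 30-day window has already passed as of the audit date. And a lag of exactly 30 days is treated as compliant, which is the boundary the auditor and the company should agree on in advance.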
As you can see, the PCI Data Security Standard contains quite a handful of sub-requirements, and these are just the ones pertaining to Requirement 6 of the total of 12! While making sure all the auditor's requirements are met is not a simple matter and does take time, the good news is that much of the PCI security compliance work can be outsourced to qualified PCI compliance service companies.
We will present more information on ways to minimize the extra load of fulfilling the PCI DSS audit requirements and becoming PCI compliant in the section on PCI compliance solutions.