Retail merchants processing more than 1 million Mastercard or Visa transactions annually must now either have staff certified as Internal Security Assessors (ISAs) or engage a Qualified Security Assessor (QSA) to complete a PCI DSS (Payment Card Industry Data Security Standard) assessment and produce a Report on Compliance (ROC). Acquiring banks and card processors are pushing this hard, often on merchants who have no idea what it involves. Compliance is not a short process, and the responsibility lies squarely with the merchant.
'Compliance auditing' is a worrisome exercise, and the fear is valid for several reasons:
1. Dollars involved
2. Discovery of the many gaps that you may not even be aware existed
3. Remediation process which by itself could be a journey
4. Time away from normal work routines, since dedicated staff may be needed to answer an auditor's questions
5. Interference with running your business
However, a QSA's goal is to help keep your business running smoothly and to make sure your network environment is protected against a breach. The assessor also needs the retailer's cooperation for the audit to succeed.
Here are basic mistakes you can avoid before a Qualified Security Assessor (QSA) ever walks in.
1. Treating the process as a 'how' rather than a 'why'.
Do not lose sight of why a security audit is needed: to protect your business and your customers' data, not just to answer a list of requirements and obtain a Report on Compliance. A compliance assessment evaluates your point-of-sale systems and everything else that stores, processes or transmits cardholder data.
The intentions are to:
- Inspect and analyze your systems to establish compliance with the PCI DSS requirements (roughly 286 individual sub-requirements)
- Identify weak points that could cause a breach from inside and outside your stores
- Prevent data from falling into the hands of a hacker
- Keep the card companies and acquiring banks happy with your data security
2. Not looking at the big picture – staying in business.
The second mistake is not getting your ducks in a row: first understanding your environment's weaknesses and gaps, and then addressing them completely. Both technology and people play an important role here. Technology can close the gaps, but the burden of understanding what those gaps are, and the responsibility for bringing in the right solution, falls on the data security experts within the company.
Not all companies have that expertise. In those situations, it is best to hire a partner with the experience and knowledge to take you through the journey step by step.
3. Rushing into an audit just because it has to be done.
This applies mostly to Level 1 and Level 2 merchants, and to Level 4 merchants who have been breached.
Do not hire a Qualified Security Assessor (QSA) without preparation. Start by going through step 2 above. Then set up your own screening process covering the QSA's qualifications, competence and personality. You want to work with a QSA who will willingly guide you through remediation if it turns out to be necessary.
4. Not having enough logs and documentation to show that your organization has been keeping up with the PCI DSS requirements.
QSAs need proof of compliance. They must validate everything you do, and the best evidence is logs and documentation. Companies can train people internally so they are well prepared before bringing in a QSA. Smaller companies can even perform the assessment themselves with this training, according to Bob Russo, General Manager of the PCI Security Standards Council.
5. Not having an internally trained person, or a consultant, who understands the 286 SAQ requirements.
If you go with a service provider, find the right Managed Security Service Provider (MSSP). Be sure the MSSP has a proven track record in environments similar to yours, understands data security inside and out, has handled breach cases, and will work in the best interest of your company.
A compliance audit is serious, and you need a serious partner to work with.
A QSA audit will go smoothly if you avoid the five mistakes above. Partner with Omega. Omega can help you with the entire data security and compliance process, prepare you for an audit, and help you stay compliant.
Remember that compliance is ongoing, not a one-time effort. Adding a single new device, if it is not installed correctly, can put you out of compliance. The best way to stay compliant is to partner with an expert who tracks your network's security and compliance every step of the way. Call us at 636-557-7777.