Scroll Top

What is a PCI Audit: A Full Breakdown

What is a PCI Audit
What is a PCI Audit

What is a PCI Audit?

Simply put, a PCI audit tests the security of your organization’s debit and credit card processing system. The Payment Card Industry Data Security Standards (PCI DSS) exist to help protect the safety of consumers’, merchants’ and financial institutions’ cardholder data. By adhering to the strict standards set out by the requirements of the PCI DSS. To perform a PCI DSS Audit, a Qualified Security Assessor (QSA) or your own Internal Security Assessor (ISA) conducts a test of your payment card system using 12 main criteria:

  1. That you have and maintain a firewall properly configured to protect cardholder data
  2. You don’t use vendor-supplied defaults for system passwords and security parameters
  3. You protect stored cardholder data
  4. You encrypt the transmission of cardholder data across open and public networks
  5. You use and update regularly anti-virus software and/or programs
  6. You’ve developed and continue to maintain secure systems and applications
  7. You restrict access to cardholder data by business, as need-to-know
  8. You assign a unique ID to each person with computer access
  9. You restrict physical access to cardholder data
  10. You track and monitor all access to network resources and cardholder data
  11. You regularly test your security systems and processes
  12. You maintain a policy that addresses information security for employees and contractors

Why is PCI DSS Important? The PCI Security Standards Council was founded in 2006 by the major credit card companies of the world including American Express, Discover, JCB International, Mastercard and Visa. The Council has two main priorities for the work they do:

  1. “Help merchants and Financial Institutions (FI)  understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data”
  2. “Help vendors understand and implement standards for creating secure payment solutions.”

Overall, they exist to enforce standards aimed at keeping cyber defenses primed against attacks aimed at stealing cardholder data.  

Do You Need to Become PCI-Compliant, but Don’t Know Where to Start?

Our PCI Compliance Services make everything easier for you!

Learn More


Why is it Important to Maintain PCI DSS Compliance

In broad strokes, it’s important to maintain PCI DSS compliance to protect the integrity of your payment card system and retain the trust of your clients and consumers. On a more direct level, it’s important to pass your PCI compliance auditing to avoid paying a hefty fine. While banks have the luxury of shifting the cost of their fines to their customer base (usually in the form of heightened account or transaction fees), merchants must pay for it out-of-pocket. Fines can range anywhere from $5,000 to $100,000 a month, lasting until the merchant has achieved compliance. Again, while this fine can be relatively well-absorbed by a big bank, fines of that size for smaller merchants can put them out of business. However, even these fines are nothing compared to the potential costs brought on by data breaches, reputation damage, lawsuits, monitoring fees and actions on behalf of state and federal governments that come about when you’re really not PCI compliant. For example, Target was forced to pay an $18.5 million settlement because of a massive 2013 breach.

PCI compliance auditing

What are PCI Compliance Levels? For merchants, there are 4 levels they could fall into, each of which is based solely on the amount of credit card transaction volume they experience over a 12-months. Here’s a chart breaking down the 4 merchant levels, as outlined by Visa (as one credit card type example):  

Merchant Level Description
1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

Depending on your merchant level, you will require a different level of audit compliance, according to what the PCI DSS requires.  

Want to Learn Even More Ways of Protecting Your Business and Clients’ Data? Read these Articles Today.

The Risks of Performing Your Own PCI Audit Self-Assessment

Performing your own PCI Audit/Risk Assessment is an option that small merchants may take. There are several different questionnaires available, depending on the type of merchant you are. However, if the PCI Audit is not done perfectly, the potential costs that results from a data breach or not being in compliance often far outweigh the costs you might save by conducting the audit yourself. More often than not, hiring experts to help you achieve PCI compliance is the best way to go.  

The PCI Audit Compliance Process

The PCI DSS recommends breaking down your Audit into three separate steps:

  • Assessment Here you’ll want to identify cardholder data, take an inventory of all your IT assets and business processes that you use for processing payment via payment card, then analyze them for vulnerabilities.
  • Remediation This is where you’ll fix vulnerabilities and eliminate the storage of cardholder data unless keeping it is strictly necessary.
  • Reporting On this last step, you’ll be compiling and submitting the required reports the audit has generated to the correct bank and card brands.


Choosing the Right IT Consultant Company to Help with Your PCI Audit

If this article has given you more questions than answers (like “what is a PCI audit for a computer network”), don’t worry, you’re not alone. Conducting a PCI Audit is a very lengthy, complicated and potentially expensive process. And what’s worse, is that getting the audit wrong can be even more costly. No matter what size of merchant you are, you need the right help to make sure your annual PCI Audit goes well, and you pass with flying colors. Here at Power Consulting, we have helped hundreds of merchants and businesses achieve PCI DSS compliance, and we can help you too. Talk to us today about our PCI compliance services, so that you avoid having to pay hefty fines and deal with endless headaches. We’ll make it easy for you.