How can businesses streamline the Report on Compliance process? As a Qualified Security Assessor, we’ve identified a handful of steps that make a PCI compliance audit run as smoothly as possible for merchants.
3 Steps to a Successful PCI Compliance Audit
Typically, a successful RoC process consists of three basic steps:
1. Identify a collaborative QSA
For the process to be as efficient as possible, it needs to be a collaborative process. Try to identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.
2. Get the documents in order
A Report on Compliance requires documentation for every control – which adds up to quite a lot of documentation indeed. Look for your QSA to give you plenty of time to get the documents together. Six weeks is an appropriate amount of lead time.
3. Talk ahead of time
A QSA should schedule interviews with your key personnel a few weeks before they come on-site, so they can be conscious of your people’s time while gathering the data they need. Regular communication is fundamental, so when the QSA identifies areas of noncompliance, you can address it as quickly as possible. As long as an issue is addressed before the QSA writes its report, you should get credit for compliance. Make certain that you have a key internal contact regularly managing potential issues and handling requests for artifacts or documentation from your QSA. What you don’t want in a partner is a QSA who flies out an assessor who spends a week onsite, never speaking to you before or after. Make sure you find a partner who can educate you throughout the process, helping to strengthen your security and your confidence.
The PCI DSS is an evolving set of standards. Among the most important rules for choosing a QSA is finding an organization that is in tune with the direction of the standards, and can help you prepare for the future – not simply check off the boxes for today. For merchants currently tracking their security measures to Version 2.0 of the DSS (which is permitted until 2015), it would be wise to identify items they will need to change for Version 3.0. An up-to-date QSA will help you be future-aware. The overarching trajectory of DSS Version 3.0 is to help organizations get to the point where security as a whole, including PCI compliance, is business as usual. The priority shouldn’t be getting the council off your back – rather, you want a thoughtful security strategy to permeate your organization, managing risk for its own sake.