PCI DSS audit

Each company working with payment cards is obliged to do its utmost to prevent the user data loss when making transactions, in other words, comply with PCI DSS standard. This is one of the key conditions for working with the world's leading payment operators, organizing support for all PCI DSS.

Payment Card Industry Data Security Standard is a special document that specifies the rules for storing, transferring and managing user data in corporate databases.

PCI DSS is designed to enhance security of your user database infrastructure.

The standard consists of 12 rules, which are divided into six categories:

1. Formation, maintenance and management of protected space and information storages;
2. Bank cards protection;
3. Control over vulnerabilities and their timely elimination;
4. Definition of strict parameters of access control;
5. Checking and tracking the system status;
6. Compliance with data security requirements.

All PCI DSS regulations are mandatory.

However, there are the regulations that cannot be implemented in some types of companies due to the lack of relevant components. The lack of wireless networks would be one of such examples. In such a case, the company is not subject to the “ensure wireless security” requirement. In such cases, it is allowed using compensatory measures to minimize the risks of vulnerabilities.

To sum it up, PCI DSS regulates modern requirements for the user information security.

The payment services have established separate certification requirements for different organizations.

• Trading and service companies (merchants) – the companies are obliged to undergo the annual PCI DSS audit. The companies conducting more than 6 million financial transactions in 12 months must do it;
• Service providers - the requirements for such organizations are different for different payment operators. For example, the VISA provider's transaction limit for annual audit is 300 thousand financial transactions annually. MasterCard has more loyal requirements - a mandatory PCI DSS audit is carried out subject to processing at least 1 million financial transactions in 12 months;

The payment systems are entitled to impose sanctions on the companies that must undergo annual PCI DSS audit, but evade the obligation.

We should not forget that PCI DSS audits are only authorized to be performed by the specialists who have received QSA (Qualified Security Assessor) status, whose staff has QSA auditors.

On average, a PCI DSS audit of the company takes about 3 days. The result of QSA auditor work is a special report, the so-called Report on Compliance, in which the expert describes in detail the compliance or non-compliance of legal entity with PCI DSS standards for each item.

Based on the work results, there may be two scenarios:

1. If the specialist finds significant discrepancies with user protection requirements, a Remediation Plan is prepared;
2. If the QSA-auditor has not identified any violations, a PCI DSS Compliance Certificate is issued.

The organizations cooperating with leading payment operators are required to scan the external perimeter of payment services. This operation is carried out every 3 months and is considered an essential part of PCI DSS compliance audit.

The specialists of Law & Trust International will help you fulfill all PCI DSS requirements, which will enhance your user information security. With our services, you can minimize the risks associated with information security. At the same time, your company will help you implement solutions that provide the necessary protection and allow you to cooperate with leading payment operators.