Website compliance can be a challenge. With so many different frameworks, ranging from privacy regulations to broader security frameworks, online stores must comply with more regulatory standards than ever before.
The Payment Card Industry Data Security Standard (PCI-DSS) is one of the most common frameworks required for e-Commerce stores. PCI compliance requires businesses to follow a specific set of regulations when handling credit card information.
With this in mind, businesses looking to become PCI-DSS compliant must pass an audit of their technology stack to ensure it conforms with the framework’s requirements. These requirements range from structural aspects to process components, all of which aim to ensure customer’s credit card information remains secure.
With the PCI compliance process taking upwards of two years, it’s vital businesses take the necessary steps to prepare. Through this process, businesses should consider the 12 objectives highlighted by the framework and understand the many individual directives associated with these objectives.
With 281 individual directives, this is a lot of information though!
Luckily for businesses beginning the audit process, the PCI framework outlines precisely how to comply with each directive.
Keeping the end goal in mind while working through the audit saves time and energy throughout the long process. Read more below for an overview of how e-Commerce stores can prepare for a PCI audit.
Different Levels of PCI Security
Before starting the preparation process, businesses should first understand what level of compliance they need. Since the different levels also require different amounts of review, gaining an understanding of these differences empowers the decision-making process to be more efficient. According to Michael Coulson, selecting the precise framework level your business requires, can save time and money preparing for the audit process.
Thankfully, the different levels of PCI compliance directly relate to the amount of transaction volume your business does online, making it easy to determine which level is best for your business.
Level 1: 6+ Million Yearly Transaction Volume Level 2: 1 - 2 Million Yearly Transaction Volume Level 3: 20,000 - 1 Million Yearly Transaction Volume Level 4: Less than 20,000 Yearly Transaction Volume
With these different levels in mind, businesses can then determine what changes should occur to meet their compliance obligations. All PCI levels require businesses to conduct quarterly PCI scans. This automated process can lead to finding security vulnerabilities related to payment processing. Furthermore, all levels of compliance require businesses to complete an Attestation of Compliance (AoC) form.
Next, businesses in the highest tier of compliance, level 1 will also need to have a Report on Compliance (RoC) completed by their auditor.
Finally, at the highest level of compliance, level 1, businesses need to complete an external security audit. For levels 2-4, businesses are only required to complete an internal audit of their systems.
Preparing for a PCI-DSS Audit
Regardless of the compliance level, the core component all businesses must complete is the assessment. For level 1 compliance, businesses will have an approved external auditor complete this portion of the audit.
For smaller businesses at levels 2-4, this will be a self-assessment questionnaire with a variety of different questionnaires available to fit your business needs. With 8 different Self-Assessment Questionnaires (SAQ) available, businesses can determine which questionnaire is best for them based upon precisely how transaction data is handled online.
Practical Tips to Prepare for the Audit
1. Don’t assume you’re compliant
A common mistake e-Commerce stores will make is to assume their system already meets the requirements. Don’t make this mistake and instead look at your systems from an objective perspective (as the auditor will do) and ensure you have the necessary controls in place.
2. Conduct an internal review before the external audit
With the auditing process taking over a year to complete, businesses should aim to conduct an internal review of their systems before the external audit. This empowers businesses to proactively conduct any changes to their network in blatant violation of the framework’s controls.
3. Recognize and mitigate your risks
Every digital environment undertakes some level of risk. To this point, businesses should aim to not only understand their system’s risks but also work to proactively mitigate them. Through this process, businesses often gain a better understanding of the number of changes needed to meet the necessary PCI compliance requirements.
4. Understand your network structure
Aside from the fact that businesses need to understand their network structure to properly secure it, this understanding will also open up faster turnaround times during the audit. Through this process, businesses should aim to illuminate aspects of the network structure that are vulnerable and develop a plan to mitigate the associated risk.
5. Stakeholder involvement
Business owners should not rely on their development or internal teams to complete the audit process. With so much importance placed on PCI compliance, it’s important that stakeholders get involved in the auditing process as well.
6. Keep documentation updated
With documentation being a core component of PCI compliance, businesses should implement processes and procedures to ensure the related documentation remains up to date. This will ensure no out-of-date information slowing down the auditing process.
7. Communicate proactively with the auditor
Finally, once the audit begins, businesses should proactively communicate with their auditor. Remember, the auditor wants your business to succeed with all the different compliance controls required by the framework. Use this information to proactively communicate with them and ensure your website’s audit isn't delayed.
PCI Compliance Pentesting Requirements
The PCI compliance framework requires businesses to test their internal systems on an annual basis or "anytime there is a significant infrastructure or application upgrade or modification." While this test may be completed by an internal employee, they must be an experienced pentester to do so. After a completed pentest, remember to hold onto the pentest report as businesses will need to submit it as a part of their compliance application.
In closing, remember that any business that processes online transactions should consider applying for PCI compliance. Businesses should start by understanding precisely what compliance level fits their specific needs based upon the above guidelines and then implement the necessary changes to become compliant.
Finally, as businesses prepare to complete the PCI-DSS compliance process, remember Cobalt offers an easy-to-use solution for pentesting with a Pentest as a Service (PtaaS) platform to fulfill your compliance pentesting needs.