
10 Ways To Fail A PCI Audit

Working on compliance with payment card data security guidelines? Don't make these common mistakes

Retailers and other companies that accept credit card payments have had to comply with the Payment Card Industry Data Security Standard for over six years now. PCI DSS comprises 12 major requirements, broken down into 221 subrequirements, that businesses must meet to protect cardholder data from theft. But even after years of refining these standards, undergoing exhaustive training, and facing the threat of financial penalties from the card brands, many businesses still fail to comply with the basic requirements.

According to Verizon's "2011 Payment Card Industry Compliance Report," only 21% of organizations met the more than 200 must-pass requirements for PCI during their first try at validation last year. The other 79% had to go through further remediation to show they were in compliance for the year. And a year later they are more than likely out of compliance again: 75% of organizations that passed an audit the previous year had fallen out of compliance by the next one.


This process is costing companies a pretty penny in consulting and auditing fees. So figuring out the root causes of failing a PCI audit would help a lot of businesses. Avoid these 10 common mistakes and your company will be well on the way to PCI compliance.

1) Picking First Auditor Who Comes Along

Businesses get to pick their own Qualified Security Assessors, the PCI Security Standards Council-certified experts who conduct the PCI audit. Vet your auditor well, far in advance of any deadline. While the PCI Council has worked to even out the quality of its assessors, there is still a lot of variation in auditing and remediation philosophies, experience levels, and PCI knowledge.

"Choosing the right auditor can mean the difference between weeks of effort and months of effort to become compliant," says James Brown, CTO of StillSecure, a network access control and cloud security company. The best way to find the right auditor for your company is to get references and look into past audit performance.

One of the most important questions to ask before hiring a QSA company is how many Reports on Compliance it has completed in the last year, says Dave Whitelegg, a security and compliance consultant for IT Security Expert, an IT security consultancy. Twenty or more and the firm probably has a good base of expertise in PCI DSS assessments. "Anything less than 10, then to be brutally honest, you're likely to be dealing with an amateur QSA organization," he warns.

Look for QSAs who offer consistent advice and interpretation of the rules, and whose personalities mesh with your own IT staff's. Make sure to ask about procedures they follow when remediation is needed and get a feel for their willingness to work with you to find solutions rather than jumping into an adversarial role.

Don't choose a QSA solely based on cost or the likelihood of getting an easy pass. And keep in mind why you're doing the audit.

"Institutions can spend so much time meeting requirements that they forget their first responsibility: protecting their customers' trust," says Bill Munroe, VP of Verdasys, a data security company. Don't get so in the weeds with the "hows" of passing a PCI audit that you forget the "whys," Munroe warns.

2) Skipping Pre-Audit Assessment

Are you really sure you're ready for your assessment? Companies can bring in a QSA firm too early in the process, before they have checked whether they actually have a handle on all of the PCI requirements, says Court Little, director of strategic security at Solutionary, a QSA firm.

"They'll just jump into this and say, 'I need an auditor to come in.' And we get there, and it's just a bloodbath of marking up red," Little says. In some cases, he says, his people are contracted for a four-day engagement that ends after two because they're wasting everyone's time. "That's when they say, 'Let's revisit this once you guys get a better handle on this because you're not even close to being ready for an audit,'" Little says.


One tactic is to have a qualified security consultant familiar with PCI conduct a gap analysis to assess whether you're meeting PCI requirements or are way off the mark.

"It's so much more cost-effective to do that gap analysis and do it right in the first place than getting a report dipped in red and having to go back in six months and have that person revalidate," Little says.

Once you think you're close to complying, another option is a pre-audit assessment over the phone with the QSA. Less comprehensive than a gap analysis, pre-audits go over compliance details before the QSA steps through the door.

3) Starting Without A Pre-Audit Checklist

Don't limit your preparation to just strategic gap analysis and pre-audit assessment. Companies that don't prepare for all the information, paperwork, and interviews that the QSA will want put their PCI status at risk.

Not having specific information at hand or the right executive available for an interview won't fail you outright, but it's guaranteed to lengthen the validation process, irritate the assessor, and cost your business money.

Auditors often go into a company and say, "I need this documentation, these logs, and to interview these people," and that can catch companies off guard, Little says. Make sure you ask the QSA what you must do to get ready for the audit.

Unprepared managers do things like have 15 people twiddling their thumbs in a room all day just in case the auditor needs to interview them, says Little, who has seen such time wasters firsthand.



