Why you should perform a PCI Compliance Readiness Assessment

A Payment Card Industry Data Security Standard (PCI DSS) readiness assessment can help your organization determine whether you are ready to undergo a full PCI DSS audit or self-assessment. 

Before scheduling a PCI audit, many organizations opt to conduct a PCI readiness assessment. Often referred to as a pre-audit or a gap analysis, it is designed to uncover security issues so they can be remediated before your Qualified Security Assessor (QSA) arrives. This pre-audit helps you develop a strategy and remediation plan so that you can successfully achieve PCI compliance.


Who needs a PCI audit? 

While entities that accept, transmit, store, or process credit cards are not mandated by law or regulation to adopt PCI standards, the major card brands do mandate their use through the banks and other organizations that process credit card transactions. Failure to comply with the applicable standards can result in fines and in being unable to accept credit card transactions at all, along with the financial impact of such a ban. In practice, therefore, PCI standards are a requirement for all merchants, without exception.

Merchants are classified into levels based on the number of transactions processed each year. An on-site PCI audit and the resulting Report on Compliance (ROC) are required for Level 1 merchants—those that process more than six million transactions per year, with the exact threshold depending on the card brands accepted.

Level 2, Level 3, and Level 4 merchants need only complete a Self-Assessment Questionnaire (SAQ), but many Level 2 and Level 3 organizations elect to undergo the audit and obtain a ROC.

What a PCI readiness assessment entails 

A PCI readiness assessment is intended to find holes in your PCI compliance program—deficiencies that could prevent your enterprise from attaining PCI DSS compliance. A readiness assessment can involve the following: 

  • Define and minimize your scope. Selecting a framework and deciding which requirements apply to your environment is key. Network segmentation, such as placing firewalls around your Cardholder Data Environment (CDE), reduces your exposure to cybercrime and limits the number of systems the PCI auditor will need to examine.
  • Determine how well you meet each applicable PCI DSS requirement. Your risk assessment document may help with this step. Where you do not comply, apply the needed controls.
  • Test your controls. PCI compliance is an ongoing process, requiring constant care and feeding. Testing your controls before each audit or assessment helps ensure you are meeting the requirements.
  • Gather your evidence. PCI audits are all about documentation, and having your evidence and documents in order before the auditor arrives can save you a lot of time, money, and headache.

With on-site PCI DSS audits costing upwards of $70,000 depending on your environment, performing a readiness assessment can save your enterprise time and money by identifying and remediating gaps before the on-site audit.


How Brockton Point Solutions Can Help 

Brockton Point Solutions can be your trusted partner in building or improving your cyber security maturity. We will help you build metrics to effectively measure your security program. Whether your organization is establishing a cyber security program or wishes to improve an existing one, we are here to help. With our risk assessment, governance, and compliance services, we can assess your current program, identify what works and what does not, and build a more mature program with you. Members of the Brockton Point team have over 15 years' experience in cyber security. We are excited to help organizations further mature their security programs. Reducing your cyber risk to a manageable level is important when running a business, and having an effective way to measure your program helps reduce that risk.
