What to Expect When You're Expecting a PCI Compliance Audit

You received a letter from your payment gateway saying you must pass a PCI Compliance Audit. What now?

Well, before we get into the nitty gritty, let’s get some critical definitions out of the way.

What is PCI?

PCI compliance is a set of security standards designed to ensure that companies accepting, transmitting, or storing credit card information maintain a secure environment. It is crucial for protecting cardholder data and reducing the risk of data breaches.

To become PCI compliant, businesses must adhere to 12 requirements. Some of which include maintaining a secure network, protecting cardholder data, and regularly monitoring and testing networks.

There are four levels of compliance, based on the number of credit card transactions processed annually. PCI compliance is not a legal requirement, but it is widely recognized as a best practice for businesses handling credit card information. (source: Grok)

What is a compliance audit?

In a previous interview with BigCommerce I stated, “A PCI compliance audit is when your bank or merchant services provider requires you to prove that customer data is secure.” This is still true.

As a merchant, a PCI Compliance audit generally consists of two parts: an operational security (OpSec) questionnaire and a technical audit.

What is at stake?

Unfortunately, there is no way to sugarcoat this one. If you fail to pass the audit, you may lose your ability to collect payment on your website. Don’t panic, though. Before you get to that point you will usually have plenty of time to resolve issues. Unless your audit reveals a gross disregard for securing information and you are either unwilling or unable to change your ways, you should be able to get through the process without an interruption to business.

Do I need a developer to help me with the audit?

As mentioned, there is a technical part to the audit process. However, you may not need any developer help if:

• You are using a SaaS platform like BigCommerce or Shopify. If there are exceptions you should be able to refer them to the platform’s support team.
• You only process payments on a 3rd party platform like PayPal’s. This means that during the checkout process the shopper is redirected to PayPal’s website for payment and returns to your site’s checkout only for the confirmation page.
• You pass the automated audit system’s tests with no exceptions.

Audit steps

For most merchants the audit steps include the following:

1. Fill out the operational security questionnaire. If you are using a software that you host (open source or custom), you may need the hosting company to fill in some technical questions like if you have the appropriate firewall rules in place. However, most of these questions have to do with how your employees handle sensitive information (OpSec).

2. Communicate your plan to address OpSec exceptions. If your current processes are unconvincing to the PCI gods, you may have to write up a remediation plan. In some cases, they actually follow up to make sure you have implemented your plan and are now operationally compliant.

3. Address any exceptions from the technical audit. Most payment processors will run this audit on your website before contacting you. If the technical audit reveals some exceptions, it is not necessarily time to shout at your developer. Exceptions on the audit are not necessarily vulnerabilities. Think of it this way: The PCI auditor knows that if you set up your server in a specific way, it will be sufficiently secure. If you have the wrong version of server software or a different database than expected, for example, they flag it as an exception. Your developer just needs to provide proof that it is actually implemented securely. Of course, if there is an actual vulnerability, your developer may need to address the issue by changing server configurations, upgrading a programming language, applying security patches, or other steps.

4. Pass the technical audit. After you or your developers address real exceptions, the auditor will run the audit on your site again. This may take several iterations until they are satisfied.

Attitude is everything

Payment companies have a vested interest in you passing the audit. The more payments that flow through their system, the more money they make. In Razoyo’s experience, as long as you respond promptly to their questions, take steps in the timeframe you commit to, and are thorough and professional in your approach, chances are, you will have minimal disruption and pass the audit. If it makes you feel any better, PCI Compliance is a business requirement, part of the self-regulation of the financial technology industry — it is not a legal requirement. You will not go to jail for a bad audit.

It’s not your fault

Most merchants take security seriously. In most cases, you aren’t asked to pass the audit because of some glaring failure. Honestly, it is often just random selection. Just take a breath, read the documents carefully and work through the process. You’ve got this!!!!