For the last six years, any company that accepts credit card payments has been required to be in compliance with PCI DSS standards. Although the requirements aren’t new, many businesses still have trouble meeting all the 12 major requirements and 221 sub-requirements. In fact, only 21% of businesses passed their PCI audits on their first attempt last year. 75% of those that had passed an audit the previous year were not in compliance next year. Lengthy audits and remediation processes cost businesses time and money. Here are some tips to help you make sure that your organization is PCI complaint at your next audit.
- Be prepared. It seems like it would be common sense, but many Qualified Security Assessors say that one of the biggest wasters of time and money they find are companies who haven’t adequately done their homework before an audit. Gather documentation ahead of time and make sure that the people the auditor will need to talk to will actually be there and not on vacation. Get things set up with legal and IT so the auditor can access needed information. Best of all, talk to the auditor before the audit and get a list of everything your QSA will need to have access to before he or she arrives. Demonstrating a general atmosphere of preparedness and competency will communicate that your organization is also handling customer data well.
- Make sure you understand the requirements and how your organization is meeting them. The PCI council has tried to strike the difficult balance of adequately clarifying the requirements while still allowing the flexibility for businesses to handle security issues in a way that is appropriate for their business. Sometimes that flexibility can lead to misunderstandings, however. Prior to the audit, you might consider talking over PCI requirement with a PCI expert. You should also be familiar enough with your business’s own policies and procedures to know how they are helping you stay in compliance.
- Know where your data is going. It’s very easy for cardholder data to wind-up being stored somewhere it doesn’t belong. You may think that your credit card program is handling information a certain way, but you need to verify thats actually how data is being stored before your auditor arrives. The best practice is keeping the cardholder data system isolated from the rest of your IT systems. The more systems that interact with the data, the longer and more expensive your audit will be.
AbleCommerce is one of the first PCI compliant shopping cart programs to be certified under stricter PCI-DSS standards. We offer a powerful yet economic solution to your e-commerce needs. Contact us to learn how our award winning software can help your business achieve PCI compliance.