When It Comes to PCI Audits, the Best Defense is a Good Offense

    Understandably, audits have a bad rap. The word “audit” alone may strike fear into the heart of most business owners. So if you’ve gotten a call from a retail client who’s been informed of an upcoming PCI audit, chances are, they’re more than a little concerned about the process ahead of them. They’re looking for you, as an MSP or IT service provider, to help them get on track to full PCI compliance.

    A good place to start with such a client? Reassurance.

    PCI DSS Audits: Not Always Scary

    The truth is, PCI audits aren’t all that bad. Even businesses that are found to be non-compliant with PCI are given a substantial “probation” period before facing any real repercussions (i.e. fines or loss of credit card transactions). With this probation period, a business is given ample time to get its act together and its networks up to PCI standards. Should your client be found to be in violation of PCI guidelines, the auditor will give them time to fix any problems.

    All that being said, it’s very important that your client get up to speed on PCI requirements. While first-time PCI offenses carry only mild repercussions, further incidents could result in hefty fines, or (more likely) banks refusing to process your client’s credit card transactions altogether. Worse still, not adhering to PCI standards puts each and every credit card transaction processed by your client at risk. Hackers and malicious software are getting more advanced every day, and there’s no worse PR than a company admitting to accidentally compromising the credit card information of their customer base.

    Whether your client is clueless about PCI compliance or just needs some help to become fully compliant, an advanced security and password management system can help you ensure they’re ready to use PCI best practices for their audit and beyond. After all, the best defense is a good offense. Complying ahead of time, and keeping those best practices going, ensures that your client won’t have to worry about another audit around the corner. With well-designed security software, PCI compliance, and peace of mind, is easy.

    Regardless of where your client is in terms of PCI compliance, you’ll need to check that all PCI requirements are being met. Here are some of the major ones to watch out for:

    Password strength: Do not use vendor-supplied defaults for system passwords or other security parameters.

    • With a strong password management system, you can easily enforce a strong password policy and monitor users with poor password practices.

    Restrict access to cardholder data to business need-to-know.

    • Use your password management system to assign permissions based on job role, ensuring that only users who need access to cardholder data for their jobs have access to it.

    Incorporate two-factor authentication for remote network access originating outside the network by personnel and all third parties.

    • This means that anyone trying to access the network off-site will have to present not only a password, but also another security “factor,” like a fingerprint scan or a one-time access code. In the past, many businesses have tried to avoid two-factor authentication because of the cost associated with it. But today, there are very affordable solutions, like using a secure mobile app on the user’s smartphone to generate a unique one-time code. Two-factor authentication is a key element of PCI compliance: because a stolen or guessed password alone is no longer enough to get in, it makes a network nearly impenetrable to an outside attack.

    Track and monitor all access to network resources and cardholder data.

    • Your password management system should be capable of generating and storing detailed audit logs in an easy-to-access form. That way, any security-related event can be tracked back to a time, date, and user.
