Preparing for a PCI compliance audit is a tedious process, but it doesn’t have to be complicated and stressful. The key is to develop processes and procedures that make it easy to gather all required documentation well before the auditor’s visit.
After working in a variety of industries that adhere to many regulations – payments, securities, loans, retail – I have discovered organizations of all sizes experience the same pain. I’ve witnessed companies panic as they scramble to gather all the required information, and it’s not a fun environment to be in.
So let’s break down the process into three stages: Design, Organize and Plan
Note: During this process, I recommend creating folders in your organization’s document repository and always keep your review findings in one place. These folders/files should break down each requirement and all the documents, reports, emails, approvals, correspondence, etc. that were used to ensure the requirement was met.
Compliance takes a clear design based on your organization’s systems/applications, internal and external connections, and user role responsibilities and the data they can access. This design stage takes time and experts to efficiently complete the analysis and documentation required.
Your design should include the following components:
- All compliance requirements to which your organization must adhere. Break down the requirements by which areas of your organization they affect (some may affect multiple areas) and assign those requirements to those specific areas.
- Physical access to systems, such as through telecommunications, access to the buildings that house the systems, and user access
- An illustration that shows everything that’s contained within the systems, input, output and all access points
- Architecture and telecommunications designs
It’s not easy to organize after you have been running day-to-day business activities without it so I always tell our clients to use their past to create the process for the future.
Step 1: Gather all evidence from previous audits.
Even if your compliance requirements have changed, this step provides a good starting point to build upon.
Step 2: Assign requirements to specific groups.
Determine whether the same groups within your organization are responsible for evidence gathering for those requirements.
If nothing’s changed since the last audit, then great! If not, this is the time to determine which groups are responsible for which requirements and review them with everyone involved.
As I mentioned above, create folders in your organization’s document repository and always keep your review findings in one place. These folders/files should break down each requirement and all the documents, reports, emails, approvals, correspondence, etc. that were used to ensure the requirement was met.
Move all prior audit documents to these new folders to keep your archived data up to date.
Step 3: Create a map.
Every compliance manager (whether full-time or part-time) will need to create a map that identifies which requirements apply to which groups within your organization.
Contacts within those groups should be updated periodically, which will keep you from having to find the responsible groups at the last minute.
Step 4: Schedule periodic reviews of systems.
Scheduling periodic reviews of systems ensures your architecture documents are updated whenever a change is made. Your business will change so your compliance reviews should be updated where necessary.
Ideally, you should assign a person or group who will ensure those reviews are occurring and documentation is updated. However, if you don’t have the resources, then your internal audit reviews should start months in advance of your next audit.
If you are trying to create an organized repository for evidence, process and procedure documents, Visio system illustrations and responsibility listings, breaking them down by requirement will help your auditors.
Planning for your next audit will help your organization avoid the last-minute scramble that often leads to increased stress and costly mistakes.
- Take time to organize all necessary evidences.
- Document any deficiencies and track the work required to remediate them.
- Break down the work required by requirement and by group responsible.
- Stay on target. Most audits take weeks if not months so there may be overlap that you can use to continue to gather your evidence.
- Automate as much as possible. Get your developers involved because they are one of your most valuable resources. When you report and gather data, set up jobs to run periodically and email them to the groups required to review. Document them for future use.
How Odyssey can help
If your company needs help navigating the ever-changing compliance landscape, reach out to us. Our team of experts will work with your IT team to identify gaps, organize all documents and create a proactive plan that have you prepared for an audit at any time. Click here to learn more.
About the Author