Did You Fail Your PCI Audit? Here’s What to Do Next

In a previous post, we discussed version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS). All organizations that store, process or transmit payment card data must comply with PCI DSS, which requires minimum levels of security for all IT systems that are “in scope.” Version 4.0, launched on March 31, 2022, provides for a more flexible approach to compliance that can be customized to the organization’s specific needs. It also requires “continuous compliance” with the standard rather than a once-a-year, box-checking exercise.

At this point most organizations have had to file their first audit, and it was likely eye-opening. Given the traditionally low levels of PCI compliance, it’s likely that many organizations were not fully prepared for the changes implemented in PCI DSS 4.0. Full compliance won’t be mandated until March 31, 2025, but that offers a limited time to modify existing security controls.

Furthermore, auditors are allowed to tell you that you have an issue, but they cannot tell you how to resolve it. DeSeMa specializes in helping organizations identify the root cause of these issues so that they can maintain compliance for the long term.


The DeSeMa ‘Mock Audit’

DeSeMa starts by conducting a mock audit. It cannot be filed, but it looks exactly like an audit. Our auditors, who used to work for major compliance firms, use the same protocols as Qualified Security Assessors (QSAs). By going through the mock audit process, our team can identify issues and tell you how to repair them.

Our auditors take that feedback to our design and engineering team, which allows us to give you very specific and strategically appropriate ways of resolving any issues that would appear in an actual audit report. We can then help you implement any new technologies, fine-tune your existing systems and modify your processes so that you will pass your next assessment.

If you’ve already been audited, we’ll still go through the mock audit but use the audit report to reduce the time we spend auditing. It’s important to note, however, that our mock audit takes a different approach. When a QSA performs the audit, it’s pass-fail. Did you meet this objective, yes or no? When we conduct the mock audit it’s more nuanced. Instead of pass-fail, we look at why a particular control did not meet the standard and what we can modify to make it pass.


Broad Compliance Capabilities

PCI DSS is just one regulation that DeSeMa can assist you with. Our team can perform mock audits for other compliance requirements, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Federal Information Security Management Act (FISMA) and many others. We can also assist with the data privacy standards of California, New York and the European Union. In each case, the mock audit is conducted by an auditor who specializes in that particular field.

This broad capability is particularly beneficial for organizations that must comply with multiple standards. For example, a healthcare organization may be required to comply with HIPAA, SOX and PCI DSS. In that instance, we can do a combined audit so the customer doesn’t have to pay for overlapping points.

Failing a PCI audit can be a frustrating experience because the auditor cannot tell you why you failed. And PCI DSS is just the tip of the iceberg — there are countless other regulations that require similar security controls. DeSeMa is here to help you pinpoint and correct compliance issues so that you can pass your audits and better protect your systems and data.
