Make Your Auditor Happy: Follow This PCI Audit Checklist
How not to fail your next PCI DSS audit.
Check out the infographic here.No matter the type of business, whether a retail or service provider environment, similar problems materialize before or during an audit that ultimately slow audit progress. Aside from being experts on PCI DSS requirements, onsite PCI DSS auditors are attuned to quickly see the security problems in an environment.
See Also: How to Prepare for a PCI DSS Audit
PCI DSS auditor pet peeves
The job of a security auditor is to inspect and analyze what security methods, tools, and processes have already been implemented at a business. The key phrase being already implemented.Your auditor can tell if security isn’t a top priority at your company. That being said, most environments need a little TLC, and that’s just fine. Auditors love to see when IT or compliance managers try their hardest to keep on top of vulnerabilities to ensure security at their organization. If they require a little help to get over the last few bumps to clear their PCI DSS audit, an auditor will gladly help.
Every auditor wants to step into their audit environment to eager and determined employees ready to help them out at every turn. Obviously, that doesn’t always happen. Unfortunately for auditors, most people view an audit as a necessary evil.
PCI DSS auditors aren’t mean or evil. They want you to succeed! It’s the people who simply don’t care about security, and purely view their audit as an inconvenience that make auditors cranky.
What every auditor wants
In an ideal world, auditors want the audit liaison or compliance officer to have:- An understanding of audit security jargon.
- Transparent and eager attitudes to their questions and suggestions.
- An already-made PCI audit checklist complete with questions to ask the auditor.
- Last year’s ROC printed out for them.
- Documentation on how the environment is coping with recent vulnerabilities.
- Talked with key stakeholders to help them understand the organization’s risks.
- Checked event logs regularly.
- Documentation on how third party security risks are mitigated.
- An understanding of PCI DSS 3.1.
- An understanding of your PCI DSS scope.
Correct documentation and updated personnel help an auditor get up to speed on the environment as quickly as possible.The quicker an auditor gets up to speed, the quicker you get through your audit.