Would you ever sit an exam without a minimum of readiness? The answer probably depends on how much you want to pass it. In its PCI DSS Compliance Report, Verizon underlines how challenging it is for organizations to maintain their compliance level. The causes are multiple. With the Holy Grail in their pocket, organizations are tempted to let their guard down and turn their attention and resources to more "important and urgent" matters. Following up on the ongoing and periodic PCI controls requires dedicated resources and time, both of which are in short supply. But in my opinion the biggest contributing factor is the absence or lack of audit tactics and readiness.
Audit process
An audit process encompasses the following phases:
- Audit Preparation (see further)
- On-site QSA audit. The QSAs perform interviews and review evidence
- Report drafting and delivery. The QSAs write and deliver the ROC (Report on Compliance)
- Internal review. The organization reviews the findings and, if necessary, draws up a remediation plan
- Remediation implementation. The organization fixes the findings
- QSA validation. The QSAs validate the fixes and hopefully deliver the Holy Grail!
Audit Preparation
This phase, often shortened and neglected, includes the following activities:
- Define the audit timeline (see details further down)
- Validate the PCI DSS scope (together with the QSA)
- Validate the PCI compliance of third parties such as hosting providers and payment gateways
- Perform an internal gap analysis / review of your compliance status against the standard
- Fix deviations (if any)
- Collect and document evidence. As John Adams put it: "Facts are stubborn things". Properly executed, this activity gives both the organization and the QSAs strong confidence in the organization's readiness and diligence for the audit. However, because it is heavy work, it is often neglected. Use our "Book of evidences" for this purpose.
At the end of this phase, you should have ready:
- The validated PCI DSS scope
- The validated PCI compliance of your third parties
- Reviewed policies and procedures
- Reviewed network and data-flow diagrams
- Your completed Book of evidences
Timing
The first element to consider in your audit tactics is TIME. Do not be stingy with your time. Give yourself sufficient slack to reach readiness. I recommend kicking off your audit preparation 90 days (3 months) before D-day (the first day of the QSA visit). Also allocate yourself sufficient time to remediate any potential findings after the on-site audit. Here too I suggest a 90-day period, with the objective of being certified at the latest 90 days after D-day (D0). This gives 180 days to: prepare, take the audit, review the audit report, draw up and execute the remediation plan, get the fixes validated by the QSA and finally receive the long-awaited AOC.
Milestones
| Milestone | Description |
| --- | --- |
| D0 - 90 days | The audit preparation phase starts 90 days prior to the audit anniversary (date of the latest AOC) |
| D-day (D0) | The on-site audit starts at the latest on D0 and lasts a defined number of days agreed with the QSA |
| D1 = D0 + T days | End of on-site audit (phew!) |
| D2 = D1 + U days | Delivery of the initial audit report and kick-off of the internal review |
| D3 = D2 + V days | End of internal review |
| D4 = D3 + W days | Delivery of the remediation plan and associated timeline to the QSA |
| D5 = D4 + X days | Remediation plan is executed. Come on, brace yourselves. |
| D6 = D5 + Y days | QSA validates the fixes |
| D7 = D6 + Z days | QSA delivers the final ROC and AOC |
| D8 = D7 | Champagne!! Cheering and lauding |
| D9 = D8 + 1 | Back to work |
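To turn the milestone table into a concrete calendar and check it against the 90-days-before / 90-days-after budget from the Timing section, here is a small planner. It is an added example, not part of the original post; the durations used in the sample plan (T..Z) are illustrative assumptions, and the function names are my own.

```python
from datetime import date, timedelta

# Added example (not from the original post): derive the milestone dates from
# D-day (D0) and the durations T..Z of the table, then check the plan against
# the budget recommended in the Timing section (preparation starts at D0 - 90,
# AOC expected at the latest at D0 + 90).

PREP_DAYS = 90         # preparation kicks off 90 days before D0
AOC_TARGET_DAYS = 90   # objective: AOC received at the latest 90 days after D0


def milestones(d0, T, U, V, W, X, Y, Z):
    """Return a dict milestone-name -> date, following the table's definitions."""
    m = {}
    m["prep_start"] = d0 - timedelta(days=PREP_DAYS)
    m["D0"] = d0                                 # first day of the QSA visit
    m["D1"] = m["D0"] + timedelta(days=T)        # end of on-site audit
    m["D2"] = m["D1"] + timedelta(days=U)        # initial report delivered, internal review starts
    m["D3"] = m["D2"] + timedelta(days=V)        # end of internal review
    m["D4"] = m["D3"] + timedelta(days=W)        # remediation plan delivered to the QSA
    m["D5"] = m["D4"] + timedelta(days=X)        # remediation executed
    m["D6"] = m["D5"] + timedelta(days=Y)        # QSA validates the fixes
    m["D7"] = m["D6"] + timedelta(days=Z)        # final ROC and AOC delivered
    m["D8"] = m["D7"]                            # champagne
    m["D9"] = m["D8"] + timedelta(days=1)        # back to work
    return m


def slack_days(m):
    """Days left between AOC delivery (D7) and the D0 + 90 target; negative means late."""
    target = m["D0"] + timedelta(days=AOC_TARGET_DAYS)
    return (target - m["D7"]).days


def check_timeline(m, today=None):
    """Return a list of warnings; an empty list means the plan fits the budget."""
    warnings = []
    slack = slack_days(m)
    if slack < 0:
        warnings.append(
            f"AOC expected on {m['D7']}, {-slack} day(s) after the D0+90 target; "
            "shorten remediation (X) or validation (Y, Z), or move D0 earlier"
        )
    # If planning is done late, the 90-day preparation window is already eaten into.
    if today is not None and today > m["prep_start"]:
        lost = (today - m["prep_start"]).days
        warnings.append(
            f"preparation should have started on {m['prep_start']}; "
            f"{lost} day(s) of the 90-day preparation window are already lost"
        )
    return warnings


def render(m):
    """Return the plan as text lines, one milestone per line, in table order."""
    order = ["prep_start", "D0", "D1", "D2", "D3", "D4", "D5", "D6", "D7", "D8", "D9"]
    return [f"{name:<10} {m[name].isoformat()}" for name in order]


if __name__ == "__main__":
    # Constructed sample plan: on-site starts Monday 2024-09-02, 5 days on site,
    # 2 weeks for the report, 1 week internal review, 1 week to write the plan,
    # 30 days of remediation, 10 days of validation, 10 days for the final ROC/AOC.
    plan = milestones(date(2024, 9, 2), T=5, U=14, V=7, W=7, X=30, Y=10, Z=10)
    print("\n".join(render(plan)))
    print("slack:", slack_days(plan), "day(s)")
    for w in check_timeline(plan, today=date(2024, 6, 15)):
        print("WARNING:", w)
```

Run it once with the durations your QSA commits to (T, U, Y, Z) and your own estimates for V, W and X; a negative slack before the on-site even starts is the signal to renegotiate D0 or to start fixing known deviations during the preparation phase rather than after the audit.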
Resources