Secure Payments, PCI DSS, Regulatory Compliance Blog

How deep do your PCI auditors need to go?

September 15th, 2007 by admin Posted in Merchant, QSA, Service Provider

One of the more difficult questions to answer about PCI is how to define the scope of a project. This topic is rarely discussed because it depends so heavily on the specific environment. There are things to consider such as:

  • Network and operational segmentation
  • Type of data stored (i.e. track data vs. just PAN)
  • Volume of data stored
  • Who has access and how often do they have access
  • Format of the data (flat file, database, audio/image file)
  • Online vs. offline data stores

As you can see the factors are many, but how deep does an auditor need to look when performing an audit? Here are some questions that determine the depth of the examination:

  • Can they sample similar systems?
  • Will they rely on third-party reports?
  • Do they need to inspect the security of every application?
  • Will you need to give them copies of sensitive data for their work papers?
  • Who will send the final report to the acquirer or card brand?

Each auditor will vary in how deep they need to go when auditing a company, but most will need to review and examine all settings, configurations, and documents on their own. The reason is that they are attesting that everything they write in the report is true and accurate at the time of the audit.

This means that a QSA may need to review your system settings even if you had those settings reviewed as part of a different audit several months ago. Also, if the time between the ‘gap analysis’ and the ‘compliance audit’ is very long, they may need to update their work papers. This means you will provide them updated copies of the material you gave them previously. The reason for this is to confirm you still have all of the required controls in place.

If you do not want to give them copies of your sensitive data (i.e. firewall rules) they may ask you to sign work papers stating that they reviewed the information and documented any findings. This is an alternative to forking over a large volume of secret information, but comes with the price of filling out large volumes of paperwork.

Sampling is at the discretion of the auditor, but almost every auditor does it. You need to check with your QSA during the pricing and planning phase to confirm they understand the need for sampling of similar systems. Some companies may price an audit high if they do not know they can sample your similar systems. We could spend another post talking about the details of sampling, but here we will just remind you that it is an option and one you should examine.

One Response to “How deep do your PCI auditors need to go?”

By Ola on Apr 2, 2009

    I agree that sampling should be used in situations where you have similar systems and processes.

    You did not address what a representative sample size should be. There are situations where QSAs are taking a sample size that is unreasonably not representative and the clients are falling for this because of the lower pricing.

    I have a situation where some QSAs have proposed to only look at 5 stores out of 3600 stores located throughout US and Canada (0.15%). I do not think this is representative of the population even if they have configured all 3600 stores similarly.

    In this scenario, where you are still at the proposal stage, what sample size would you propose? We proposed 3% and they thought that was too high, taking us out of the bid.

    I am also wondering if some organizations are going through this PCI compliance process for compliance's sake or for security. The Council needs to give more guidance on sampling; it is too subjective right now. We need a definition of what is representative or at least sample scenarios.
