Data Security Software


PCI Security Audit - Bsafe

Source of the PCI Security Audit

The security audit is essential to ensuring PCI compliance. Unlike many other industry standards and regulations, the PCI DSS security audit procedures are directed solely at data security. The opening sentence of the standard states its purpose: to enhance and encourage the security of payment cardholder data and to provide a means for the wide-scale adoption of consistent data security measures.

What the PCI Security Standards Include

Including its appendixes, the PCI-DSS (Payment Card Industry Data Security Standard) covers over 70 pages, amounting to over 20,000 words. It is divided into 6 categories defining 12 requirements as follows:
  • Build and Maintain a Secure Network (covering firewalls and vendor-supplied passwords)
  • Protect Cardholder Data (covering protection of stored data and encryption)
  • Maintain a Vulnerability Management Program (covering anti-virus software and application development methods)
  • Implement Strong Access Control Measures (incorporating access by need to know, unique user IDs and physical access control)
  • Monitor and Test Networks (incorporating tracking and monitoring and security testing)
  • Maintain an Information Security Policy
See PCI Compliance Software for the full titles of the 12 PCI requirements.
These requirements collectively define three essential components of implementing data security, all of which must ultimately be verified by a PCI security audit.
  • Policy
  • Protection (controlling access)
  • Monitoring and auditing

Auditing of PCI-DSS

The PCI security audit (also referred to as the PCI compliance audit) is all about checking whether or not these things are implemented. Fortunately, the PCI standard breaks each requirement down in detail, which makes such checks easier to carry out during the PCI audit. Moreover, the requirement document is conveniently laid out with the audit task in mind. First the sub-requirement is listed, followed by a column describing the testing procedures: the instructions for the checks that need to be done to confirm compliance with the requirement.
Next come two columns, 'In Place' and 'Not In Place', alongside each testing procedure, which are ticked as appropriate, and a final column for entering the target date or any other comments the auditor considers necessary. This can be seen in the example below, taken from the beginning of the category Implement Strong Access Control Measures, of which section 7 is the first part.
[Image: PCI Security Audit Format]

The PCI Security Audit and Checking Your Audit Trails

Since some of PCI's requirements are themselves about monitoring or auditing, auditing those requirements means verifying that the information in question is actually being logged. One way to confirm this within the PCI security audit is to examine the audit logs themselves to check their existence and content. Auditing of activity is expressly mentioned in the PCI standard in a number of places; see the examples below.
3.4.d Examine a sample of audit logs to confirm that the PAN (primary account number) is sanitized (altered) or removed from the logs.
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor's name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
10.2 Implement automated audit trails for all system components (partially shown below).
[Image: PCI Security Audit Audit Trails]
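The 3.4.d check above, as an added example that is not Bsafe's software or part of the standard: a Python scan over a few constructed log lines that flags any full Luhn-valid PAN left in the logs and reports the sub-requirement as 'In Place' or 'Not In Place'. The sample log lines, the regex and the function names are this example's own assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (rules out most order IDs and timestamps).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample audit log: line 1 is masked, line 3 is a non-PAN number.
SAMPLE_LOG = [
    "2024-01-15 10:23:45 INFO payment ok card=411111******1111 amount=19.99",
    "2024-01-15 10:24:02 DEBUG raw request: card=4111 1111 1111 1111 cvv=***",
    "2024-01-15 10:24:10 INFO order=9876543210987654 status=shipped",
    "2024-01-15 10:25:33 WARN retry card=5555-5555-5555-4444 merchant=test",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unsanitized_pans(log_lines):
    """Return (line_number, masked_pan) for every line carrying a full Luhn-valid PAN.

    The PAN is reported in first-six/last-four form so the finding itself
    does not reproduce the data the check is meant to catch.
    """
    findings = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((n, masked))
    return findings


def audit_3_4_d(log_lines) -> str:
    """Mirror the audit sheet's columns: 'In Place' only if no full PAN was found."""
    return "In Place" if not find_unsanitized_pans(log_lines) else "Not In Place"


if __name__ == "__main__":
    for lineno, pan in find_unsanitized_pans(SAMPLE_LOG):
        print(f"line {lineno}: unsanitized PAN {pan}")
    print("3.4.d:", audit_3_4_d(SAMPLE_LOG))
```

The sample deliberately includes a Luhn-invalid 16-digit order number so the scan shows a plain digit-length match is not enough on its own.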
For more information on the PCI security audit and Bsafe PCI Compliance Software, please contact us today.