HOW OFTEN ARE PCI AUDITS REQUIRED?

Businesses that accept, process, store, or transmit credit card information of customers are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI SSC was established in 2006 to improve payment card security throughout the payment process.

The PCI DSS is a set of security standards developed by the Payment Card Industry Security Standards Council (PCI SSC) to ensure that the cardholder data held by these businesses is protected from breaches.

Businesses fall into one of four PCI DSS levels based on the number of payment card transactions they handle within 12 months. Businesses are ranked as level 1 if they have 6 million or more transactions a year. Businesses with between 1 million and 6 million annual card transactions are ranked as level 2.

Level 3 businesses are those with more than 20,000 but fewer than 1 million annual payment card transactions. Finally, businesses with 20,000 or fewer annual card transactions are classified as level 4.

The ranking levels above are the ones provided by the PCI SSC. However, some payment card companies have a ranking system of their own, based on the number of transactions a business processes each year with that specific company's cards.

For example, businesses that complete 2.5 million or more American Express transactions within a year are classified as level 1, while businesses with 10,000 or fewer American Express transactions are classified as level 4. Some companies may also have additional requirements for being ranked within each level.

How often are PCI audits required?

The PCI DSS itself does not define how often businesses must perform PCI audits. Usually, businesses are required to carry out their assessment annually. These assessments are done either through a Self-Assessment Questionnaire (SAQ) or by hiring an independent professional known as a Qualified Security Assessor (QSA).


However, the frequency of these audits is set by the financial institution or payment card company the business is registered with rather than by the PCI DSS. For example, American Express has different rules for businesses than VISA or Mastercard.

Similarly, some businesses may be required by these payment card companies to perform a network scan regularly. These scans examine the business's payment card network for any vulnerabilities. If any vulnerabilities are identified, they are remediated to ensure the network is protected from breaches. These network scans are generally performed every quarter.

However, the payment card company that the business is registered with also dictates the interval at which these scans must be performed.

Why is PCI DSS compliance required?

Compliance with PCI DSS is important for all businesses that deal with payment card transactions. The PCI SSC itself does not enforce compliance with the standard, so some businesses may be tempted not to comply with it. However, there are many reasons why businesses need to comply with the standard.

First of all, businesses are contractually obligated to follow the standard. These contracts are made with the payment card companies or financial institutions that require the businesses to comply with the PCI DSS. If a business does not comply with the standard, the relevant payment card company will impose fines on it.

Secondly, businesses that comply with the standard are more trusted by customers. This means businesses that follow the standard will attract more customers, and as a result generate more sales, than businesses that do not comply with the standard.


Similarly, the PCI DSS safeguards businesses against possible breaches and loss of customer data. Businesses affected by such breaches lose brand value and customers as a result. In the event of a breach, businesses that do not comply with the standard may face legal action and must justify their non-compliance.

Furthermore, businesses that are found to be consistently non-compliant with the PCI DSS are banned by payment card companies and lose their ability to accept payments through cards. Therefore, complying with the standard is beneficial for all businesses that accept, process, store, or transmit cardholder data.

Conclusion

All businesses that deal with payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). These businesses are ranked according to their number of annual payment card transactions. Based on their ranking, businesses must demonstrate their compliance with the PCI DSS either by completing a Self-Assessment Questionnaire (SAQ) or by obtaining the services of a Qualified Security Assessor (QSA).

The frequency of PCI audits depends on the requirements of the financial institution or payment card company that a business is registered with. Usually, businesses are required to report on their compliance annually. Furthermore, businesses may be required to provide a network scan report every quarter.