A new report from the Institute of Internal Auditors says compliance with credit-card security standards is still sputtering, despite a coordinated push to bring retailers and merchant banks into compliance with the Payment Card Industry Data Security Standard.
The recent survey of internal auditors, “Moving Toward PCI Compliance,” indicates that only 56 percent of companies are in compliance with PCI DSS, even though the standard was first unveiled in 2004. Nearly 90 percent did say they are trying to implement a PCI compliance process, however.
Survey respondents offered a variety of suggestions to help companies ensure an effective and efficient compliance process. Among the ideas:
- Train and educate staff about data security breach risks, and how to help achieve compliance.
- Prohibit storing and tracking credit card information.
- Avoid unsecured wireless access.
- Perform an internal audit to determine high-risk areas.
- Establish network security controls, compartmentalizing the network areas that process credit card information and segregating PCI data from the rest of the network.
- Establish which compensating controls need to be implemented for compliance.
- Create a steering committee, representing areas that can enhance compliance within the organization.
As part of the survey, the IT Compliance Institute also gave some tips on what internal auditors can do to help ensure PCI compliance:
- Provide reports to the board and management that state whether key information assets and systems are protected, business units are adhering to policies, programs are in place for continually updating and strengthening safeguards against network assaults, and existing security policies are reasonable.
- Assess the state of the information control environment and recommend improvements.
- Compare current organizational practices with industry practices and regulatory guidelines to validate that the organization’s PCI efforts are proactive and effective against current and emerging threats.
Download the full report at www.theIIA.org.