How to Pass a PCI Compliance Audit Quickly, While Also Becoming More Secure

At Armor, we’ve helped many companies over the years become PCI compliant and pass their audits. We’ve learned that while PCI compliance is complicated, you can become compliant in a decent amount of time.

Furthermore, becoming PCI compliant can help your business become more secure, which is the whole point of PCI compliance.

If you primarily focus on securing your tech infrastructure and use the PCI compliance rules as guidelines, you’re likely to fulfill most of the PCI compliance rules.

In this article, we’ll review what the requirements are and how to approach PCI compliance so you can become secure in less time.

While most articles will only tell you what the audit requirements are, here, we actually outline the specific tactics and nuances of becoming PCI compliant.

Note: Our Armor Anywhere product has helped over 1,000 customers over the years, many of whom became PCI compliant. If you want to learn more, then click here to get a free quote.

PCI Compliance Audit Requirements 

First off, let’s define what a PCI compliance audit is:

A PCI compliance audit is an audit required of certain merchants that process and/or store credit card information, to make sure they comply with the Payment Card Industry Data Security Standard (PCI DSS).

Here are the twelve requirements of achieving PCI DSS compliance:

  1. Have a firewall in place
  2. Do not use vendor-supplied defaults for system passwords
  3. Protect any and all cardholder data
  4. Encrypt transmission of cardholder data across open networks
  5. Regularly update anti-virus software
  6. Develop and maintain secure systems
  7. Restrict access to cardholder data so only relevant employees have access
  8. Create a unique ID for each person with access
  9. Restrict physical access to servers with data
  10. Track and monitor all access to cardholder data
  11. Regularly test security systems and processes
  12. Maintain a security policy for all employees that results in a formal risk assessment

Additionally, the PCI DSS classifies merchants by different levels based on how much credit card data they process. Each level has additional requirements on top of the twelve requirements listed above:

Level 1 Merchants

Level 1 merchants process over 6 million credit card transactions annually.

Level 1 merchants must do the following:

  • Complete an annual Report on Compliance (ROC) in conjunction with a Qualified Security Assessor (QSA)
  • Have an Approved Scanning Vendor (ASV) conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 2 Merchants

Level 2 merchants process 1 to 6 million credit card transactions annually.

Level 2 merchants must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 3 Merchants

Level 3 merchants process 20,000 to 1 million credit card transactions annually.

Level 3 merchants must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

Level 4 Merchants

Level 4 merchants process up to 20,000 credit card transactions annually.

Level 4 merchants must do the following:

  • Complete an Annual Self-Assessment Questionnaire (SAQ)
  • Have an ASV conduct quarterly scans
  • Complete an Attestation of Compliance Form

So, in short, what you have to do to pass a PCI audit is to:

  1. Figure out what level of merchant you are
  2. Make sure you have a process to follow the requirements of that level
  3. Make sure you comply with all 12 PCI DSS requirements

You Can Be PCI Compliant Without Being Secure

It might seem like the next step after figuring out your merchant level is to just start changing your setup to become PCI compliant.

Instead, we think it’s better to think about becoming secure, and then worry about becoming compliant second. Here’s why:

The whole point of PCI compliance is to make sure that companies that process credit card data are doing so in a secure way.

Instead of just making changes so you comply with PCI requirements, make sure you follow industry best practices on securing your infrastructure — these aren’t the same thing. That should get you most of the way to PCI compliance.

Plus, you’ll actually become more secure. While PCI compliance is important, it doesn’t mean that you’re truly secure.

A major example of this is the 2013 Target data breach, where Target was hacked and didn’t realize it for months. Target was PCI compliant at the time of the breach, but their security wasn’t up to par.

Part of PCI compliance is that you have logging and monitoring for all of your credit card data. Target had this, but its logging tools generated so many warnings that the security analysts were forced to ignore some of them. (Alert fatigue like this is a common problem, and one we have worked very deliberately to fix; more on that below.)

Almost all of the warnings were false positives, but the ones triggered by the actual attackers were not. So even though the tools detected the breach, the analysts didn’t act on it until months later.

This is why we say that there’s a clear difference between being compliant and being secure.

Advanced Approaches to Lessen the Work of Becoming PCI Compliant

Once you do decide to become more secure (and become PCI compliant as a step along the way), there are ways to do so with less work.

The first thing you want to do is to segment out your environment that stores and processes sensitive credit card data. This is because PCI requirements only apply to the Cardholder Data Environment (CDE).

By segmenting out this sensitive environment, you can lessen the work you need to do (which will make the process of becoming compliant and passing subsequent audits quicker and cheaper).

The next thing you want to do is to figure out whether that sensitive data is actually needed. If you don’t need all or some of that data, then you can save yourself time and money by not storing it.

Having less sensitive data to protect will make the process of becoming compliant easier.

Next, we suggest you set up a “security onion” so that your data has multiple levels of protection. The idea is that you want to protect every layer of your infrastructure so that even if one level is breached, the levels below it are still secure.

Here’s a simple example of some of the layers of the security onion:

  • Encrypt credit card data
  • Put access management around that data
  • Secure infrastructure at the database level
  • Secure infrastructure at the application level
  • Secure infrastructure at the server level
  • Secure infrastructure at the network level

Why We Chose a Unique Approach to Lessen the Time to Become PCI Compliant and Secure

Part of our mission at Armor is to help companies spend less time on security so they can focus on their own applications.

That’s why our solutions have several protections set up automatically. As opposed to a DIY approach, you won’t have to reinvent the wheel. You’ll get best-in-class tools automatically.

We have two solutions: Armor Complete and Armor Anywhere.

Armor Complete is our public cloud solution coupled with best-of-breed security solutions. You bring the application; we’ll provide the virtual servers and all the necessary security to protect your data and your customers.

Armor Anywhere is our agent-based security solution that goes wherever your app goes (public cloud, private cloud, hybrid, or on-premises).

Here are some of the different features that they offer:

Feature                                        Armor Complete   Armor Anywhere
Vulnerability Scans                            X                X
Operating System                               X                X
Intrusion Detection                            X                X
File Integrity Monitoring                      X                X
Log Collection & Management                    X                X
Malware Protection                             X                X
Patch Monitoring                               X                X
Compute                                        X
Storage, Database, & Networking                X
Regions, Availability Zones, & Edge Locations  X
Identity & Access Management
Data Management
Encryption

All of these features are important in making your infrastructure secure and PCI compliant.

Hosting with Armor Complete means there’s less work for you to become secure. However, Armor Anywhere is more flexible and can run on any cloud or on-premises server.

Also, we’ve noticed over the years that keeping up with the changes the PCI Security Standards Council makes, as well as with the state of the art in security tools, can be a challenge for our customers. That’s why one of the ways Armor helps you become and stay PCI compliant is by constantly updating our tooling, adding new tools, and adjusting to the latest PCI standards.

One thing no one can do for you is to secure your application since that’s dependent on your specific circumstances.

However, we have a team of PCI compliance experts with years of experience in securing applications like yours.

We offer advice to all of our clients on best practices in information security and PCI compliance. You can be confident that you’re getting great advice on the best strategy for securing your application.

Let’s say that you wanted to become PCI compliant on your own, what would that entail?

Depending on your current practices, it could be a massive undertaking. Just consider log management as an example.

In order to become PCI compliant, you need to log all access to the CDE and store those logs, along with logs from critical infrastructure (operating systems, firewalls, databases, and routers), in a central location. Doing this can be a substantial amount of work and expense.

While it’s certainly possible to do this correctly on your own, it’s possible that you might make a mistake. This is more likely if no one in your business has any experience in setting up a log management system like this.

There are several other requirements like this in the PCI DSS. You’re going to have to make sure you correctly implement them all in order to pass your audit.

Armor takes care of log management by automatically using state-of-the-art tools to ingest your logs into our correlation engine. Here we store and monitor your log files. Armor also fulfills other requirements to become PCI compliant.

We’ve seen customers who cut the work they need to do to become PCI compliant in half by choosing Armor.

Plus, all of our customers are protected by our 24/7/365 SOC (Security Operations Center). That means there are humans who put eyes on every alert and are always ready to help protect your infrastructure in case of a breach.

Remember how Target didn’t respond to its breach because it was overwhelmed with security messages?

That wouldn’t happen with Armor, since we have tools to specifically manage the amount of notifications that you see.

We filter out most of the false positives, but we don’t do so at the expense of missing actual breaches. We’re proud to say that we detect 99.999% of threats.

The key to how we detect so many threats without too many false positives is our correlation engine. We make sure that threats are detected by multiple tools before raising an alert (this reduces the false positive rate). All alerts are looked at by a set of human eyes.
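The multi-tool corroboration idea described above, as an added illustration rather than Armor’s own engine: a small correlator that only raises an alert when at least two distinct tools flag the same host inside a time window, so repeated noise from a single tool is suppressed. The log lines and the tool names (ids, fim, av) are constructed for the example.

```python
"""Alert correlation: require corroboration from >= 2 distinct tools per host.
Constructed example, not code from Armor or any real product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical tools: an IDS, file
# integrity monitoring (FIM), and anti-malware (AV). One line per event.
SAMPLE_LOGS = """\
2024-05-01T10:00:05 ids host=pos-db-01 sig=unusual_outbound_transfer
2024-05-01T10:00:09 ids host=web-03 sig=port_scan
2024-05-01T10:01:12 fim host=pos-db-01 path=/opt/pos/bin/svc.exe event=modified
2024-05-01T10:02:40 av host=web-03 verdict=clean
2024-05-01T10:03:01 ids host=web-03 sig=port_scan
2024-05-01T14:30:00 av host=pos-db-01 verdict=quarantined
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<tool>\w+) host=(?P<host>\S+) (?P<rest>.*)$")


def is_detection(tool, rest):
    """A 'clean' AV verdict is informational, not a detection."""
    if tool == "av":
        return "verdict=clean" not in rest
    return True


def parse(lines):
    """Return sorted (timestamp, tool, host) tuples for detection events only."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_detection(m["tool"], m["rest"]):
            continue  # skip malformed lines and non-detections
        events.append((datetime.fromisoformat(m["ts"]), m["tool"], m["host"]))
    return sorted(events)


def correlate(lines, window=timedelta(minutes=15), min_tools=2):
    """Map host -> sorted list of tools for hosts flagged by >= min_tools
    distinct tools within `window`. Repeat hits from one tool do not count."""
    by_host = defaultdict(list)
    for ts, tool, host in parse(lines):
        by_host[host].append((ts, tool))
    alerts = {}
    for host, hits in by_host.items():
        for ts, _ in hits:  # slide the window forward from each hit
            tools = {t for t2, t in hits if ts <= t2 <= ts + window}
            if len(tools) >= min_tools:
                alerts[host] = sorted(tools)
                break
    return alerts
```

On the sample data, pos-db-01 is flagged by both the IDS and FIM within a minute and becomes an alert, while web-03 only ever trips the IDS and stays suppressed; with a 30-second window nothing correlates at all.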

That’s why Armor isn’t just about making your business compliant; it’s about making your business secure.

In Conclusion…

We know that a PCI compliance audit can be a stressful experience, especially if you’ve never been audited before.

However, the process can be easier if you remember that it’s just about security. Follow industry best practices and you’ll likely get most of the way to passing your audit.

A few tricks you can use are to segment out your sensitive credit card data, discard any unneeded data, and create a security onion with layers of protection.

It can also help to partner with someone who has years of experience with PCI compliance and can lessen the effort of becoming compliant.

If you need a partner who can help advise you on how to become more compliant in less time, reach out to us.

We’d be happy to help you become PCI compliant. To find out more about how Armor can help you become secure and compliant, go here to get a free quote.
