Detailed Analysis of PCI Audits for Financial Security and Compliance

Added on 2021/06/18
Running head: AUDITING THEORY AND PRACTICE 1
Auditing Theory and Practice
Name
Institution
PCI stands for Payment Card Industry. A business that handles cardholder data is required to
undergo a PCI audit to ensure that the credit card data of all of its customers is protected. All
transactions in the company must therefore be secure, and the data stored by the company must be
safeguarded. The audit thus assesses the business side of the company as well as its systems.
A PCI audit involves the following steps:
Appointing a Qualified Security Assessor (QSA)
It is important to find a QSA that has been trained to conduct a PCI audit. The QSA must
be approved by the PCI SSC (Payment Card Industry Security Standards Council). Credit card
data is crucial information, so it is essential to engage a trained person who can evaluate
how this information is handled.
Evaluating the information
In this step, the QSA will look at the networks and systems for payments and also the
procedures for payment and the policies of the company. The staff of the company is required to
also help in providing information about the company (Sabillon, Serra-Ruiz, Cavaller & Cano,
2017).
Risk assessment
After evaluation, the assessor will provide a PCI risk assessment. This document
basically is a summary of your company’s data security. It shows the weak and strong areas in
your data security system. This way the company knows which areas to focus on in order to
improve their data security.
Act on the risk assessment
Here the problems found in the data security system should be solved by addressing the
crucial areas first. The assessor can give advice on how to improve and conduct the PCI audit.
How to ‘pass’ an audit
Find a reputable assessor
It is important to find an assessor that is qualified and that your company can work with.
Find an assessor that offers consistent advice and one that can back up any claims with
references.
Be prepared
As a company, ensure that you have all the information and documentation required for
the process before the assessor arrives. This saves time and also guarantees that the assessor will
review all the information before making a final report.
Always conduct regular testing
It is important for the company to conduct security tests at regular intervals to
determine which areas of the network might not be secure. Assessors look for evidence of regular testing in a
company when conducting a PCI audit (King, 2017).
Training staff on security awareness
The company needs to train its staff on security, why it matters and how to achieve
it. This way the staff will be security aware, and once a security test is run they will be able to
know what to correct and how to correct it (Nanda, Popat & Vimalkumar, 2017). This avoids
future problems in the security system.
Know where your company’s data resides
Many companies do not know where their data is ‘hidden’ in their networks. It is
important to know this, and it can be done by creating a data flow diagram. This helps identify
all the locations where the data is stored and all the paths along which it flows.
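As an added illustration of this step (example code written for this page, not part of the original essay or of any PCI SSC material), the script below locates card numbers in a constructed inventory of sample records and then derives, from a list of documented data flows, which systems a PCI audit would have to cover. The system names, sample records and flows are made up; the card numbers are the well-known public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts. The scoping rule at the end is a simplified version of the PCI SSC idea that systems connected to the cardholder data environment (CDE) are also in scope.

```python
# Added example (not from the essay): find cardholder data in stored records and
# derive PCI audit scope from a documented data flow inventory.
import re


# --- Step 1: find primary account numbers (PANs) in stored records ------------

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a
# longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit numbers found in text (separators removed)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# --- Step 2: constructed data flow inventory ------------------------------------

# Records sampled from each (hypothetical) system's storage.
SYSTEM_SAMPLES = {
    "web-checkout":  "order 1234567890123 card 4111 1111 1111 1111 exp 12/27",
    "order-db":      "order 1234567890123 total 49.90 token tok_8f3a",
    "legacy-report": "refund for 5555-5555-5555-4444 processed",
    "hr-system":     "employee 00012345 badge 9876543210123",
    "log-server":    "POST /pay 200 pan=4111111111111112",   # fails Luhn: not a PAN
}

# Directed flows between systems as drawn on the data flow diagram:
# (source, destination, carries_pan).
FLOWS = [
    ("web-checkout", "payment-gateway", True),
    ("web-checkout", "order-db", False),          # tokenised, no PAN
    ("order-db", "legacy-report", False),
    ("order-db", "log-server", False),
    ("hr-system", "log-server", False),
]


def cde_systems(samples, flows):
    """Systems that store, process or transmit PAN: the cardholder data environment."""
    cde = {name for name, text in samples.items() if find_pans(text)}
    for src, dst, carries_pan in flows:
        if carries_pan:
            cde.update((src, dst))
    return cde


def audit_scope(samples, flows):
    """CDE plus every system with a direct flow to or from it (simplified
    'connected-to' rule). Returns (cde, scope)."""
    cde = cde_systems(samples, flows)
    scope = set(cde)
    for src, dst, _ in flows:
        if src in cde or dst in cde:
            scope.update((src, dst))
    return cde, scope


def undocumented_pan_stores(samples, flows):
    """Systems holding PAN although no documented flow carries PAN to or from
    them: the diagram is wrong or data leaked outside the intended path."""
    documented = {s for src, dst, carries in flows if carries for s in (src, dst)}
    return {name for name, text in samples.items()
            if find_pans(text) and name not in documented}


if __name__ == "__main__":
    cde, scope = audit_scope(SYSTEM_SAMPLES, FLOWS)
    for name, text in SYSTEM_SAMPLES.items():
        print(name, [mask_pan(p) for p in find_pans(text)])
    print("CDE:", sorted(cde))
    print("in scope:", sorted(scope))
    print("PAN found outside documented flows:", sorted(undocumented_pan_stores(SYSTEM_SAMPLES, FLOWS)))
```

The point of running discovery before drawing the diagram is visible in the output: `legacy-report` holds a card number even though every documented flow into it is marked as tokenised, so the diagram alone would have left a real PAN store out of the audit. The Luhn check keeps order numbers, badge numbers and malformed values out of the findings, and `mask_pan` ensures the report itself does not become another place where full card numbers reside.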
References
King, D. (2017). Payment security and compliance: a primer for revenue cycle decision
makers. Healthcare Financial Management, 71(9), 84-89.
Nanda, A., Popat, P., & Vimalkumar, D. (2017). Navigating Through Choppy Waters of PCI
DSS Compliance. Information Technology Risk Management and Compliance in Modern
Organizations, 99.
Sabillon, R., Serra-Ruiz, J., Cavaller, V., & Cano, J. (2017, November). A Comprehensive
Cybersecurity Audit Model to Improve Cybersecurity Assurance: The CyberSecurity
Audit Model (CSAM). In Information Systems and Computer Science (INCISCOS), 2017
International Conference on (pp. 253-259). IEEE.
Sabin, J. A., Jorgensen, M. J., Burch, L. L., Brown, J. R., Kranendonk, N. B., Larsen, K. A., ... &
Holt, M. (2017). U.S. Patent No. 9,619,262. Washington, DC: U.S. Patent and Trademark
Office.