Table of Contents

Introduction to PCI .......... 4
  What Are the Benefits of PCI Compliance?
The Auditor's Perspective on PCI .......... 5
  Why Audit? .......... 6
  Who Is Responsible for PCI? .......... 9
  Management's Role in the Audit Process .......... 10
  What Auditors Want To See .......... 11
    Auditors Like… .......... 11
    Auditors Don't Like… .......... 11
  How Companies (Inadvertently or Intentionally) Help or Hinder Auditors
  Who Should Talk to the Auditors?
PCI Audit Checklist .......... 14
  Theme 1: Building and Maintaining a Secure Network Audit Testing .......... 15
  Theme 2: Protecting Cardholder Data .......... 19
  Theme 3: Maintaining a Vulnerability Management Program .......... 20
  Theme 4: Implementing Strong Access Control Measures .......... 21
  Theme 5: Regularly Monitoring and Testing Networks .......... 22
  Theme 6: Maintaining an Information Security Policy .......... 23
  Audit Reporting
Preparing for an Audit
Communicating with Auditors
Appendices
  Appendix A: Glossary of Terminology and Abbreviations
  Appendix B: PCI Data Security Standard
  Appendix C: PCI Security Audit Procedures
  Appendix D: PCI Self-Assessment Questionnaire
All design elements, front matter, and content are copyright © 2007 IT Compliance Institute, a division of 1105 Media, Inc., unless otherwise noted. All rights are reserved for all copyright holders.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.

Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of its contents and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be usable for your situation. You should consult with a professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.
All trademarks cited herein are the property of their respective owners.
IT AUDIT CHECKLIST SERIES
Payment Card Industry (PCI)
About the IT Compliance Institute
The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today's regulatory environment and find new ways to turn compliance efforts into capital opportunities.

ITCi's primary goal is to be a useful and trusted resource for IT professionals seeking to help businesses meet privacy, security, financial accountability, and other regulatory requirements. Targeted at CIOs, CTOs, compliance managers, and information technology professionals, ITCi focuses on regional- and vertical-specific information that promotes awareness and propagates best practices within the IT community.
For more information, please visit: www.itcinstitute.com
Comments and suggestions to improve the IT Audit Checklists are always encouraged. Please send your recommendations to firstname.lastname@example.org.