Project Title: PCI DSS Compliance Review using Remote Auditing Techniques, Maidstone Borough Council (MBC)
Background
In Summer 2018 AMDS Consultants Ltd were invited to assist MBC in achieving compliance with the PCI DSS international standard for debit and credit card transaction security. An intense programme of process and structural change was developed and delivered, enabling the council to undertake a self-assessment of compliance which was submitted to the relevant accreditation body for endorsement.
In July 2020, MBC contacted us to conduct a review of compliance against the standard to ensure that no significant or detrimental change had occurred in the structures, systems and processes established two years previously.
As a consequence of the Covid-19 pandemic, which required both parties to protect their staff from needless exposure to the virus, it was agreed that the compliance review should be conducted remotely, and planning proceeded accordingly.
Work Completed
A remote audit of the systems, structures and processes applicable to PCI DSS compliance operating in MBC was designed and delivered by our trained audit staff. The review was prepared and conducted in accordance with the requirements of ISO 19011:2018 “Guidelines for auditing management systems”, with particular attention to Annex A Table A1.
The review fell into three short phases:
- Preparation and planning including preliminary review to agree scope, agenda, timings and report format
- Review Conduct
- Preparation and delivery of formal compliance report
Within the design, evidence of compliance was obtained by a combination of remote desktop process review, audio interviews and a transaction “walk-through”.
Once the evidence was collated and curated, we prepared an appropriate review report which confirmed the continued compliance of MBC with the PCI DSS standard.
Issues Addressed
The primary issue addressed was the efficacy of the remote review. To facilitate both the desktop process review and the staff interviews we ensured both parties had access to compatible video conferencing software, in this case Zoom, and a secure backup, Microsoft Teams. We also made arrangements for an audio only conference call should there be any problems with the primary application.
Any areas for immediate action were discussed before the review concluded and details of the various processes and procedures were incorporated into the final report.
One other element of the remote approach which required attention was ensuring that interviewees were put at ease and felt comfortable throughout their part of the video conference.
Outcomes Achieved
The compliance report was delivered on time and the remote approach did not significantly compromise the efficacy of the review.
The design and approach proved popular with the client, enabling both parties to remain safe from possible exposure to the Covid-19 virus.
Importantly, MBC were able to demonstrate continued adherence to the requirements of PCI DSS and, while the review suggested a number of minor improvements, these were achieved quickly in advance of the release of the final report.
Client Assessment
The client viewed the remote process very favourably and found our approach to both the review and the coverage of the report comprehensive and accurate.