Strategic Intelligence for CFOs, Finance Directors, Controllers and Treasurers in Asia
2010, Mar 19

Credit Card Information Security Now a Concern of Internal Auditors

by CFO Innovation Staff, 27 January 2010

In late 2008, the Payment Card Industry Security Standards Council (PCI SSC) — American Express, Discover Card, JCB International, MasterCard Worldwide, and Visa — updated the Data Security Standards (DSS), which guide merchants in securing credit card information. And now, a recent move by MasterCard demonstrates that credit card companies believe internal auditors can play a valuable role in protecting cardholder data by assessing compliance with the standards.

 

“Having standards in place is the first step toward ensuring operational effectiveness and information security,” says Richard Chambers, CIA, CGAP, CCSA, president and CEO of The Institute of Internal Auditors. “And internal auditors can play an important role in assessing whether their organisations are keeping customers’ information secure.”
 
In June 2009, MasterCard Worldwide issued a notification to its merchants saying that beginning January 2011, the required annual “Level 1” (more than 6 million annual transactions) and “Level 2” (1 to 6 million annual transactions) merchant validations of PCI DSS compliance must be completed by certified Qualified Security Assessors, who are trained and credentialed by the PCI SSC. Based on these new requirements, internal auditors would not have been able to participate in PCI DSS compliance validation, as the certification program has not been available to internal auditors.
 
In a September 2009 letter to MasterCard, The IIA emphasized the independence, objectivity, competency and accountability of internal auditors, which position them well to conduct PCI DSS annual compliance assessments. MasterCard Worldwide responded by saying that, to enable organisations to leverage internal auditors to the fullest extent possible, it had requested the PCI SSC to consider implementing a means by which internal auditors could become certified to conduct the annual assessments required by PCI DSS. Subsequently, MasterCard Worldwide notified its merchants in December 2009 that effective June 30, 2011, Level 1 merchants conducting an annual onsite assessment of DSS compliance may utilize internal auditors who have obtained PCI SSC-offered training and certification. The PCI SSC has stated its intention to offer the training and accreditation to internal auditors in 2010 and is expected to share additional information as the program develops.
 
According to Chambers, there are many reasons that internal auditors can and should be involved in the data security standards compliance process. “Effective data security is an ongoing process of assessment, remediation, and reporting – and internal auditors have the ability to provide this continuous assurance,” he says. “And, merchants who involve their internal auditors may also realize cost-savings that demonstrate additional value.”

 

As the internal audit profession’s principal educator, The IIA strongly advocates for the educational development and professionalism of internal auditors. “MasterCard’s announcement means that internal auditors now will have the opportunity to expand and document their knowledge of information security through the PCI SSC certification program,” says Chambers. He believes the move will pave the way for merchants around the world to tap into the skills and experience of their internal auditors to assess compliance with the PCI standards that guide the credit card industry. “And this is excellent news for customers who may worry about the security of their credit card information,” he added.

 
