In late 2008, the Payment Card Industry Security Standards Council (PCI SSC) — American Express, Discover Card, JCB International, MasterCard Worldwide, and Visa — updated the Data Security Standard (DSS), which guides merchants in securing credit card information. Now a recent move by MasterCard demonstrates that credit card companies believe internal auditors can play a valuable role in protecting cardholder data by assessing compliance with the standard.
“Having standards in place is the first step toward ensuring operational effectiveness and information security,” says Richard Chambers, CIA, CGAP, CCSA, president and CEO of The Institute of Internal Auditors. “And internal auditors can play an important role in assessing whether their organisations are keeping customers’ information secure.”
In June 2009, MasterCard Worldwide issued a notification to its merchants saying that, beginning January 2011, the required annual “Level 1” (more than 6 million annual transactions) and “Level 2” (1 to 6 million annual transactions) merchant validations of PCI DSS compliance must be completed by certified Qualified Security Assessors (QSAs), who are trained and credentialed by the PCI SSC. Under these new requirements, internal auditors would not have been able to participate in PCI DSS compliance validation, as the certification program has not been available to internal auditors.
In a September 2009 letter to MasterCard, The IIA emphasized the independence, objectivity, competency, and accountability of internal auditors, which position them well to conduct annual PCI DSS compliance assessments. MasterCard Worldwide responded that, to enable organisations to leverage internal auditors to the fullest extent possible, it had asked the PCI SSC to consider implementing a means by which internal auditors could become certified to conduct the annual assessments required by PCI DSS. Subsequently, MasterCard Worldwide notified its merchants in December 2009 that, effective June 30, 2011, Level 1 merchants conducting an annual onsite assessment of DSS compliance may use internal auditors who have obtained PCI SSC-offered training and certification. The PCI SSC has announced its intention to offer the training and accreditation to internal auditors in 2010 and is expected to share additional information as the program develops.
According to Chambers, there are many reasons that internal auditors can and should be involved in the data security standards compliance process. “Effective data security is an ongoing process of assessment, remediation, and reporting – and internal auditors have the ability to provide this continuous assurance,” he says. “And merchants who involve their internal auditors may also realize cost savings that demonstrate additional value.”
As the internal audit profession’s principal educator, The IIA strongly advocates for the educational development and professionalism of internal auditors. “MasterCard’s announcement means that internal auditors now will have the opportunity to expand and document their knowledge of information security through the PCI SSC certification program,” says Chambers. He believes the move will pave the way for merchants around the world to tap into the skills and experience of their internal auditors to assess compliance with the PCI standards that guide the credit card industry. “And this is excellent news for customers who may worry about the security of their credit card information,” he added.
Recent case studies published by The IIA outline how internal auditors can use the Guide to the Assessment of IT (GAIT) for Business and IT Risk methodology to enhance PCI compliance efforts. The case studies demonstrate how to document the thought process for scoping and substantiating the IT controls that are included in PCI compliance audits. Internal auditors are advised to follow eight steps to determine the scope of a PCI compliance audit:
- Identify the business process and objectives for which the controls are to be assessed.
- Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
- Identify the critical IT functionality relied upon from among key business controls.
- Identify the significant applications in which IT General Controls (ITGCs) need to be tested.
- Identify IT general control process risks and related control objectives.
- Identify the key IT general controls to test risks and related control objectives.
- Conduct a holistic review of all key controls.
- Determine the scope of the review and build an appropriate design and effectiveness testing program.
The IIA is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, acknowledged leader, and principal educator.