PCI Review Audit Work Program
Guidelines for Effective PCI Compliance Auditing
Our PCI Review Audit Work Program serves as a resource for organizations aiming to strengthen their compliance with the Payment Card Industry Data Security Standard (PCI DSS). The audit framework can be used to assess the security controls that protect cardholder data, identify gaps and confirm that recognized practices are in place. It helps organizations demonstrate adherence to the standard while maintaining the trust of customers and stakeholders, and its practical work steps make it a useful asset for any organization seeking to improve its security posture.
This document includes two samples, each focusing on critical aspects of PCI DSS compliance. Sample 1 delves into the high-level review of PIN processing and cryptographic key management, outlining essential controls for secure handling, encryption and storage of sensitive information. It emphasizes the importance of tamper-resistant security modules and robust key administration procedures. Sample 2 shifts the focus to technical and procedural controls within the network and IT environment, detailing the evaluation of firewall configurations, access control mechanisms and incident response planning. Together, these samples provide a holistic view of PCI compliance, offering actionable insights that organizations can leverage to fortify their security posture.
Audit work steps include:
- Unique cryptographic keys must be in use for each identifiable link between host computer systems.
- Backups of secret keys must exist only to reinstate keys that are accidentally destroyed.
- Firewall standards must be reviewed to ensure that they include a formal process for requesting, testing and approving all rule or configuration changes before those changes are implemented.
- Evidence of quarterly firewall ruleset reviews must be obtained.