Internal Auditors to Ensure Credit Card Information Security
January 22, 2010
Altamonte Springs, Fla. — In late 2008, the Payment Card Industry Security Standards Council (PCI SSC) — American Express, Discover Card, JCB International, MasterCard Worldwide, and Visa — updated the Data Security Standards (DSS), which guide merchants in securing credit card information. Now, a recent move by MasterCard demonstrates that credit card companies believe internal auditors can play a valuable role in protecting cardholder data by assessing compliance with the standards.
In a September 2009 letter to MasterCard, The IIA emphasized the independence, objectivity, competency, and accountability of internal auditors, qualities that position them well to conduct PCI DSS annual compliance assessments. MasterCard Worldwide responded that, to enable organizations to leverage internal auditors to the fullest extent possible, it requested that the PCI SSC consider implementing a means by which internal auditors could become certified to conduct the annual assessments required by PCI DSS. Subsequently, MasterCard Worldwide notified its merchants in December 2009 that, effective June 30, 2011, Level 1 merchants conducting an annual onsite assessment of DSS compliance may utilize internal auditors who have obtained PCI SSC-offered training and certification. The PCI SSC has announced its intention to offer the training and accreditation to internal auditors in 2010 and is expected to share additional information as the program develops.
According to Chambers, there are many reasons that internal auditors can and should be involved in the data security standards compliance process. “Effective data security is an ongoing process of assessment, remediation, and reporting – and internal auditors have the ability to provide this continuous assurance,” he says. “And, merchants who involve their internal auditors may also realize cost savings that demonstrate additional value.”
As the internal audit profession’s principal educator, The IIA strongly advocates for the educational development and professionalism of internal auditors. “MasterCard’s announcement means that internal auditors now will have the opportunity to expand and document their knowledge of information security through the PCI SSC certification program,” says Chambers. He believes the move will pave the way for merchants around the world to tap into the skills and experience of their internal auditors to assess compliance with the PCI standards that guide the credit card industry. “And this is excellent news for customers who may worry about the security of their credit card information,” he added.
###
The IIA is internationally recognized as a trustworthy guidance-setting body. Serving members in 165 countries, The IIA is the internal audit profession's global voice, chief advocate, recognized authority, acknowledged leader, and principal educator.
Media Contact
Scott C. McCallum
Media Relations Manager
The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701-4201 USA
Tel +1-407-937-1247
Email Scott.McCallum@theiia.org