Problem solve Get help with specific problems with your technologies, process and projects.

How to leverage your legal team in the PCI compliance audit process

As part of the PCI compliance process, financial institutions will usually conduct a pre-assessment review. But proceed with caution: the pre-assessment findings can become a liability if not properly protected. In this tip, Rick Lawhorn explains how information security and IT teams should partner with their legal counterparts on PCI pre-analysis and audit to avoid trouble.

Financial institutions that handle credit card transactions are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). As part of the compliance process, most companies will conduct a pre-assessment review prior to the official PCI audit so the findings can be reviewed and remediated early. The pre-assessment becomes an important part in building a baseline to ensure that compliance is achieved as efficiently as possible, but the findings can also become a liability for your company if not protected properly.

This is where it is critical to partner with your legal team. Once a pre-assessment is conducted and the findings are accepted by your organization, they can't be ignored. The liability and responsibility is placed with the executive team to correct or mitigate the issues identified in the pre-assessment documentation.

If the executive team accepts certain risks, the analysis and decisions must be documented along with any discrepancies about control objectives noted by the PCI auditors. If the pre-assessment findings are not protected appropriately, they can wind up as "Exhibit A" in a future lawsuit, especially if you receive a discovery request related to a breach or identity theft. The same holds true for any proactive activity, such as code reviews or vulnerability assessments that provide audited results of your technology infrastructure and processes.

To provide the best protection for PCI audits and pre-assessments, information security and technology teams need to establish a partnership with the their internal legal group and include them every time an audit or pre-assessment results in officially documenting the state of technology. The legal teams can provide great value and insight into properly balancing the requested due diligence activity while limiting liabilities to the institution.

This balance is crucial for protecting the company's interests and being able to provide meaningful information to the technology teams that need to remediate any security gaps. The legal teams can review the potential activity and determine if they would like to be the stakeholder in order to manage the flow of information. I am not a lawyer, but in many cases certain activities can be proactively evaluated as a candidate for certain legal privileges, such as attorney work product, attorney-client and critical self-evaluating privileges, which can provide additional protection for the pre-assessment findings. That is why it is important to always include a legal expert who can review pre-assessment activity and determine the best course of action in protecting the assessment activity and potential findings.

In order to place your institution in a position of control, a best practice is to have the legal team sponsor the pre-assessment activity or be included in the earliest stages of the vendor selection and project development process. By including them in your company's auditing framework, you will discover that your PCI compliance objectives can be met while limiting the liabilities to your company.

About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the chief information security officer for GE Financial Assurance and Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and serves on several advisory boards at security technology firms.. He can be reached at

Dig Deeper on PCI DSS: Audits and requirements

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.