A tale of two PCI security audits

27.10.2008

"We've had fairly decent interactions with our auditors," Kintigh said. "They've been willing to talk over issues with us before giving us the big red X. We are a small company and their processes are built for rather large companies."

Since only a small number of people sign off on software changes and similar decisions, auditors seem to have an easier time pinpointing strengths and weaknesses in the company's PCI security program. In this case, they recommended a more formalized software update process.

"They wanted to see tighter control over our procedures for software tracking, patch management and change management," he said. "We had a system in place but not under a formalized process. They wanted more documented, formal procedures and they wanted us to be more consistent about it."

At the beginning of the auditing process, they also examined the company's firewall rules and suggested changes. "We had various firewalls on different machines and the auditors suggested they wanted to see more of a commercial box for that," he said.

Each year, he said, the auditing process gets easier because the company gains a better understanding of what auditors tend to look at.