PCI DSS Audit
Our Payment Card Industry Data Security Standard (PCI DSS) audit conducted by a Qualified Security Assessor (QSA) provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the Standard.
Receive a fully documented RoC that is accepted by your business partners
A PCI DSS Report on Compliance (ROC) is required by organizations with large transaction volumes and must be conducted by a QSA who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organization is in full compliance.
Level 1 merchants must have an external audit performed by a QSA and submit a RoC to their acquiring banks to prove their compliance. By demonstrating compliance, organizations not only meet their obligations but also establish a baseline for information security.
Why conduct an audit?
There are a number of circumstances that determine whether your organization needs to undergo a formal assessment of its compliance with the Standard. The definition of who must undergo a formal assessment is determined by the card brands. You might need a formal assessment if any of the following apply:
- You are a Level 1 merchant processing large volumes of transactions annually (more than six million) with Mastercard or Visa.
- You are a merchant processing large volumes of transactions annually (more than one million) with Mastercard and you do not have a PCI DSS-trained internal assessor on staff.
- You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk.
- You are a service provider to merchants that can impact the security of their payment transactions and you have access to large volumes of transactions annually.
The value of completing a PCI DSS audit
A PCI DSS audit is a detailed review of an organization’s cardholder data environment (CDE) using a standard methodology and reporting format that results in an RoC. PCI DSS compliance as demonstrated by an RoC gives companies a competitive advantage by helping them secure infrastructure and increase their overall trading credibility. Maintaining PCI DSS compliance helps protect credit card information and facilitates customer confidence.
Our QSAs can:
- Provide a consultative approach to your compliance and work in partnership with you and your stakeholders to understand your business. They’ll explain the intent of the PCI DSS requirements and help you interpret them in the context of your business.
- Identify opportunities to lower the cost and reduce the complexity of what’s in scope for compliance.
- Make provisions for the use of valid compensating controls, or architect a solution that includes them.
Our PCI DSS audit service
A PCI DSS audit conducted by an IT Governance QSA provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the Standard.
What can you expect from a PCI DSS audit?
Our service starts with a pre-assessment of your scope and compliance requirements. Our QSAs will then conduct a complete review of the CDE against the 12 PCI DSS requirements and evidence that your controls are implemented and working correctly.
We review and analyse your organization’s policies, procedures, configurations and data flow diagrams as required for validating PCI DSS compliance. We also conduct interviews and observe systems and processes to validate your compliance.
Our team delivers a full RoC against the current version of the Standard. We also provide a completed Attestation of Compliance (AoC) form.
What will my service cover?
- Our QSA will gather documentation for the audit, before conducting a number of on-site interviews with the relevant resource.
- During the interviews, our QSA will review each of the PCI DSS requirements and sub-requirements to establish if they are currently complied with.
- We then submit the completed RoC to our internal QA process, before preparing the AoC ready for the formal submission, certifying your organization as compliant.
Get in contact
We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.