What is a PCI Audit on Compliance?
A PCI DSS Report on Compliance (RoC) is required of organizations with large transaction volumes and must be conducted by a Qualified Security Assessor (QSA), who issues a formal report to the Payment Card Industry Security Standards Council (PCI SSC) attesting that your organization is in full compliance.
A PCI DSS audit is a detailed review of an organization’s cardholder data environment (CDE) using a standard methodology and reporting format, and it results in a RoC.
PCI DSS compliance as demonstrated by a RoC gives companies a competitive advantage by helping them secure infrastructure and increase their overall trading credibility. Maintaining PCI DSS compliance helps protect credit card information and facilitates customer confidence.
Our Qualified Security Assessors are ready to help identify the best and most cost-effective approach to assessing your payment processes and systems, and to confirm they meet the standards set by the PCI Security Standards Council (PCI SSC).
Did you know?
Verizon’s 2018 Payment Security Report identified that 52.5% of businesses surveyed were fully compliant with the PCI DSS, compared to 55.4% in a previous study in 2016.
Data gathered by Verizon’s QSAs during 2017 identified that PCI compliance is decreasing among global businesses, with only 52.4% of organizations maintaining full compliance in 2017, compared to 55.4% in 2016.
Benefits of a PCI DSS audit
By conducting a PCI DSS risk assessment, you can help your organization to:
- Identify and understand the potential risks to its CDE
- Identify the presence of cardholder data that is not required for your business to function optimally
- Determine how to segment environments to isolate sensitive networks (CDE) from non-sensitive networks
- Provide your organization with insight into changing environments and the ongoing discovery of emerging threats and vulnerabilities
- Help it identify where mitigation controls need to be tightened
Do you need to conduct a PCI audit?
You might need a formal assessment if any of the following apply:
- You are a Level 1 merchant processing large volumes of transactions annually (more than 6 million) with Mastercard or Visa
- You are a merchant processing large volumes of transactions annually (more than 1 million) with Mastercard and you do not have a PCI DSS-trained internal assessor on staff
- You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk
- You are a service provider to merchants that can impact the security of their payment transactions and you have access to large volumes of transactions annually
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Scoping: An engagement begins with a pre-assessment of your scope and compliance requirements
- Pre-assessment information gathering: During this step, our PCI DSS QSA conducts a pre-assessment, which includes a review of the network design, a security policy review and preparation for the on-site visit
- QSA PCI DSS audit: We will conduct a complete review of your cardholder data environment against the 12 PCI DSS requirements, and gather evidence that your controls are in place and working effectively
- Completed PCI DSS AoC: Once all remediation items are complete, we submit the completed RoC to our internal QA process before preparing the Attestation of Compliance (AoC) for formal submission, certifying your organization as compliant
How IT Governance can help you
Our services provide a tailored route to PCI compliance, scalable to your budget and needs.
We go further than a simple ‘yes/no’ approach in order to understand better how your security measures work.
We work in partnership with you to help you understand what is required and why, giving you control.
We can offer expertise to vet compensating controls and determine whether they are acceptable.
Companies using our PCI DSS products and services:
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.