PCI DSS Audit and Report on Compliance (RoC)
What is a PCI audit?
A PCI DSS Report on Compliance (RoC) is required for organisations with large transaction volumes and must be conducted by a QSA, who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organisation is in full compliance.
A PCI DSS audit is a detailed review of an organisation’s cardholder data environment (CDE) using a standard methodology and reporting format that results in an RoC.
PCI DSS compliance, as demonstrated by an RoC, gives companies a competitive advantage by helping them secure their infrastructure and increase their overall trading credibility. Maintaining PCI DSS compliance helps protect credit card information and builds customer confidence.
Our Qualified Security Assessors are ready to help identify the best and most cost effective approach to assessing your payment processes and systems, and confirm they meet the standards set by the PCI Security Standards Council (PCI SSC).
Did you know?
Verizon’s 2018 Payment Security Report identified that 52.5 percent of businesses surveyed were fully compliant with the PCI DSS, compared to 55.4 percent in a previous study in 2016.
Data gathered by Verizon’s QSAs during 2017 identified that PCI compliance is decreasing among global businesses, with only 52.4 percent of organisations maintaining full compliance in 2017, compared to 55.4 percent in 2016.
Benefits of a PCI DSS audit
By conducting a PCI DSS risk assessment, you can help your organisation to:
- identify and understand the potential risks to its CDE;
- identify the presence of cardholder data that is not required for your business to function optimally;
- determine how to segment environments to isolate sensitive networks (CDE) from non-sensitive networks;
- provide your organisation with the insight into changing environments and ongoing discovery of emerging threats and vulnerabilities; and
- help it identify where mitigation controls need to be tightened.
Do you need to conduct a PCI audit?
You might need a formal assessment if any of the following apply:
- You are a Level 1 merchant processing large volumes of transactions annually (more than six million) with Mastercard or Visa.
- You are a merchant processing large volumes of transactions annually (more than one million) with Mastercard and you do not have a PCI DSS-trained internal assessor on staff.
- You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk.
- You are a service provider to merchants that can impact the security of their payment transactions and you have access to large volumes of transactions annually.
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Scoping: An engagement begins with a pre-assessment of your scope and compliance requirements.
- Pre-assessment information gathering: During this step, our PCI DSS QSA will conduct a pre-assessment, which includes a review of the network design, security policy review and on-site visit preparation.
- QSA PCI DSS audit: We will conduct a complete review of your cardholder data environment against the 12 PCI DSS requirements, and gather evidence that your controls are in place and working effectively.
- Completed PCI DSS AoC: Once all remediation items have been completed, we submit the completed RoC to our internal QA process before preparing the Attestation of Compliance (AoC) for formal submission, certifying your organisation as compliant.
How IT Governance can help you
Our services provide a tailored route to PCI compliance, scalable to your budget and need.
We go further than a simple ‘yes/no’ approach in order to understand better how your security measures work.
We work in partnership to help you understand what is required and why, giving you control.
We can offer expertise to vet compensating controls and determine whether they are acceptable.
Companies using our PCI DSS products and services
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.
Get a tailored quote for our PCI DSS Audit and RoC service
A PCI audit conducted by an IT Governance QSA provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the standard. We have a team of account managers and Qualified Security Assessors to discuss your PCI DSS challenges. For more information, please contact us.