Our Payment Card Industry Data Security Standard (PCI DSS) audit conducted by a Qualified Security Assessor (QSA) provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the Standard.


Receive a fully documented RoC that is accepted by your business partners

A PCI DSS Report on Compliance (RoC) is required by organisations with large transaction volumes and must be conducted by a QSA who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organisation is in full compliance.

Level 1 merchants must have an external audit performed by a QSA and submit a RoC to their acquiring banks to prove their compliance. By demonstrating compliance, organisations not only meet their obligations but also establish a baseline for information security.

Why conduct an audit?

There are a number of circumstances that determine whether your organisation needs to undergo a formal assessment of its compliance with the Standard. The definition of who must undergo a formal assessment is determined by the card brands. You might need a formal assessment if any of the following apply:

  • You are a Level 1 merchant processing large volumes of transactions annually (more than six million) with Mastercard or Visa.
  • You are a merchant processing large volumes of transactions annually (more than one million) with Mastercard and you do not have a PCI DSS-trained internal assessor on staff.
  • You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk.
  • You are a service provider to merchants that can impact the security of their payment transactions and you have access to large volumes of transactions annually.

Why choose IT Governance for PCI consultancy?

Our services provide a tailored route to PCI compliance, scalable to your budget and needs.


We go further than a simple ‘yes/no’ approach to understand better how security measures work.

We work in partnership to help you understand what is required and why, giving you control.

We can offer expertise to vet compensating controls and determine whether they are acceptable.

Companies using our PCI DSS products and services:

“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.” Damien Everard, COO of Appletree.

The value of completing a PCI DSS audit

A PCI DSS audit is a detailed review of an organisation’s cardholder data environment (CDE) using a standard methodology and reporting format that results in an RoC. PCI DSS compliance as demonstrated by an RoC gives companies a competitive advantage by helping them secure infrastructure and increase their overall trading credibility. Maintaining PCI DSS compliance helps protect credit card information and facilitates customer confidence.

Our QSAs can:

  • Provide a consultative approach to your compliance and work in partnership with you and your stakeholders to understand your business. They’ll explain the intent of the PCI DSS requirements and help you interpret them in the context of your business.
  • Identify opportunities to lower the cost and reduce the complexity of what’s in scope for compliance.
  • Make provisions for the use of valid compensating controls, or architect a solution that includes them.

Our PCI DSS audit service

  • A PCI audit conducted by an IT Governance QSA provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the standard.

Get in contact

We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.