What is a PCI Audit on Compliance?
A PCI DSS Report on Compliance (ROC) is required by organisations with large transaction volumes.
It must be conducted by a QSA who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organisation is in full compliance.
A PCI DSS audit is a detailed review of an organisation’s cardholder data environment (CDE) using a standard methodology and reporting format that results in an RoC.
PCI DSS compliance, as demonstrated by a RoC, gives companies a competitive advantage by helping them secure infrastructure and increase their overall trading credibility. Maintaining PCI DSS compliance helps protect credit card information and facilitates customer confidence.
Our Qualified Security Assessors are ready to help identify the best and most cost-effective approach to assessing your payment processes and systems, and confirm they meet the standards set by the PCI Security Standards Council (PCI SSC).
Did you know?
Verizon’s 2018 Payment Security Report identified that 52.5 per cent of businesses surveyed were fully compliant with the PCI DSS, compared to 55.4 per cent in a previous study in 2016.
Data gathered by Verizon’s QSAs during 2017 identified that PCI compliance is decreasing among global businesses, with only 52.4 per cent of organisations maintaining full compliance in 2017, compared to 55.4 per cent in 2016.
Benefits of a PCI DSS audit
By conducting a PCI DSS risk assessment, you can help your organisation to:
- Identify and understand the potential risks to its CDE.
- Identify the presence of cardholder data that is not required for your business to function optimally.
- Determine how to segment environments to isolate sensitive networks (CDE) from non-sensitive networks.
- Provide your organisation with insight into changing environments and ongoing discovery of emerging threats and vulnerabilities.
- Identify where mitigation controls need to tighten.
Do you need to conduct a PCI audit?
You might need a formal assessment if any of the following apply:
- You are a Level 1 merchant processing large volumes of transactions annually (more than six million) with Mastercard or Visa.
- You are a merchant processing large volumes of transactions annually (more than one million) with Mastercard, and you do not have a PCI DSS-trained internal assessor on staff.
- You are a merchant that has been breached in the past or otherwise deemed to represent exceptional risk.
- You are a service provider to merchants that can impact the security of their payment transactions, and you have access to large volumes of transactions annually.
Our engagement process
The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme, key staff involved in network administration and cardholder systems, and the individuals responsible for company procedures and policies.
- Scoping: An engagement begins with a pre-assessment of your scope and compliance requirements.
- Pre-assessment information gathering: During this step, our PCI DSS QSA will conduct a pre-assessment, which includes reviewing the network design, security policy review and on-site visit preparation.
- QSA PCI DSS audit: We will conduct a complete review of your cardholder data environment against the 12 PCI DSS requirements, and gather evidence that your controls are in place and working effectively
- Completed PCI DSS AoC: After completing all the remediation items, we will submit the completed RoC to our internal QA process before preparing the AoC ready for formal submission, certifying your organisation as compliant.
Find out more about our PCI Compliance Audit and ROC >>
"IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.