What is a PCI DSS RoC?
Under the PCI DSS (Payment Card Industry Data Security Standard), certain organisations must undergo an annual external audit, conducted by a QSA (Qualified Security Assessor), to prove their compliance. As a rule of thumb, the more transactions you process, the more likely you’ll need to be audited.
After completing your audit, the QSA will write a RoC (Report on Compliance). This provides a summary of the information collected during the audit and compares it against the PCI DSS requirements. It’ll provide enough detail to show that you are either meeting each requirement or can justify why certain requirements are not applicable to you.
PCI DSS compliance helps your organisation protect payment card and cardholder information, helping you meet your obligations and facilitate customer confidence.
Our QSAs can help you determine the most cost-efficient way to achieve compliance with the PCI DSS.
Did you know?
Verizon’s 2022 Payment Security Report found that 43.4% of businesses surveyed in 2020 had maintained their compliance with the PCI DSS at their interim audit, an increase from 27.9% in 2019.
Benefits of PCI DSS scoping and gap analysis
By conducting scoping and gap analysis, you can help your organisation:
- Identify and understand the potential risks to its CDE (cardholder data environment);
- Identify cardholder data you have no business reason to store;
- Identify ways to reduce the scope of the CDE;
- Gain insight into changing environments and their impact on PCI DSS scope; and
- Identify what controls to implement.
Do you need to be audited for PCI DSS compliance?
Whether you are required to undergo a formal assessment is down to your acquiring bank.
As a rule, you will need to employ a QSA to carry out an assessment if you process more than one million transactions annually or have had a card data breach in the past.
However, even if you do not need to be audited, you might still welcome the assurance that you gain from an independent assessment of your compliance.
Our engagement process
Our QSAs typically spend several days on-site, meeting the PCI DSS programme lead, key staff involved in managing relevant networks and systems, and other relevant staff.
The audit process typically follows these steps:
- Opening meeting with management
We will explain to the management team what to expect from the audit and discuss the scope at a high level.
- Gather and review documentation
We will gather and review all relevant documentation that can help demonstrate your compliance with the PCI DSS requirements.
- Review and confirm scope
We will review the documented scope of the assessment to ensure it includes all assets that are part of or connected to the CDE.
- Select samples for testing
If many system components are in scope, we will take a representative sample to test to make sure they meet the Standard’s requirements.
- Conduct interviews
We will interview key staff to validate the evidence provided, and determine whether they know what assets are within the audit scope and how the PCI DSS controls have been implemented.
- Validate samples
We will check the measures implemented within the samples selected earlier, and verify that they are consistent with what the documentation and staff interviews state. We will also check logs to determine that these measures are sustained throughout the year.
- Wrap-up meeting with PCI DSS lead
Before we finalise the RoC, we will hold a meeting with the auditee’s PCI DSS lead to discuss any outstanding remediation actions.
- Complete the RoC
We will then complete the RoC to provide a summary of the information collected during the audit, compared with the Standard’s requirements.
- Produce the AoC
Finally, we will prepare the AoC (Attestation of Compliance) for formal submission, certifying that your organisation is PCI DSS compliant.
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree