What Are the PCI Audit Requirements?

If your organization is mandated to pass an on-site audit and submit a Report on Compliance under the Payment Card Industry Data Security Standard (PCI DSS), there are certain requirements to which you must adhere. You must either:

  1. Hire a Qualified Security Assessor certified by the PCI Security Standards Council (PCI DSS) to conduct an on-site audit of your information security controls, policies, and practices related to the Cardholder Data Environment (CDE), or
  2. Sponsor your organization’s internal auditor for PCI SSC training and certification as an Internal Security Assessor so that person can perform the yearly PCI DSS audits.
  3. Pass the audit so the QSA or ISA can submit a Report on Compliance (ROC) to your acquiring bank.
  4. Maintain compliance until your next annual audit, performing vulnerability scans, controls testing, and penetration tests frequently to ensure that your systems and networks are keeping credit and debit card and cardholder data secure and private.

Who Must Obtain a PCI DSS Audit

All merchants and service providers that accept, process, store, or transmit credit card or debit card data must comply with PCI DSS requirements, an information security framework with 12 requirements and 281 directives.

Only merchants processing more than 1 million or 6 million payment card transactions per year (depending on which card brands you accept) and service providers processing, storing, or transmitting more than 300,000 card transactions per year are required to be audited for PCI DSS compliance.

For smaller merchants, completing a self-assessment questionnaire (SAQ) and submitting an Attestation of Compliance (AOC) will usually suffice.

However, all merchants and service providers that have experienced data breaches that compromised payment card data must also pass a yearly on-site audit for PCI compliance.

How To Pass the Audit With Ease

To make obtaining the ROC as smooth and worry-free as possible, follow these steps pre-audit to avoid non-compliance:

  •     Complete the self-assessment questionnaire relevant to your business and remedy any compliance gaps you find.
  •     Use firewalls to segment your CDE from the rest of your system to narrow the scope of the auditor’s examination.
  •     Test the controls relevant to your CDE, even if you have already done so. Evidence that they are working as they should be current.
  •     Have your security policy, IT architecture diagrams, CDE card-data flow charts, and other relevant documents on hand for the auditor.
  •     Use a quality PSS DSI compliance software to assess your compliance, track compliance efforts, monitor your systems and service providers, collect and store all your compliance documentation, and more.