Onsite PCI DSS Auditing

A Merchant or Service Provider undergoing an onsite audit against the PCI DSS usually calls in a Qualified Security Assessor (QSA) to conduct the assessment.

Getting an experienced QSA team to guide you is fundamental to a successful audit.

A PCI DSS onsite audit involves being assessed against the entire PCI standard. The documentation used to perform the assessment centres on the Report on Compliance - affectionately known as the ROC.

The process behind the audit appears, on the face of it, to be fairly straightforward. The ROC follows the structure of the Data Security Standard itself (and of Self-Assessment Questionnaire D). Assuming you are fully compliant, the audit completes successfully and the results are recorded in the ROC. Formal documentation, including an Attestation of Compliance, is then passed to either your Acquirer or the card schemes for processing and official recognition.

Getting to the stage of a successful audit has often been described as a 'journey'. When undertaking an onsite audit, organisations need assistance, especially in interpreting certain parts of the PCI standard. Every client is different, and some find the standard ambiguous and confusing in places.

We have been performing onsite audits for large and small clients for several years. During this time, we have developed a cost effective approach to PCI auditing that provides the right level of assistance to ensure you certify successfully.

Stage 1: Onsite Gap Analysis

Our QSA team performs an onsite assessment to help you understand your cardholder data environment and processing arrangements. All results are recorded in the ROC. All issues or 'gaps' are recorded for remediation purposes.

A key area we address is scope. The PCI DSS applies to the people, processes and systems that store, process or transmit cardholder data, together with any systems connected to that environment. Understanding where this cardholder data environment sits, and being able to segment it from networks that do not handle card data, reduces the environment that has to be audited.

Features:

  • Performed onsite using our in-house QSA team.
  • Often used to confirm the scope of the PCI environment ready for the final audit.
  • Recorded in the ROC - a detailed assessment of what is and is not in place.
  • Recommendations made against gaps to achieve compliance.
  • All findings peer reviewed by our QSA team.

Stage 2: Remediation Assistance

Once the gap analysis has been completed, you will have a detailed understanding of what needs to be fixed to comply with the PCI DSS. We are frequently called upon to study designs, perform independent product selections and review remediation progress.

You will be working with one of our experienced QSAs, and all recommendations are reviewed by the wider QSA team.


Stage 3: Final Audit

A Final Audit is normally conducted to confirm that your organisation is PCI compliant. This assumes that you have previously been measured against the PCI DSS and addressed all identified issues.

Our QSA team records all results in the ROC. Any issues or 'gaps' are recorded for remediation, and 30 days are allowed to close them. If the 30-day limit is exceeded, too much time has elapsed for the original results to stand, and another full audit is required to measure compliance.

Our approach to performing an onsite audit follows the Quality Assurance guidelines set by the PCI Security Standards Council. To ensure a consistent approach, we adhere to set procedures when assessing whether each individual requirement of the standard is 'in place'. This might include reviewing documentation, interviewing staff or sampling systems on the network.

We are committed to quality: every ROC we produce is reviewed by two other members of our QSA team before it is issued.

Features:

  • Performed onsite using our in-house QSA team.
  • Strict adherence to the PCI Security Standards Council's Quality Assurance guidelines.
  • Recorded in the ROC - a detailed assessment of what is and is not in place.
  • All findings peer reviewed by our QSA team.

Feel free to contact us to discuss any aspect of your security or compliance programme.


Some useful steps for Merchants and Service Providers when preparing for an onsite audit:

  • If you work with an Acquirer, you should have received a request from them to demonstrate PCI compliance. Many Acquirers include advice on what Merchant level you are and how to demonstrate compliance.
  • For Merchants, satisfying your Acquirer's requests is paramount. The Acquirer works with the payment card brands (Mastercard, Visa, Amex, JCB and Discover) to track the PCI compliance progress of its Merchant customer base, so keeping your Acquirer up to date on your progress is highly important.
  • Level 1 Service Providers that have passed an onsite audit are registered online as compliant. For example, see the Compliant Service Provider listing on the Visa Account Information Security pages (Visa AIS).
  • You can find out more about the PCI DSS at: http://www.pcisecuritystandards.org.
  • Scoping your PCI network is key to a successful compliance audit. The more you are able to rationalise and segment this network, the smaller the environment to be audited. Remember, the PCI DSS applies to networks that store, process or transmit card data, and to networks directly connected to them.
  • Identify any third parties you work with that interact with your cardholder data, such as hosting providers, software developers and backup providers. Many of these organisations will need to demonstrate their own compliance to you, so that you can be sure your data is protected and your own compliance is not undermined.


Featured service

Our PCI policy pack is a detailed suite of documents developed by our experienced QSA team.

Additional Information

  • We are an experienced QSA company and have been performing audits for many years.
  • Communication is very important, and our audit package includes advice that often saves organisations time and money.
  • We are completely independent and have no allegiance to product vendors. Our neutral stance allows us to make unbiased product selections for clients.
  • If required, we can independently liaise with your Acquirer to ensure you correctly interpret Acquirer requests.



© 2010 Ambersail Ltd