A PCI audit is an essential step toward becoming PCI compliant for Level 1 and some Level 2 merchants and service providers.

While the journey to PCI compliance is often thought of as long and tedious, the benefits of a PCI audit far outweigh the time they require. 

A PCI audit helps businesses identify and understand the potential threats facing cardholder data and implement security controls to better protect it. 

Ready to learn more about PCI audits and what they entail? We dig into the specifics and who needs to conduct an audit below.

What is a PCI DSS audit?

A PCI DSS audit, led by a Qualified Security Assessor (QSA), examines how your business handles customer payment information in accordance with the regulations outlined in the PCI DSS. 

The audit has three primary goals:

1. Examine current PCI controls and identify any gaps 
2. Provide guidance on how to fix non-conformities
3. Verify you’ve addressed all issues

For businesses that require a PCI audit (also called an assessment), the QSA looks at your current business practices to see whether you meet the 12 PCI requirements, either directly or through compensating controls. The QSA then completes a Report on Compliance (RoC) to verify your organization's compliance.

How long a PCI audit will take depends on a few factors. For businesses undergoing the PCI compliance process for the first time (which includes setting up security controls), the entire process can last roughly six months. 

The fieldwork portion of an audit, which involves a QSA interviewing team members and conducting relevant testing, can take about six to eight weeks. However, working with a compliance automation company like Secureframe can help shorten that process.

Who needs a PCI audit?

Not all businesses will need to undergo a PCI audit. Level 1 merchants and service providers are the only organizations required to undergo a QSA-led audit and complete an RoC. 

Level 1 merchants and service providers handle the highest volume of card payments of all four PCI levels. Here’s what that breakdown looks like:

• PCI DSS Merchant Level 1: Accepts card payments in exchange for goods and services and processes over 6 million transactions per year
• PCI DSS Service Provider Level 1: Processes cardholder data on behalf of another company and processes over 300,000 transactions per year 

Level 2 merchants and service providers may also be required to perform an annual audit and RoC. 

However, all merchants and service providers that have experienced a data breach that compromised cardholder data (CHD) are required to undergo an annual onsite audit.

What does the QSA do?

Your QSA will examine all of your systems, policies, and procedures against the PCI DSS requirements. 

QSAs will also:

• Double-check the information provided by your company 
• Approve (or direct you to make changes to) your PCI scope
• Evaluate your compensatory controls, which are alternative controls to satisfy a requirement that the company is unable to implement at that point
• Support your organization throughout the entire audit process
• Verify whether PCI DSS standards are being met
• Produce and submit a comprehensive final report (PCI AoC and RoC)

6 steps of a PCI audit

To help you understand what’s involved in a PCI audit, we walk through six steps from the initial scoping all the way through to ongoing PCI compliance monitoring. 

1. Define your scope 

When determining what’s in scope for your PCI assessment, you must identify all of the people, processes, and technologies that could impact the security of cardholder data. 

To understand what’s in scope for your business, consider all the locations and flows of CHD as well as the systems CHD are connected to (such as third parties and service providers) that, if compromised, could impact the integrity of that information. 

PCI scope needs to be re-evaluated annually to ensure its accuracy. Keeping detailed documentation of how the PCI scope was determined will help your auditor confirm whether scoping was done correctly.  

2. Find a Qualified Security Assessor (QSA)

Qualified Security Assessors (QSAs) are the only assessors licensed to perform a PCI audit. You can find a QSA by searching the official PCI website’s list of QSAs. 

While many companies outsource audits to a QSA, if your organization has its own internal auditor you may wish to have them receive PCI Security Standards Council training and certification as an Internal Security Assessor (ISA). ISAs are also able to complete annual PCI audits. 

3. Conduct a gap analysis

If you’re undergoing first-time compliance with PCI DSS, it can be helpful to do an initial gap analysis to make the compliance journey a little bit easier. 

A gap analysis helps merchants and service providers understand their current compliance status before undertaking the more extensive PCI audit. 

Similar to an official audit, a QSA or ISA leads the gap analysis to proactively address gaps in your security controls to potentially make the audit process faster and more efficient. 

4. Complete a QSA-led assessment

After a gap analysis, the next step will be for your QSA to conduct a thorough assessment. 

The assessment will involve:

• Reviewing documentation provided by the business
• Validating that required security controls are in place
• Interviewing relevant team members
• Inspecting physical security controls

5. Address security issues 

Once your QSA has completed their assessment, they will work with you to resolve any vulnerabilities or missing controls in order for you to receive a Report on Compliance (RoC). 

Once those non-conformities are addressed and reviewed by your QSA, they will send over a final RoC for you to sign. Once approved, your RoC will signify to your stakeholders and clients that you are PCI compliant. 

6. Continue to monitor PCI security standards

An approved RoC is not the final step of your PCI compliance journey. Businesses that are required to complete QSA-led audits will need to do so annually. 

Between audits, you’re responsible for continually monitoring security controls to ensure all PCI standards are being met. If your business changes and your PCI scope evolves, you’ll need to update that, as well. 

Ongoing PCI compliance can be overwhelming. However, there are tools and tips to help make the process easier, such as:

• Undergo penetration testing
• Utilize PCI scanning
• Use automatic evidence collection
• Invest in event log monitoring and management
• Employ network segmentation
• Ensure your third-party vendors are also PCI compliant
• Encrypt all cardholder data

PCI audit FAQ

Still have a few lingering PCI audit questions? We answer some of the most common questions below. 

How often do I need to undergo a PCI audit?

A Level 1 merchant or service provider will need to undergo a QSA- or ISA-led audit annually. 

If you’re a Level 2, 3, or 4 merchant or service provider that has experienced a data breach that compromised your customer’s card data, you will also need to complete a PCI audit. 

What happens if you fail a PCI audit?

Unlike a math test, a PCI audit is not a pass/fail test. Rather, think of a PCI audit as an opportunity to assess the effectiveness of your current security controls — and make them stronger.

If your QSA finds vulnerabilities within your cardholder data security practices, you might fail that particular section of the audit. However, your QSA will give you a “study guide” to help you make the necessary changes to achieve PCI compliance. 

While it would be nice not to find issues during the audit, identifying them during this phase can save you from larger non-compliance issues down the road. These include costly financial and reputational consequences.

How Secureframe can help you prepare for and pass a PCI audit

Unsure how you’ll fare in a PCI audit? 

Secureframe offers businesses the chance to complete a PCI readiness assessment to help you identify and correct weaknesses before a QSA ever looks into your security practices. 

Request a demo today to see how Secureframe can help you achieve and maintain PCI compliance.