By undergoing a PCI audit, Level 1 and some Level 2 merchants and service providers can better identify and help you understand the controls needed to be put into place to protect against potential threats facing cardholder data and systems that impact cardholder data. 

Ready to learn more about PCI audits and what they entail? Find the specifics on who needs to conduct an audit and how to prepare for one below.

What is a PCI DSS audit?

A PCI DSS audit, led by a Qualified Security Assessor (QSA), examines how your business handles customer payment information in accordance with the requirements outlined in the PCI DSS. 

The audit has three primary goals:

  1. Examine current PCI controls and identify any gaps 
  2. Document the gaps and provide a list of remediation items
  3. Verify you’ve addressed all issues

During a PCI audit, the QSA looks at your current controls to see whether you meet the 12 PCI requirements, either directly or through compensating controls. The QSA then completes a Report on Compliance (RoC) or attests against your SAQ to verify your organization's compliance.

Who needs a PCI audit?

Not all businesses will need to undergo a PCI audit. Level 1 merchants and service providers are the only organizations required to undergo a QSA-led audit and complete an RoC (unless specifically requested of your organization). 

Level 1 merchants and service providers handle the highest volume of card payments of all four PCI levels. Here’s what that breakdown looks like:

  • PCI DSS Merchant Level 1: Accepts card payments in exchange for goods and services and processes over 6 million transactions per year
  • PCI DSS Service Provider Level 1: Processes cardholder data on behalf of another company and processes over 300,000 transactions per year 

Level 2 merchants and service providers may also be required to perform an annual audit and attested SAQ. 

However, all merchants and service providers that have experienced a data breach that compromised cardholder data (CHD) could be required to undergo an annual audit.

What does the QSA do?

Your QSA will examine all of your controls, policies, and procedures against the PCI DSS requirements. 

QSAs will also:

  • Review evidence provided by your company 
  • Approve (or direct you to make changes to) your PCI scope
  • Evaluate your compensating controls, which are alternative controls to satisfy a requirement that the company is unable to implement at that point
  • Verify whether PCI DSS standards are being met
  • Produce and submit a comprehensive final report (PCI AoC and RoC)

6 steps of a PCI audit

To help you understand what’s involved in a PCI audit, we walk through six steps from the initial scoping all the way through to ongoing PCI compliance monitoring. 

1. Define your scope 

When determining what’s in scope for your PCI assessment, you must identify all of the people, processes, and technologies that could impact the security of cardholder data. 

To understand what’s in scope for your business, consider all the locations and flows of CHD as well as the systems CHD are connected to (such as third parties and service providers) that, if compromised, could impact the integrity of that information. 

PCI scope needs to be re-evaluated annually to ensure its accuracy. Keeping detailed documentation of how the PCI scope was determined will help your auditor confirm whether scoping was done correctly.  

2. Find a Qualified Security Assessor (QSA)

Qualified Security Assessors (QSAs) are the only assessors licensed to perform a PCI audit. You can find a QSA here or by searching the official PCI website’s list of QSAs

While many companies outsource audits to a QSA, if your organization has its own internal auditor you may wish to have them receive PCI Security Standards Council training and certification as an Internal Security Assessor (ISA). ISAs are also able to complete annual PCI audits. 

3. Conduct a gap analysis

If you’re undergoing first-time compliance with PCI DSS, it can be helpful to do an initial gap analysis to make the compliance journey a little bit easier. 

A gap analysis helps merchants and service providers understand their current compliance status before undertaking the more extensive PCI audit. 

Similar to an official audit, a QSA, ISA, or experienced person leads the gap analysis to generate a report which states findings allowing you as an organization to proactively address gaps in your security controls to potentially make the audit process faster and more efficient. 

4. Complete a QSA-led assessment

After a gap analysis, the next step will be for your QSA to conduct a thorough assessment. 

The assessment will involve:

  • Reviewing documentation provided by the business
  • Validating that required security controls are in place
  • Interviewing relevant team members
  • Inspecting physical security controls

5. Address security issues 

Once your QSA has completed their assessment, they will provide a documented list of findings and allow you to potentially resolve any vulnerabilities or missing controls in order for you to receive a Report on Compliance (RoC). 

Once those non-conformities are addressed and reviewed by your QSA, they will send over a final RoC for you to review. Once approved, your RoC will signify to your stakeholders and clients that you are PCI compliant. 

6. Continue to monitor PCI security standards

An approved RoC is not the final step of your PCI compliance journey. Businesses that are required to complete QSA-led audits will need to do so annually. 

Between audits, you’re responsible for continually monitoring security controls to ensure all PCI standards are being met. If your business changes and your PCI scope evolves, you’ll need to update that, as well. 

Ongoing PCI compliance can be overwhelming. However, there are tools and tips to help make the process easier, such as:

  • Perform ASV scanning
  • Use automatic evidence collection
  • Continually monitor your systems and internal controls
  • Fill out and store vendor risk assessments

PCI audit FAQ

Still have a few lingering PCI audit questions? We answer some of the most common questions below. 

How long does a PCI audit take?

How long a PCI audit will take depends on a few factors. For businesses undergoing the PCI compliance process for the first time (which includes setting up security controls), the entire process can last roughly six months. 

The fieldwork portion of an audit, which involves a QSA interviewing team members and conducting relevant testing, can take about six to eight weeks. However, working with a compliance automation company like Secureframe can help shorten that process.

How often do I need to undergo a PCI audit?

A Level 1 merchant or service provider will need to undergo a QSA- or ISA-led audit annually. 

If you’re a Level 2, 3, or 4 merchant or service provider that has experienced a data breach that compromised your customer’s card data, you will also need to complete a PCI audit. 

What happens if you fail a PCI audit?

Unlike a math test, a PCI audit is not a pass/fail test. Rather, think of a PCI audit as an opportunity to assess the effectiveness of your current security controls — and make them stronger.

If your QSA finds vulnerabilities within your cardholder data security practices, you might fail that particular section of the audit. However, your QSA will give you a “study guide” to help you make the necessary changes to achieve PCI compliance. 

While it would be nice not to find issues during the audit, identifying them during this phase can save you from larger non-compliance issues down the road. These include costly financial and reputational consequences.