PCI DSS Audit Process
Understanding the PCI DSS audit process helps you prepare effectively and avoid surprises. Whether you're completing a Self-Assessment Questionnaire (SAQ) or undergoing a full Qualified Security Assessor (QSA) assessment, knowing what to expect makes the process smoother.
This guide walks through both the self-assessment and QSA audit processes, timeline expectations, and how to prepare your team and evidence.
Key Takeaways
| Point | Summary |
|---|---|
| Two paths | SAQ (self-assessment) for most, QSA audit for Level 1 |
| Annual requirement | Validation required every year |
| Evidence-based | Every control must be supported by documentation |
| Continuous compliance | Controls must work year-round, not just during audit |
| Planning matters | Well-prepared audits go faster with fewer issues |
Understanding Your Validation Path
Your validation path depends on your merchant/service provider level and transaction volume:
| Level | Validation Method |
|---|---|
| Merchant Level 1 | QSA on-site assessment (ROC) |
| Merchant Levels 2-4 | Self-Assessment Questionnaire (SAQ) |
| Service Provider Level 1 | QSA on-site assessment (ROC) |
| Service Provider Level 2 | SAQ D (Service Provider) |
Note: Some acquiring banks or payment processors may require QSA validation even for lower-level merchants.
Path 1: Self-Assessment Questionnaire (SAQ)
What Is an SAQ?
The SAQ is a self-validation tool. You evaluate your own compliance against PCI DSS requirements and attest to the results. No external auditor validates your answers, but you're legally attesting to their accuracy.
SAQ Types and Scope
| SAQ | Questions (v4.0) | Typical For |
|---|---|---|
| A | ~27 | Fully outsourced e-commerce |
| A-EP | ~191 | E-commerce with website integration |
| B | ~43 | Imprint or dial-out terminals |
| B-IP | ~89 | IP-connected terminals |
| C-VT | ~87 | Virtual terminal |
| C | ~172 | Internet-connected payment apps |
| P2PE-HW | ~33 | P2PE hardware terminals |
| D (Merchant) | 330+ | All other merchants |
| D (Service Provider) | 330+ | All service providers |
SAQ Process
Step 1: Determine SAQ Type
- Analyze your payment flow
- Identify how you handle card data
- Confirm with payment processor or acquirer if unsure
Step 2: Gather Evidence
For each applicable requirement, collect:
- Policy documents
- Screenshots of configurations
- Log samples
- Process documentation
- Interview notes (for your own reference)
Step 3: Complete the SAQ
- Go through each requirement
- Mark as "In Place," "Not Applicable," or "Not in Place"
- Document any compensating controls
- Note any items requiring remediation
Step 4: Remediate Gaps
- Fix any "Not in Place" findings
- Implement missing controls
- Update documentation
Step 5: Complete Attestation
- Executive sign-off
- Sign the Attestation of Compliance (AOC)
- Submit to acquiring bank (if required)
Timeline: SAQ Completion
| Phase | Duration | Activities |
|---|---|---|
| Preparation | 1-2 weeks | Gather evidence, review requirements |
| Completion | 1-2 weeks | Answer all questions, identify gaps |
| Remediation | Variable | Fix any gaps found |
| Attestation | 1 day | Executive review and signature |
Total: 3-6 weeks typical for straightforward environments; longer if significant remediation needed.
Path 2: QSA Assessment (Report on Compliance)
What Is a QSA Assessment?
A Qualified Security Assessor (QSA) is a PCI SSC-certified company that evaluates your compliance. They conduct testing, review evidence, interview personnel, and issue a Report on Compliance (ROC).
Who Must Use a QSA?
- Level 1 Merchants: Over 6 million annual transactions
- Level 1 Service Providers: Over 300,000 annual transactions
- Post-Breach: Organizations may be escalated after security incidents
- Contractual: Some partners require QSA validation regardless of level
The QSA Assessment Process
Phase 1: Engagement and Scoping
| Activity | Purpose |
|---|---|
| QSA selection | Choose qualified assessor |
| Scoping meeting | Define CDE, connected systems |
| Document review | Assess current documentation |
| Assessment planning | Schedule interviews, testing |
Phase 2: Documentation Review
The QSA will request documentation including:
- Network diagrams
- Data flow diagrams
- Security policies and procedures
- System inventories
- Configuration standards
- Incident response plans
- Service provider contracts
Phase 3: On-Site Assessment
| Activity | What Happens |
|---|---|
| Interviews | QSA talks to personnel about processes |
| Observations | QSA observes controls in action |
| System testing | QSA examines configurations, logs |
| Sampling | QSA tests representative samples |
| Physical inspection | QSA reviews physical security |
Phase 4: Evidence Collection and Testing
For each requirement, the QSA will:
- Request evidence of compliance
- Test that controls are operating effectively
- Document findings
- Note any exceptions or gaps
Phase 5: Remediation (if needed)
If gaps are found:
- QSA documents findings
- You implement fixes
- QSA retests to verify remediation
- Repeat until all requirements met
Phase 6: Report Finalization
- QSA drafts Report on Compliance (ROC)
- You review for accuracy
- QSA finalizes report
- Both parties sign Attestation of Compliance (AOC)
Timeline: QSA Assessment
| Phase | Duration | Activities |
|---|---|---|
| Engagement | 2-4 weeks | QSA selection, scoping |
| Pre-assessment | 2-4 weeks | Documentation review, preparation |
| On-site assessment | 1-2 weeks | Interviews, testing |
| Report drafting | 2-4 weeks | QSA prepares ROC |
| Remediation | Variable | Fix any gaps |
| Finalization | 1-2 weeks | Final review, signatures |
Total: 3-6 months typical for first assessment; 2-4 months for annual re-assessments with mature programs.
Preparing for Your Assessment
Document Preparation Checklist
Network and Architecture:
- Network diagram showing CDE and connections
- Data flow diagram for cardholder data
- System inventory (hardware, software, applications)
- Cloud architecture documentation (if applicable)
Policies and Procedures:
- Information security policy
- Acceptable use policy
- Access control policy
- Change management procedure
- Incident response plan
- Vulnerability management procedure
- Vendor management policy
Technical Evidence:
- Firewall rule sets and documentation
- User access lists and roles
- System configuration standards
- Encryption documentation
- Audit log samples
- Vulnerability scan reports
- Penetration test reports
Operational Evidence:
- Security training records
- Access review documentation
- Change management tickets
- Incident response test results
- Service provider compliance evidence
Team Preparation
Key Interview Participants:
| Role | Interview Topics |
|---|---|
| Security/Compliance Lead | Overall program, policies |
| System Administrators | Configuration, patching |
| Network Administrators | Firewall, segmentation |
| Developers | Secure development, change management |
| Operations | Incident response, monitoring |
| HR | Background checks, training |
| Physical Security | Facility access, media handling |
Interview Tips:
- Answer questions directly and honestly
- It's okay to say "I don't know, let me find out"
- Provide evidence to support your answers
- Don't volunteer information beyond the question
- Be familiar with relevant policies and procedures
Evidence Quality
Good evidence is:
- Current: Dated within the assessment period
- Complete: Shows the full picture
- Relevant: Directly addresses the requirement
- Authentic: Screenshots, exports, or copies from actual systems
Examples of good evidence:
| Requirement | Good Evidence |
|---|---|
| MFA enabled | Screenshot of MFA configuration in identity provider |
| Quarterly scans | ASV scan report with passing results and date |
| Access reviews | Spreadsheet with reviewer notes and dates |
| Training | Training platform report showing completion |
Common Assessment Findings
High-Severity Findings
| Finding | Impact | Prevention |
|---|---|---|
| Missing MFA | Immediate remediation required | Implement MFA before assessment |
| Stored CVV | Critical violation | Never store CVV, audit data stores |
| Missing encryption | Data at risk | Encrypt all CHD at rest and in transit |
| No penetration test | Cannot complete assessment | Schedule test before assessment |
| Missing patches | Known vulnerabilities | Maintain patching program |
Medium-Severity Findings
| Finding | Impact | Prevention |
|---|---|---|
| Incomplete logging | Partial compliance | Audit logging configuration |
| Weak passwords | Must remediate | Enforce password policy |
| Missing documentation | Delays assessment | Prepare docs in advance |
| Inconsistent configurations | Remediation needed | Standardize configurations |
Administrative Findings
| Finding | Impact | Prevention |
|---|---|---|
| Policy not reviewed | Minor remediation | Annual policy review |
| Training outdated | Must update records | Track training annually |
| Vendor agreements missing | Need to obtain | Review vendor contracts |
The Report on Compliance (ROC)
ROC Structure
| Section | Contents |
|---|---|
| Executive Summary | Overview of assessment, summary of results |
| Scope of Work | What was assessed, excluded, methodology |
| Details of Reviewed Environment | CDE description, network, data flows |
| Quarterly Scan Results | ASV scan summary |
| Findings and Observations | Detailed testing results by requirement |
| Appendices | Supporting documentation |
Understanding ROC Results
For each requirement, the QSA will mark:
- In Place: Control is implemented and effective
- In Place with Compensating Control: Alternative control meets intent
- Not Applicable: Requirement doesn't apply to your environment
- Not in Place: Control is missing or ineffective
A compliant ROC has no "Not in Place" findings.
The Attestation of Compliance (AOC)
The AOC is the summary document you share with partners. It includes:
- Merchant/service provider information
- Assessment summary
- Description of scope
- Statement of compliance status
- Signatures from assessor and assessed entity
Sharing the AOC:
- Partners typically request AOC rather than full ROC
- ROC is detailed and often contains sensitive information
- AOC provides compliance confirmation without exposing details
Maintaining Compliance Year-Round
PCI DSS compliance is continuous, not a point-in-time achievement:
Ongoing Activities
| Frequency | Activity |
|---|---|
| Daily | Log review, security monitoring |
| Weekly | System reviews, access monitoring |
| Monthly | Patching review, policy check |
| Quarterly | Vulnerability scans (ASV external, internal) |
| Semi-annually | Segmentation testing, access reviews |
| Annually | Full assessment, penetration test, policy review |
Continuous Compliance Benefits
- No scramble before assessments: Evidence is always current
- Faster audits: Less remediation needed
- Lower risk: Security issues caught early
- Better security: Controls actually protect you
Frequently Asked Questions
How much does a QSA assessment cost?
Costs vary based on scope and complexity. Small environments might be in the range of tens of thousands, while complex environments can be significantly more. Get quotes based on your specific scope.
Can we fail a PCI assessment?
Not exactly. If you have findings, you remediate them, the QSA retests, and you continue until compliant. However, you can't receive a compliant ROC until all requirements are met.
What happens if we're not ready when the audit starts?
The assessment will take longer and cost more as findings require remediation and retesting. Consider a readiness assessment before the formal audit.
How long is a ROC valid?
ROC is a point-in-time document, but compliance validation is typically annual. Your AOC should be renewed annually.
Can we use the same QSA every year?
Yes. Continuity can make assessments more efficient since they understand your environment. However, some organizations rotate QSAs periodically for fresh perspective.
Preparing for your first PCI assessment or want to streamline your process? Talk to our team
Sources
- PCI DSS v4.0.1 Requirements - Full requirements
- PCI SSC Qualified Security Assessor Directory - Find a QSA
- PCI SSC SAQ Instructions - SAQ guidance