PCI DSS Audit and Report on Compliance (RoC)

What is a PCI DSS Report on Compliance?

A PCI DSS Report on Compliance (RoC) is required of organisations with large transaction volumes. It must be completed by a Qualified Security Assessor (QSA), who produces a formal report, together with an Attestation of Compliance (AoC), documenting whether your organisation meets every applicable PCI DSS requirement. The RoC and AoC are submitted to your acquiring bank or the relevant payment brand (not to the PCI Security Standards Council, which publishes the standard but does not receive reports).

A PCI DSS audit is a detailed review of an organisation’s cardholder data environment (CDE) using the standard assessment methodology and reporting template defined by the PCI SSC. Its output is the RoC.

PCI DSS compliance demonstrated by a RoC gives an organisation a competitive advantage: the assessment hardens the infrastructure that handles card data, and the report gives acquirers, partners and customers independent evidence that cardholder data is being protected.

Our Qualified Security Assessors are ready to help identify the best and most cost effective approach to assessing your payment processes and systems, and confirm they meet the standards set by the PCI Security Standards Council (PCI SSC).

Did you know?

Verizon’s 2018 Payment Security Report, based on data gathered by Verizon’s QSAs during 2017, found that only 52.5 percent of the organisations assessed were fully compliant with the PCI DSS at the time of their interim validation, down from 55.4 percent in 2016. In other words, almost half of the businesses assessed had let controls lapse between annual assessments.

Benefits of a PCI DSS audit

By conducting a PCI DSS audit, you can help your organisation to:

  • Identify and understand the risks to its CDE.
  • Locate cardholder data that is being stored or processed without a business need, so it can be removed and the scope of the assessment reduced.
  • Determine how to segment the network so that the CDE is isolated from systems that do not need access to cardholder data.
  • Gain insight into how its environment is changing and into newly discovered threats and vulnerabilities.
  • Identify where existing controls need to be tightened or compensating controls introduced.

Do you need to conduct a PCI audit?

You might need a formal assessment by a QSA if any of the following apply:

  • You are a Level 1 merchant processing more than six million Visa or Mastercard transactions annually.
  • You are a Mastercard Level 2 merchant processing more than one million transactions annually and you do not have a PCI DSS Internal Security Assessor (ISA) on staff to complete your self-assessment.
  • You are a merchant that has suffered a breach in the past or has otherwise been designated by a payment brand or acquirer as representing exceptional risk.
  • You are a service provider whose services can affect the security of merchants’ payment transactions or cardholder data, and you handle large volumes of transactions annually.

Our engagement process

The service typically involves several days on-site for our QSAs to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.

  1. Scoping: An engagement begins with a pre-assessment of your scope and compliance requirements, identifying which systems store, process or transmit cardholder data, which systems are connected to or could affect the security of the CDE, and which PCI DSS requirements therefore apply.
  2. Pre-assessment information gathering: Our QSA reviews the network design and data flows, reviews your security policies and procedures, and prepares for the on-site visit.
  3. QSA PCI DSS audit: We conduct a complete review of your cardholder data environment against the 12 PCI DSS requirements, and gather evidence (configuration reviews, interviews, observation and sampling) that your controls are in place and operating effectively.
  4. Completed RoC and AoC: Once any remediation items have been closed, the completed RoC goes through our internal QA process, after which we prepare the AoC for formal submission to your acquirer or payment brand, attesting that your organisation is compliant.

Find out more about our PCI DSS Compliance Audit and RoC service

How IT Governance can help you

Personalised approach

We go further than a simple ‘yes/no’ checklist approach to understand how each security measure actually works in your environment.

Professional advice

We work in partnership with your organisation to help you understand what is required and why.

Tailored packages

Our services provide a tailored route to PCI compliance, scalable to your budget and needs.

Delivered by experts

Our QSAs can assess any compensating controls you rely on and confirm that they meet the intent and rigour of the original requirement, as PCI DSS requires.
