PCI DSS Audits Explained

The Payment Card Industry Data Security Standard (PCI DSS) is a framework designed to protect payment card information, and any organisation that processes card payments must comply with it. This includes businesses that store, process or transmit cardholder data, as well as those whose systems could affect the security of that data while it is handled, maintained or transmitted.

Organisations validated against the Standard must have their PCI DSS compliance re-evaluated annually. An impartial Qualified Security Assessor Company (QSAC) is engaged to assess whether the organisation's processing practices and security measures still align with the requirements of the Standard. Merchants processing over 6 million transactions per year per card brand, and service providers handling more than 300,000 transactions, must have a Report on Compliance (ROC) completed. Organisations handling smaller volumes can instead demonstrate compliance by completing a self-assessment questionnaire (SAQ).

What is a PCI DSS Audit?

At the heart of PCI DSS lies the audit, a thorough examination of an organisation's compliance with the Standard's requirements. The audit assesses whether the organisation has properly implemented and maintained the PCI DSS controls, the security measures that protect the systems involved in card payment processing.

The Four Levels of PCI DSS Compliance

The card brands categorise merchants into four levels based on annual transaction volume, and this level dictates how an organisation must evidence its compliance. Level 1 covers the largest organisations, those processing over 6 million transactions per year. These organisations must have quarterly external vulnerability scans conducted by an Approved Scanning Vendor (ASV), an annual on-site assessment by a QSA producing a Report on Compliance, and annual penetration testing.

Level 2 includes organisations handling between 1 million and 6 million transactions per year. They complete a self-assessment questionnaire, quarterly ASV scans, an annual penetration test and an Attestation of Compliance (AOC) form, but are not required to undergo a QSA-led on-site audit (the card brands differ in detail; some require the SAQ to be completed by an employee holding the PCI Internal Security Assessor qualification). Level 3 merchants process between 20,000 and 1 million online transactions per year and have the same requirements as Level 2, minus the penetration testing requirement. Level 4 organisations process up to 1 million in-person transactions per year or fewer than 20,000 online transactions per year, and have the same requirements as Level 3. Note that which SAQ a merchant completes, and therefore which individual requirements it must evidence, depends on its payment channel (for example a fully outsourced e-commerce page versus an integrated checkout) rather than on its level alone.

Key Aspects of PCI DSS Audit Success

The first step of the audit process is scoping, a preparatory phase which defines what the assessment will cover. This involves identifying every system, location and process in which cardholder data is stored, processed or transmitted, together with any system that connects to, or could affect the security of, those systems. Best practice is to confirm scope at least annually and before each assessment. The organisation should define and document its scope proactively: if scope has not been established and evidenced, the assessor has to treat the entire environment as in scope.

An integral part of this is scoping the Cardholder Data Environment (CDE): the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. To do this, organisations must identify all locations and workflows involving cardholder data. Scope extends beyond the organisation's own boundaries to third parties and service providers that connect to or can affect the CDE; each of these must be covered by stringent security controls and either hold its own PCI DSS validation or be included in the organisation's assessment.
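One practical step in CDE scoping is confirming which data stores, logs and exports actually contain primary account numbers (PANs), since anything that does is in scope. The following is an added illustration written for this article, not a tool from the PCI SSC or any assessor: it scans constructed sample sources for Luhn-valid card numbers and reports each source as in scope or not, masking any PAN it prints. The source names and their contents are invented; the card numbers are the publicly known Visa and Mastercard test numbers.

```python
"""Cardholder-data discovery for CDE scoping (added example, constructed input)."""
import re

# A candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.  (Assumption: real systems format
# PANs both ways, so both are accepted.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation (ISO/IEC 7812), used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in a block of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Length filter guards against long numeric IDs that happen to pass Luhn.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Show at most the first six and last four digits, the PCI DSS masking limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scope_report(sources: dict) -> dict:
    """Map each source name to the masked PANs found in it.

    A source with any hit stores cardholder data and therefore belongs in the CDE;
    an empty list means no PAN was found (it may still be in scope for other reasons,
    e.g. connectivity to the CDE, which this scan cannot tell you)."""
    return {name: [mask(p) for p in find_pans(content)]
            for name, content in sources.items()}


# Constructed sample sources: an application log that leaks a full PAN on one line
# and stores a token on the next, a CRM export with a PAN typed into free text,
# and a build config whose 15-digit build id is not a card number (fails Luhn).
SAMPLE_SOURCES = {
    "app-server.log": (
        "2024-03-01 12:00:01 order=8812 card=4111 1111 1111 1111 status=approved\n"
        "2024-03-01 12:00:07 order=8813 card=tok_9f3b2c status=approved\n"
    ),
    "crm-export.csv": "id,name,notes\n17,J Doe,called re invoice 5500-0000-0000-0004\n",
    "build.cfg": "version=2024.03.01\nbuild_id=123456789012345\n",
}

if __name__ == "__main__":
    for src, hits in scope_report(SAMPLE_SOURCES).items():
        status = "IN SCOPE " + str(hits) if hits else "no cardholder data found"
        print(f"{src}: {status}")
```

Run over real file shares, databases and log archives, a scan like this turns the "identify every place cardholder data is utilised" step into evidence the assessor can review, and the tokenised second log line shows why tokenisation shrinks scope: a token is not a PAN, so a system that only ever sees tokens can be kept out of the CDE.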

Security policies

To become compliant with PCI DSS, organisations must restrict access to cardholder data to individuals whose job role requires it (need to know and least privilege), and must log access to cardholder data and to the systems that handle it so that activity can be traced back to a specific user. Efficient Governance, Risk and Compliance (GRC) tools can streamline evidence collection, reducing the time and cost of meeting the requirements. Network segmentation, which isolates the CDE from the rest of the network, and tokenisation, which replaces stored card numbers with surrogate values, both reduce the number of systems in scope and so simplify the audit and the overall compliance effort.

Risk Assessments

Risk assessments are a fundamental component of PCI DSS audits, and it’s important that organisations keep detailed documentation of the risks identified in the assessment and how those risks have been mitigated.

Network Diagrams

Maintaining comprehensive, current network diagrams is crucial for auditors to efficiently locate and assess the systems being evaluated. These diagrams, together with cardholder data-flow diagrams, provide both an overall and a detailed view of the environment, showing how cardholder data moves through it and which network connections are relevant to the CDE.

Final Thoughts

The PCI DSS audit process is a meticulous examination of a company's adherence to the requirements of the Standard and of the security measures it has implemented to protect cardholder data. Achieving and maintaining PCI DSS compliance for an audit can be difficult, but some consultancy companies such as urmconsulting.com can offer assistance, both by preparing organisations for audit and by facilitating the audit itself. Successful audits require a proactive approach to scoping, diligent security policies, and comprehensive risk assessments. By becoming PCI DSS compliant, organisations not only safeguard sensitive information but also strengthen their overall security posture in the face of evolving threats.