PCI DSS Audit: What It Is + How to Prepare

A PCI DSS audit is an examination of the security of your cardholder data environment against the requirements of the PCI DSS standard. This audit must be conducted by a Qualified Security Assessor (QSA).
Troy Fine

by Troy Fine

September 18, 2023
PCI Audits hero

If your company stores, processes, or transmits sensitive cardholder information, you're required to comply with the Payment Card Industry Data Security Standard (PCI DSS). While it may seem straightforward, the path to compliance may differ depending on how many card transactions you handle in a given year. 

Businesses handling a large number of transactions (think millions) on an annual basis must comply with a more stringent set of compliance requirements, including a PCI DSS audit. 

If you're a bit confused, that's OK. Below, we explain exactly what a PCI DSS audit is, which businesses are required to get an audit, and how you can prepare. 

What Is a PCI Audit?

A PCI DSS audit is an examination of the security of your cardholder data environment (CDE)  against the requirements of the PCI DSS. This rigorous audit can be performed by a Qualified Security Assessor (QSA) that works for a QSA firm. These are independent security professionals qualified by the PCI Security Standards Council (PCI SSC) to validate a company's compliance with the PCI standard.

It's important to note that a PCI DSS audit is not the only route to PCI compliance. Depending on your PCI level (more on that below), you can either prove compliance by: 

  • Having a QSA conduct an on-site audit, which will result in a Report on Compliance (ROC)

  • Completing a PCI DSS self-assessment questionnaire (SAQ)

The exact requirements will vary depending on the type of organization you are (merchant or service provider) and the level your organization falls under.

Three types of PCI reporting documentation

PCI Compliance Levels for Merchants 

To determine what level of PCI DSS compliance your organization belongs to, you’ll need to determine how many card transactions your business processes in a year. 

PCI DSS merchant compliance levels include varying requirements—the higher the level, the more stringent the requirements for compliance (and passing a PCI DSS audit) will be.

It's important to note that payment brands define their own PCI DSS compliance levels based on transaction volume. Below is a table with each payment brand and how they define PCI levels. 

Service providers working with merchants will have to determine their PCI DSS requirements (QSA audit or SAQ) based on the requirements from their merchants.

Merchant PCI Compliance Levels by Payment Brand





Level 1

Level 2

Level 3

Level 4

Visa

Merchants processing over 6 million transactions annually

Merchants processing 1 million to 6 million transactions annually

Merchants processing 20,000 to 1 million e-commerce transactions annually

Merchants processing less than 20,000 e-commerce transactions and all other merchants processing up to 1 million transactions annually

Mastercard

Merchants processing more than 6 million total combined Mastercard and Maestro transactions annually

Merchants processing more than 1 million but less than or equal to 6 million total combined Mastercard and Maestro transactions annually 

Merchants processing between 20,000 and 1 million combined Mastercard and Maestro e-commerce transactions  annually

All other merchants

Discover

Merchants processing 6 million or more card transactions annually 

Merchants processing between 1 million and 6 million card transactions annually

All other merchants

Discover does not have a Level 4

American Express

Merchants or service providers processing 2.5 million or more transactions annually

Merchants or service providers processing 50,000 to 2.5 million transactions annually

Merchants processing 10,000 to 50,000 transactions annually

Merchants processing below 10,000 transactions annually

JCB International

Merchants processing more than 1 million JCB transactions annually

Merchants processing fewer than 1 million JCB transactions annually

JCB does not have a Level 3

JCB does not have a Level 4


Note: UnionPay International was added to the PCI SSC in 2020. Merchants should contact UnionPay for more information about their PCI compliance requirements.

Level 1 merchants are required to undergo a PCI DSS audit on an annual basis. Additional requirements include: 

  • An annual ROC by a QSA

  • Quarterly network scans by an Approved Scanning Vendor (ASV)

  • Submission of completed Attestation of Compliance (AOC)

Merchants that process a smaller number of transactions will satisfy PCI requirements by completing a self-assessment questionnaire (SAQ) and completing an AOC. 

Any service provider or merchant that’s become a victim of a data breach that exposed cardholder data will have to pass a yearly on-site audit to ensure PCI compliance—no matter their PCI level. 

pci-reporting-requirements-by-compliance-level

What Does the PCI DSS Audit Process Look Like?

If you're undergoing a PCI DSS audit for the first time, you're probably curious about the process. Below, we outline the steps to compliance for Level 1 merchants. 

  1. Find a QSA to conduct your audit. The PCI SSC website has a database of QSAs to help you find one who operates near you. 

  2. Your QSA will begin their audit process. This will involve testing the controls in place to protect cardholder information. Your QSA will also test your payment applications (if applicable), dataflow, network in place for the cardholder data environment, and IT policies and procedures. 

  3. Your QSA will include their audit findings in an ROC. Once completed, they’ll share the ROC with your organization for review so you can address any control gaps in your PCI DSS compliance. 

  4. Once you’ve addressed compliance gaps, the QSA will forward the ROC to your acquiring bank. At this point, the QSA and your organization will produce and sign an AOC.

pci-audit-process-overview

The 6 Steps of a PCI DSS Audit

To help you prepare for and pass an upcoming PCI DSS audit, we've outlined what you need to do before, during, and after. 

1. Approve Your Assessment Scope

First things first: You need to set your PCI DSS assessment scope. In simple terms, your PCI DSS scope involves the people, processes, and technologies that interact with or could impact your cardholder data environment (CDE). 

Consider how cardholder data flows within your organization to begin scoping your CDE. Your physical point-of-sale (POS) systems and registers probably come to mind, but what about your online payment processing? 

List out all systems that store, process, or transmit cardholder data. From there, you can map out how this data flows throughout your organization and systems. Note the people who have access to these systems as well. This exercise will help identify what is and is not in scope for your PCI DSS assessment. 

Why it’s important: In order to accurately protect cardholder data, you need to know exactly what is and is not included within your scope. Scoping your CDE will enable you to accurately build and implement the necessary security controls to achieve PCI DSS compliance. 

2. Complete a Gap Assessment

After you've scoped your CDE, you can complete a gap assessment. This assessment compares your current security practices with the 12 PCI requirements to determine where your controls fall short. 

Once you’ve completed the gap analysis, you can address any weaknesses and vulnerabilities uncovered. 

Why it’s important: A gap assessment allows you to become familiar with your current security posture against the PCI DSS requirements and close any gaps before embarking on the official PCI DSS audit. 

3. Gather Documentation 

A PCI DSS audit includes quite a bit of paperwork. To help set yourself up for success, you'll want to ensure your CDE dataflows and current security policies and procedures are properly documented. 

Other important documentation includes: 

  • Encryption protocols

  • Procedures for securing stored card information

  • Data management policies

Why it’s important: The more detailed documentation you're able to provide your QSA, the smoother your audit process will be. 

4. Engage a QSA to Lead the Audit 

At this point, you're ready to engage a QSA to lead your audit. You can find a list of PCI SSC-approved QSAs on their website. 

Once you've chosen your QSA, they will take over the audit process. You will need to support the auditor during their on-site visit by sharing documentation and allowing the QSA to interview relevant team members. 

After they've completed their assessment, the QSA will include their findings within an ROC and share it with your organization. 

Why it’s important: The only way for a Level 1 merchant to prove PCI DSS compliance is by hiring an outside QSA to assess your PCI compliance against the standard.  

5. Address Control GapsFound in the ROC

After you've received the ROC, you must revise existing or implement additional security policies or procedures to satisfy any requirements your organization isn’t currently compliant with. 

Your QSA will work with you to set up a plan and timeline to address these control gaps. Once you’ve addressed those control gaps and the QSA has reviewed them, they will send over a final ROC for you to sign. Your ROC will signify to your stakeholders and clients that you are PCI DSS compliant. 

Why it’s important: Achieving and maintaining PCI DSS compliance is not only considered a best practice for any company handling cardholder data—it's required by payment brands. Failure to comply with the PCI DSS standard can result in hefty fines, losing your ability to process payments, and even jail time in more serious cases. 

6. Continuously Monitor Your PCI DSS Compliance 

PCI DSS compliance doesn't stop when you receive your final ROC—it’s an ongoing process that requires annual audits and continual monitoring of your security controls. 

To ensure you maintain your compliant status with PCI DSS, Level 1 merchants must: 

  • Engage a QSA to perform a PCI DSS audit and complete an ROC annually 

  • Complete external vulnerability scans by an ASV quarterly

  • Submit a completed AOC form annually

Once you become PCI DSS compliant, it's recommended to hire an ASV to conduct your quarterly external vulnerability scans so this step doesn't fall off your radar. The PCI SSC has a directory of qualified ASVs on its website to help you choose the right ASV for your organization. 

In addition to these requirements, the PCI SSC recommends the following best practices to help you maintain ongoing compliance: 

  • Maintaining security awareness: Train your staff on new and emerging threats to prevent data breaches and ensure your team is kept up to date. 

  • Monitor your third-party service providers: Develop and implement processes for monitoring your service providers to ensure they continue to maintain PCI DSS compliance.

  • Assign ownership for specific security activities: Assign management-level individuals to own important security activities to ensure they're being tracked and monitored. These activities may include coordinating resources, monitoring continuous compliance, and managing costs of PCI compliance

Why it’s important: PCI DSS compliance is not a one-and-done process. To ensure you maintain compliance year over year, annual audits and quarterly external vulnerability scans by an ASV will help you monitor your security posture and patch weaknesses before they become a bigger issue. 

consequences-of-pci-non-compliance

What Happens if You Don’t Pass a PCI Audit?

If your audit results are negative, you can address the control gaps and vulnerabilities uncovered in the ROC. While receiving negative feedback on your PCI DSS audit can be discouraging, think of it as an opportunity to fix weaknesses before they lead to more serious consequences. 

Again, PCI DSS non-compliance can lead to possible fines or losing the ability to process payment cards, which could severely damage trust with customers and impact your business.

If the results of your ROC are favorable, you can work on maintaining compliance. In either case, a good QSA will work with you to create a roadmap and goals to maintain and improve your security posture

How Drata Can Help You Prepare for and Pass a PCI Audit 

The path to PCI compliance isn't always easy to navigate. Whether you're just beginning to build your PCI compliance program or you're looking to remain compliant, you can benefit from automating certain steps to help you simplify the process. 

Book a demo with our team to find out how Drata can help.

Trusted Newsletter
Resources for you
PCI Compliance Checklist Hero

PCI DSS Compliance Checklist: Understanding the 12 Requirements

Penetration testing hero

Penetration Testing: Why It’s Important + Common Types

PCI Compliance Cost What It Takes to Become Certified

PCI DSS Compliance Cost: What It Takes to Become Certified

Choosing the Right PCI SAQ for Your Business

Choosing the Right PCI SAQ for Your Business

Troy Fine
Troy Fine
Troy Fine is a 10-year former auditor, now Director of Compliance Advisory Services at Drata. He advises customers on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include, GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.
Related Resources
PCI Compliance Checklist Hero

PCI DSS Compliance Checklist: Understanding the 12 Requirements

Penetration testing hero

Penetration Testing: Why It’s Important + Common Types

PCI Compliance Cost What It Takes to Become Certified

PCI DSS Compliance Cost: What It Takes to Become Certified

Choosing the Right PCI SAQ for Your Business

Choosing the Right PCI SAQ for Your Business