PCI DSS Onsite Audit Service

To protect the security of cardholder data, the PCI Security Standards Council requires organizations working with payment cards to maintain compliance with PCI DSS. If you are an organization that stores, processes or transmits cardholder data, you may be asking our authorized QSA company, “How do you conduct a PCI audit?”

A PCI audit is a rigorous review against the Payment Card Industry Data Security Standard, which consists of approximately 400 individual controls, and is a critical part of staying in business for any merchant, service provider or sub-service provider involved in the processing of cardholder data.

The service typically requires several days onsite, during which our QSAs meet with the administrators overseeing the PCI DSS program, key personnel involved in network management and cardholder systems, and the people responsible for company policies and procedures.

  • Scoping: The engagement begins with a preliminary assessment of your scope and compliance requirements.
  • Pre-assessment information gathering: During this step, our PCI DSS QSA performs a pre-assessment that includes a network design review, a security policy review, and preparation for the onsite visit.
  • QSA PCI DSS audit: We perform a full inspection of your cardholder data environment against the 12 PCI DSS requirements and gather evidence that your controls are in place and operating effectively.
  • Complete PCI DSS AoC: After all remediation items have been completed, we submit the completed RoC to our internal QA process and confirm that your organization is compliant before the AoC is prepared for official delivery.

The audit should be performed by a QSA, who makes a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to verify that your organization is fully compliant.

A PCI Compliance Certification (AoC) is a certification completed by the Qualified Security Assessor (QSA) that specifies an organization’s PCI DSS compliance status. An AoC is documented proof that an organization follows security best practices to protect cardholder data. In short, an AoC is a written statement that your organization has completed the applicable SAQ and has been verified by a QSA.

A PCI Compliance Report (RoC) is issued by a QSA and details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a comprehensive assessment completed by a QSA that includes a review of onsite audits and controls. After the auditor has tested your controls and documented your processes, a summary of findings is produced that results in the final RoC.

Each RoC is prepared according to the PCI Security Standards Council’s specifications for a qualified RoC, derived from the RoC Reporting Template provided to all QSAs. Standardized reporting allows your organization to give every stakeholder, customer or interested party a clear representation of your PCI compliance status.

CertBy provides a PCI DSS onsite audit service. Delivered as an authorized QSA, this service produces the AoC (Attestation of Compliance) and RoC (Report on Compliance) as outputs.

Our company, which provides all services required for PCI DSS compliance by payment and electronic money institutions under Law No. 6493, also offers ISO 27001 consultancy, penetration testing and secure code development training. For more detailed information about our services, you can reach us at info@certby.com.