PCI DSS Audit and Report on Compliance (RoC)

Get a tailored quote for our PCI DSS Audit and RoC service

A PCI audit conducted by an IT Governance QSA provides a thorough assessment of the controls you have implemented and establishes whether they meet the requirements of the standard. We have a team of account managers and Qualified Security Assessors to discuss your PCI DSS challenges. For more information, please contact us.

What is a PCI DSS RoC?

Under the PCI DSS (Payment Card Industry Data Security Standard), certain organisations must undergo an annual external audit, conducted by a QSA (Qualified Security Assessor), to prove their compliance. As a rule of thumb, the more transactions you process, the more likely you’ll need to be audited.

After completing your audit, the QSA will write a RoC (Report on Compliance). This provides a summary of the information collected during the audit and compares it against the PCI DSS requirements. It’ll provide enough detail to show that you are either meeting each requirement or can justify why certain requirements are not applicable to you.

PCI DSS compliance helps your organisation protect payment card and cardholder information, helping you meet your obligations and facilitate customer confidence.

Our QSAs can help you determine the most cost-efficient way to achieve compliance with the PCI DSS.

Did you know?

Verizon’s 2022 Payment Security Report found that 43.4% of businesses surveyed in 2020 had maintained their compliance with the PCI DSS at their interim audit, an increase from 27.9% in 2019.

Benefits of PCI DSS scoping and gap analysis

By conducting scoping and gap analysis, you can help your organisation:

  • Identify and understand the potential risks to its CDE (cardholder data environment);
  • Identify cardholder data you have no business reason to store;
  • Identify ways to reduce the scope of the CDE;
  • Gain insight into changing environments and their impact on PCI DSS scope; and
  • Identify what controls to implement.

Do you need to be audited for PCI DSS compliance?

Whether you are required to undergo a formal assessment is down to your acquiring bank.

As a rule, you will need to employ a QSA to carry out an assessment if you process more than one million transactions annually or have had a card data breach in the past.

However, even if you do not need to be audited, you might still prefer the assurance that an independent assessment of your compliance provides.

Our engagement process

Our QSAs typically spend several days on-site, meeting the PCI DSS programme lead, key staff involved in managing relevant networks and systems, and other relevant staff.

The audit process typically follows these steps:

  1. Opening meeting with management
    We will explain to the management team what to expect from the audit and discuss the scope at a high level.
  2. Gather and review documentation
    We will gather and review all relevant documentation that can help demonstrate your compliance with the PCI DSS requirements.
  3. Review and confirm scope
    We will review the documented scope of the assessment to ensure it includes all assets that are part of or connected to the CDE.
  4. Select samples for testing
    If many system components are in scope, we will take a representative sample to test to make sure they meet the Standard’s requirements.
  5. Conduct interviews
    We will interview key staff to validate the evidence provided, and determine whether they know what assets are within the audit scope and how the PCI DSS controls have been implemented.
  6. Validate samples
    We will check the measures implemented within the samples selected earlier, and verify that they are consistent with what the documentation and staff interviews state. We will also check logs to determine that these measures are sustained throughout the year.
  7. Wrap-up meeting with PCI DSS lead
    Before we finalise the RoC, we will hold a meeting with the auditee’s PCI DSS lead to discuss any outstanding remediation actions.
  8. Complete the RoC
    We will then complete the RoC to provide a summary of the information collected during the audit, compared with the Standard’s requirements.
  9. Produce the AoC
    Finally, we will prepare the AoC for formal submission, certifying that your organisation is PCI DSS compliant.

How IT Governance can help you

Our services provide a tailored route to PCI DSS compliance, scalable to your budget and needs.

We go further than a simple yes/no approach to truly understand how security measures work.

We work in partnership with you to help understand what is required and give you control.

We can offer expertise to vet compensating controls and determine whether they are acceptable.

Companies using our PCI DSS products and services:

“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”

Damien Everard, COO of Appletree