Make Your Auditor Happy: Follow These PCI Audit Requirements


What is a PCI Audit?

The PCI Security Standards Council certifies Qualified Security Assessors (QSAs) at companies like SecurityMetrics to validate a merchant's compliance with the PCI DSS. These QSAs perform assessments (also called audits) on site. Depending on its PCI merchant level, a business may be required to undergo such an audit. For example, level 1 merchants (those processing over 6 million card transactions per year) must pass an annual on-site assessment by a QSA. Read more about how merchant levels affect PCI DSS compliance requirements.

How to pass your next PCI DSS audit

No matter the type of business, whether a retail or service provider environment, similar problems materialize before or during an audit that ultimately slow audit progress. Aside from being experts on PCI audit requirements, on-site PCI DSS auditors are quick to spot the security problems in an environment.

PCI audit requirements

The job of a security auditor is to inspect and analyze what security methods, tools, and processes have already been implemented at a business.

If security isn't a top priority at your company, the PCI DSS assessment will be that much more difficult. That said, most environments need a little attention. Auditors like to see IT or compliance managers who work hard to stay on top of vulnerabilities and keep their organization secure. If such a team needs a little help to get over the last few bumps and clear its PCI DSS audit, an auditor will gladly provide it.

Every auditor wants to step into an audit environment full of eager, determined employees ready to help at every turn. Obviously, that doesn’t always happen.

See also: White Paper: How to Prepare for a PCI DSS Audit

What every PCI auditor wants

In an ideal world, auditors want the audit liaison or compliance officer to have:

  • An understanding of PCI terms and definitions.
  • A transparent and eager attitude toward their questions and suggestions.
  • A ready-made PCI audit checklist, including questions to ask the auditor.
  • Last year's Report on Compliance (ROC) printed out for them.
  • Documentation of how recent vulnerabilities have been addressed in the environment.
  • Talked with key stakeholders so they understand the organization's risks.
  • Reviewed event logs regularly.
  • Documentation of how third-party security risks are mitigated.
  • An understanding of PCI DSS 4.0.
  • An understanding of your PCI DSS scope.

Over the course of a year, businesses grow, card data environments change, and PCI DSS requirements are amended.

The quicker an auditor gets up to speed on those changes, the quicker you get through your audit.

Infographic: PCI audit tip checklist

We asked 8 of our top auditors their words of advice for those looking to pass their PCI DSS audit with flying colors, and came up with this 8-phase PCI audit checklist.


How to Pass Your Next Security Audit: 8 Tips from 8 QSAs
