Learning Center Home > Infographic > PCI Audit Timeline

PCI Audit Timeline


PCI Audit Timeline

How To Prepare For And Manage a PCI Audit

This post contains part of the text from the SecurityMetrics PCI Audit Timeline Checklist

To view the full interactive checklist, download the PDF below:

Interactive PCI Audit Timeline Checklist

Download PDF Here


One Year Before

Before you sign a contract, you will want to plan your path to compliance by determining what your specific needs are and what potential products can address them. 

  • First time PCI audit customers will:

    •  Engage with a Qualified Security Assessor (QSA) for an assessment

    • Confirm your merchant or service provider level with the card brands

  • If you are renewing, confirm any scope reducing solutions you are using do not expire before your next assessment


9 Months Before

  • First time PCI audit customers will:

    • Start the initial gap process with your QSA 

    • Review your 3rd party providers' attestation documentation and responsibility matrices

      • Check to see if they current and accurate

  • If you are renewing, confirm Approved Scanning Vendor (ASV) scans are happening on all appropriate targets and that issues are remediated

6 Months Before

  • Confirm that your policies/procedures are in place and updated

  • When renewing:

    • Engage with the QSA company that will be performing your assessment

      • Ask your QSA any questions, particularly concerning tricky preparation steps you encounter 

      • Go over the requirements you have 

      • Establish a specific date for you to submit your Report on Compliance (ROC) 

      • Set expectations for your timeline and schedule

      • Bring up any issues and discuss extensive changes with your auditor 

    • Review the scope of the penetration test with your QSA

  • Schedule your penetration test 

  • First-time customers will:

    • Begin ASV scans

3 Months Before

  • Obtain up-to-date network and card flow diagrams

  • Review evidence request list

  • Schedule your onsite visit

  • Determine what internal personnel need to be involved in the onsite visit for the assessment

    • Arrange for personnel to either attend or be available

1 Month Before

  • Finalize all travel arrangements for people involved in the onsite assessment 

Two Weeks Before

  • Verify all relevant parties are available for the onsite visit

  • Double-check that visitors cannot access sensitive areas

  • Ensure that managers/supervisors are informed of:

    • Date assessor will be onsite

    • What access assessor may need

    • Any documentation required

  • Obtain an agenda from your assessor

  • Share the agenda with all involved parties

Have an Upcoming PCI Audit Deadline?

Request a Quote Here


1-3 Weeks Onsite

The Onsite Assessment includes validation and documentation in order to produce a Report on Compliance (ROC). 

  • Project coordinator and audit lead will work together to identify onsite dates to complete PCI DSS assessment

    • Sampling may be needed 

  • Go over steps to compliance with your QSA 


30 Days After (Remediation)

During this phase, your QSA works with you to determine what remediation needs to be done to ensure compliance. 

  • QSA identifies compliance gaps and puts them in the audit portal

    • Merchant works with QSA to understand finding and what evidence will be needed to close the finding

  • Once remediation is finished, the merchant can upload the requested evidence to the audit portal for review 

30-45 Days After (Report Delivery)

You will receive a report on your audit describing the process and outcome. 

  • After all remediation work is finished, Audit Lead will release the completed SAQ D and AOC with the report 

∞ Ongoing

An essential step of PCI compliance is an ongoing effort to maintain your environment and avoid situations that cause a higher compliance burden. 

To ensure continued PCI compliance: 

  • Update security policies

    • Anytime you change the way you store, process or transmit cardholder data, update your policies to reflect the changes

    • Reach out to your QSA for assistance with your environment or changes 

  • Train your employees

    • Inform new and current staff members how to correctly handle card data

  • Update your SAQ if things change

    • Update and resubmit your SAQ if anything in your card processing environment changes

  • Run external vulnerability scans

    • Run scans at least quarterly

    • Run scans every time you make a network change 

  • Verify you understand where your credit card data is stored

    • Ensure all your credit card data is encrypted 

    • Identify unencrypted card data with card discovery tools

Have an Upcoming PCI Audit Deadline?

Request a Quote Here