Learning Center Home > Infographic > PCI Audit Timeline

PCI Audit Timeline

Infographic

PCI Audit Timeline

How To Prepare For And Manage a PCI Audit

This post contains part of the text from the SecurityMetrics PCI Audit Timeline Checklist

To view the full interactive checklist, download the PDF below:

Interactive PCI Audit Timeline Checklist

Download PDF Here

PRE-ASSESSMENT

One Year Before

Before you sign a contract, you will want to plan your path to compliance by determining what your specific needs are and what potential products can address them. 

  • First time PCI audit customers will:

    •  Engage with a Qualified Security Assessor (QSA) for an assessment

    • Confirm your merchant or service provider level with the card brands

  • If you are renewing, confirm any scope reducing solutions you are using do not expire before your next assessment

 

9 Months Before

  • First time PCI audit customers will:

    • Start the initial gap process with your QSA 

    • Review your 3rd party providers' attestation documentation and responsibility matrices

      • Check to see if they current and accurate

  • If you are renewing, confirm Approved Scanning Vendor (ASV) scans are happening on all appropriate targets and that issues are remediated


6 Months Before

  • Confirm that your policies/procedures are in place and updated

  • When renewing:

    • Engage with the QSA company that will be performing your assessment

      • Ask your QSA any questions, particularly concerning tricky preparation steps you encounter 

      • Go over the requirements you have 

      • Establish a specific date for you to submit your Report on Compliance (ROC) 

      • Set expectations for your timeline and schedule

      • Bring up any issues and discuss extensive changes with your auditor 

    • Review the scope of the penetration test with your QSA

  • Schedule your penetration test 

  • First-time customers will:

    • Begin ASV scans


3 Months Before

  • Obtain up-to-date network and card flow diagrams

  • Review evidence request list

  • Schedule your onsite visit

  • Determine what internal personnel need to be involved in the onsite visit for the assessment

    • Arrange for personnel to either attend or be available


1 Month Before

  • Finalize all travel arrangements for people involved in the onsite assessment 


Two Weeks Before

  • Verify all relevant parties are available for the onsite visit

  • Double-check that visitors cannot access sensitive areas

  • Ensure that managers/supervisors are informed of:

    • Date assessor will be onsite

    • What access assessor may need

    • Any documentation required

  • Obtain an agenda from your assessor

  • Share the agenda with all involved parties

Have an Upcoming PCI Audit Deadline?

Request a Quote Here

ONSITE ASSESSMENT

1-3 Weeks Onsite

The Onsite Assessment includes validation and documentation in order to produce a Report on Compliance (ROC). 

  • Project coordinator and audit lead will work together to identify onsite dates to complete PCI DSS assessment

    • Sampling may be needed 

  • Go over steps to compliance with your QSA 


POST ASSESSMENT

30 Days After (Remediation)

During this phase, your QSA works with you to determine what remediation needs to be done to ensure compliance. 

  • QSA identifies compliance gaps and puts them in the audit portal

    • Merchant works with QSA to understand finding and what evidence will be needed to close the finding

  • Once remediation is finished, the merchant can upload the requested evidence to the audit portal for review 


30-45 Days After (Report Delivery)

You will receive a report on your audit describing the process and outcome. 

  • After all remediation work is finished, Audit Lead will release the completed SAQ D and AOC with the report 


∞ Ongoing

An essential step of PCI compliance is an ongoing effort to maintain your environment and avoid situations that cause a higher compliance burden. 

To ensure continued PCI compliance: 

  • Update security policies

    • Anytime you change the way you store, process or transmit cardholder data, update your policies to reflect the changes

    • Reach out to your QSA for assistance with your environment or changes 

  • Train your employees

    • Inform new and current staff members how to correctly handle card data

  • Update your SAQ if things change

    • Update and resubmit your SAQ if anything in your card processing environment changes

  • Run external vulnerability scans

    • Run scans at least quarterly

    • Run scans every time you make a network change 

  • Verify you understand where your credit card data is stored

    • Ensure all your credit card data is encrypted 

    • Identify unencrypted card data with card discovery tools

Have an Upcoming PCI Audit Deadline?

Request a Quote Here