Your PCI Audit Questions Answered: Pricing, Scoping & Complexity

Watch this to learn what goes into scoping and pricing your PCI assessment.

Are you struggling to navigate the complexities of PCI audits? You can gain key insights and get a practical roadmap to understanding the PCI audit process in this webinar.

Our seasoned experts with nearly 20 years of experience in PCI audits will address what goes into scoping and pricing your PCI assessment.

In this webinar, VP of Assessments Gary Glover and Director of Sales Lee Pierce will discuss:

  • What PCI audits entail, including complexities and potential simplifications
  • How your scope may impact your audit process and pricing
  • The recommended timeline for a PCI assessment
  • How to best engage with your Qualified Security Assessor (QSA)
  • Costs associated with PCI audits for different organization types
  • Best practices for a first time PCI audit

This webinar was given on May 28, 2025.

Transcript of Your PCI Audit Questions Answered: Pricing, Scoping & Complexity

Welcome and Introductions

Lee: Welcome to this webinar. Today, we are going to be talking about PCI audits: the complexities, the simple aspects (if they exist), a little bit about pricing, and answer some questions people typically ask about the audit process, timelines, etcetera.

Gary: Scoping.

Lee: Scoping, everything. By way of introduction, I'm Lee Pierce. I've been with enterprise sales at SecurityMetrics for about twenty years and have really enjoyed working with this company. Always have. Gary, can you introduce yourself?

Gary: I'm Gary Glover, VP of our assessment team here at SecurityMetrics. I've also been here twenty years. We're excited to impart some of our knowledge gained over that time on scoping and how it works for people, so you can understand what you might be getting into when you start a PCI audit.

SecurityMetrics' History with PCI

Lee: SecurityMetrics has been in business just over twenty-five years. SecurityMetrics has been a pioneer in the PCI realm since before PCI existed. I was going to ask you, Gary, could you describe our relationship with the card brands prior to PCI's formation?

Gary: Early on, our CEO noticed ecommerce banking was coming up and heard rumors about card security. He started building a relationship with Visa and Mastercard very early on. We've had long, good relationships with them. Since we started at the ground floor of this process, hopefully, we can let you know a little bit of what we've learned.

Webinar Intent and What to Expect

Lee: Regarding the intent of the webinar, we want to help people understand how a PCI audit would look in their environment. Particularly, we're going to talk about first-time entities – people perhaps doing self-assessments for years, and now it's time for them to step it up. We'll describe why that stepping up might need to occur, what that would look like, give an idea about the pricing they'd be looking at, provide a general roadmap of what they could expect, and discuss some of the challenges they might face. We'll be talking about complexity, the time it takes to achieve PCI certification using a Qualified Security Assessor (QSA), and the amount of preparation you could expect to work on prior to the full formal audit. That's what we're going to cover today. We will send out a recording of this webinar afterwards. Please send your questions, and we'll be happy to attend to them.

Gary: If we don't get to all of them, I'm sure somebody will get back to you afterwards. We're going to try to handle these questions as they come.

Understanding PCI Audit Scoping and the QSA Role

Lee: Quick question for you then, Gary. Gary is my boots-on-the-ground guy for audits and assessments. My approach is scoping through a sales perspective, but Gary's approach is managing and performing audits.

Gary: So today, you have the perspective of both sides. When you start with a PCI audit, you will likely engage with a salesperson first. They may then come to an auditor to ask for more help and detail. This is essentially the team we work with here at SecurityMetrics: a salesperson starts discussions with the company, and then if they need further detail, it's more complex, or they have questions, they work with us to help. Over the past twenty years, we've developed a good set of qualifying questions that our salespeople can ask early in the process.

Who Needs PCI Audits?

Gary: But backing up, who typically needs these audits? There are a couple of different cases. If you are a merchant, let's say, and your bank says you need to be PCI compliant – perhaps you're a newly classified Level 1 or high-level merchant, somebody has acquired you, or there's been an event that gets your bank's attention – they may say you need to do an assessment. Or, if you're a large service provider working with merchants or even other service providers, your customers may ask you to prove you're PCI compliant. Based on the business you do or your place in the payment pathway, it determines whether you need a full report by somebody like me, if you can do a self-assessment (SAQ), or if you need an assisted self-assessment. All those scenarios are possible. We're mainly focusing on people who need a full Report on Compliance (ROC). Your bank will let you know, or you can decide you need one if you're a service provider.

Merchant Levels and Self-Assessment

Lee: Let's talk about the bank quickly. When the bank notifies a merchant that they're hitting the one-million-transaction mark – maybe we should back up briefly and talk about what classifies the merchant levels. You can self-assess if you are doing fewer than a million transactions a year.

Gary: Actually, fewer than six million. A Level 1 merchant is six million transactions and above. Between one million and six million is a Level 2 merchant. You can even self-assess there if you have qualified internal resources. Mmm-hmm. You can also work with a QSA like us. Anything below a million transactions typically uses a Self-Assessment Questionnaire (SAQ).

Lee: So that Level 2 merchant, when they're identified as hitting a million or more collective card transactions – is it per card brand? I think it's per card brand: one million Visa transactions or one million Mastercard.

Gary: And then they're reciprocal: if you hit one million Visa, then Mastercard also counts you as a Level 1 merchant.

Lee: Correct. So when the bank identifies a Level 2 merchant, you're on their radar more. Often, we see the bank encourage the Level 2 merchant to get an assisted SAQ, where a QSA goes through their self-assessment with them. But the QSA actually signs the Attestation of Compliance (AOC).

Gary: Yeah. One of the signatures. Both companies are signing.

Lee: Exactly. There's a spot on there for that. People often ask, "Can you sign my attestation here for the QSA?" I have to say, "You're self-assessing, so sorry." But if a QSA has done the audit…

Gary: If you can define the work they've done, and we provide our attestation that we have worked with the company.

Lee: Yes. So when the bank gives notification, they don't tell you, "You have to do this and get this signed immediately." They usually give you about a year?

Gary: It depends on how big the Level 1 merchant is and how important they are to the bank. If there have been compromises or any unusual activity in the past, it may affect the time period. Typically, it's a year or slightly more. They'll tell you, "You have this much time," and then they will consider fines. They're not necessarily going to say, "We will be giving you a fine." It depends on the merchant bank or the merchant license-holding entity. Sometimes they're not banks nowadays; they're called acquirers or PayFacs – all these different things.

PCI Audit Timelines and Executive Buy-in

Lee: Once this has been determined and that's the roadmap they have to take, are they going to get this done in a month?

Gary: This is a process. If you're listening and know what a PCI audit is, you probably understand it's not just a checkbox. It's not, "Hey, I'll have my IT guys sit down in a room, check this off, and we're done." This is typically a long process, especially for a large Level 1 merchant with many stores. We'll talk about different characteristics of merchants and service providers in a minute, but it's not something you can get done quickly. There's a lot of documentation and testing we have to do. To do that testing, the right setup and configurations need to be in place, and maybe some de-scoping of the environment is needed. If you have many things in scope, you'll want to get some out. We'll talk about that more too.

Expect this process to take anywhere from six months to a year to eighteen months, depending on how far along in the process you've been, if you've been audited before, if you started thinking about it, if you've been doing an SAQ. If you're brand new to PCI, never even thought about it, it's going to be a pretty significant effort. It's not something quick.

Lee: Exactly. So if you keep that in mind, and if you are the IT person in your company, you'll want to get the executives on board with this timeframe and talk to them about staffing needs, for example.

Gary: Frankly, having executive support is crucial. We've been in situations where compliance was driven from the bottom up instead of the top down. Sometimes the IT staff just say, "Fail us so we can get attention at the executive level." It really needs to be driven from the top down, with executives saying, "Look, we support you. Let's get this done." Typically, it is. Very seldom do we encounter situations like that.

Lee: Particularly in this climate where small businesses are frequently breached. That's in the spotlight, which makes larger businesses feel like they're an even bigger target. It seems to be a uniform concern nowadays.

Merchant Audit Profiles and Complexity

Lee: Let's talk about a few profiles you've seen through the years, Gary, regarding audit types and complexities.

Gary: We'll go through them generically, starting with merchants. As mentioned, Level 1 merchants (six million transactions or more per year) are typically asked to do this. There are several types of Level 1 merchants. A common one is a Level 1 merchant with hardware and stores – a set of brick-and-mortar locations. They have Point-of-Sale (POS) systems that take card dips, swipes, or taps. There are various systems and characteristics involved. A large Level 1 merchant with thousands of stores is quite different from one who has franchised out everything and only has a hundred corporate stores. All sorts of factors affect the scope.

Let's discuss a Level 1 merchant with a significant number of stores. As a team, we start asking, "Okay, tell me about your stores. Is there just one configuration? Is there just one POS system used throughout every store?" Often, the answer, especially in the past (it's improving now), is, "Well, no. We have five different POS systems because we acquired them over time and didn't want to replace them." Or, "We bought out someone's store, and they had this POS system, and we didn't want to spend money replacing it." If you have a hundred stores with five different POS systems, the concept of sampling comes in. We need to see a significant sample – not necessarily in numbers, but significant for audit confidence. Can we trust the setup? With five different POS systems and a hundred stores, maybe we need to see five or ten stores of each type. That's the worst-case scenario for a Level 1 merchant. It doesn't mean we have to visit every single store; we need a representative sample showing how things are implemented across those types. This scenario is the most expensive because it takes more time for us to figure out and test all those systems. The cost is directly correlated to the amount of work we do during the assessment.

Now, let's consider a similar Level 1 merchant with a thousand stores that has rolled out a single POS system everywhere. It's highly repeatable. You know exactly what's happening. They have excellent processes, procedures, and documentation, with ways to make it identical in every store (which doesn't always happen, especially in hotel chains where things differ). If that's the situation, we think, "Great. Now we need to sample less." It's simpler; we don't need to visit as many places. We must verify that what you claim is true – that they are the same everywhere – so we choose the locations. But there will be fewer of them, resulting in scope reduction. A major simplification large merchants can implement is rolling out one single POS system instead of multiple layers. The next level up is a single, validated Point-to-Point Encryption (P2PE) solution,

Lee: Which changes everything.

Gary: Then it's really simple. There's much less in scope because the card data environment (CDE) shrinks to just the POS device itself. You're not talking about transmitting data to a back-end server in the store, moving it to a central server, and then sending it to the bank. Classic POS systems can involve complex infrastructure.

P2PE and Validated Solutions

Lee: One thing with P2PE I've seen over the years: people believe they're buying a certified, validated P2PE solution, but find out after spending significant money that it hasn't actually been validated by the PCI Council. It might function that way, but nobody knows officially. So that's a word of caution.

Gary: That is difficult; we call those "P2PE-ish" systems. Sometimes banks might say, "This is our system, this is what we want to roll out, we're taking the risk, and we'll allow you to use the P2PE scope." For example, looking at a P2PE SAQ, a merchant could potentially do a ROC with that greatly reduced scope.

Lee: Make sure you have that conversation.

Gary: Sometimes, unfortunately, you can't rely solely on the salesperson.

Lee: These sales guys…

Gary: You have to look it up; there's a list of validated solutions on the PCI Council's website. You can perform validation to ensure what they're saying is true. If you can't get the scope reduction, it doesn't help; you're still doing the same amount of work. That covers the scope-decreasing levels for a Level 1 merchant with hardware stores.

Ecommerce and Network Segmentation

Gary: Now, let's talk about a Level 1 merchant that's just an ecommerce presence – a large website selling items, and that's their only business. They have an ecommerce presence, and those systems are in scope. In the past, we've seen companies create systems like that and put the web servers on the same network segment as their email servers or office workstations. The practice of ensuring your PCI card-handling network is as small as possible and segmented using network controls really helps reduce assessment costs.

Lee: Oddly enough, I was doing a scoping exercise with a potential client a few weeks ago. We identified seventeen VLANs in their private network, but when I tried to map out penetration testing, he said, "You're basically going to see everything from everywhere."

Gary: So, it's a flat network, and it doesn't really matter.

Lee: Yeah.

Gary: Yes, that's exactly right. Years ago (it's less common now), even a large Level 1 merchant, like an auto parts store, might have had their mainframes, all stores, back-end servers, and office network all on the same essential network. In that case, the entire company is in scope: hundreds of servers, workstations, email – everything. It becomes almost intractable. We were able to convince them to implement network controls and get large areas out of scope for the second year. That's the process of scoping – helping people understand: "Okay, let's see how many servers you have. Tell me what's involved in your card processing. Tell me the data flows." When we discussed Level 1 merchants with POS systems, each different POS system constitutes a separate card flow. If you have multiple flows, even in ecommerce – maybe you've contracted with three different ecommerce companies for various parts of your website, multiple product lines, or multiple websites – each is a separate card flow. Reducing card flows and standardizing hardware to the fewest types possible is key for de-scoping and simplifying an assessment. You're trying to simplify the entire environment.

We've discussed Level 1 merchants with hardware and ecommerce. They might also have call centers for customer support. A Level 1 merchant could have all three: a web presence, hardware stores, and a call center. So, figuring out everywhere card data flows is what occupies sales and QSA minds initially: "Tell me where everything runs. Where do pathways go? Where does card data land? Who sees it? Who doesn't? Have you outsourced processing to a third party on your website?" Okay, let's understand how you're doing that. Is it an iframe? A button redirect? All these details help us, and we try to clarify as much as possible before the assessment.

Lee: Not to mention the inheritance issue of relying on another party's validation.

Gary: Correct. Now, let's say a Level 1 merchant has undergone fifteen audits and is just changing audit companies. They likely know their scope well; they've been doing it a long time. It's fairly easy for us to provide a quote based on past work. Those factors simplify things. That covers Level 1 merchants.

PCI Audit Pricing for Merchants

Lee: And we were going to talk about pricing. If you're a very complex Level 1 merchant, you could easily be looking at north of $50,000 or into six figures, depending on complexity.

Gary: And you might need multiple auditors due to numerous locations.

Lee: Right, we see that. We want to assure you, if you're considering a first-time audit, that SecurityMetrics really makes a difference compared to many competitors. You'll find a personal touch here, helping you identify changes aligned with your business needs, simplifying things to reduce your risk footprint and future audit budgets.

Gary: Our salespeople, like Lee, don't just say, "Okay, it starts at $50,000. Here's your price, pay us." Then later, we find out, "Oh, that $50,000 didn't include this, or this, or you didn't tell us about that, so we need to increase the price." We didn't do our upfront work sufficiently in that scenario. We strive to do the discovery work upfront. I believe many QSAs operate similarly.

Lee: Yes.

Gary: But that's a question you can ask when searching for an auditor. And get references from existing customers. Ask them, "Regarding the price, what happens if they find more scope? What occurs?" We encounter unexpected things too. We've often been on-site at a Level 1 merchant, walked past a room full of people on phones, and asked, "What's that?" "Oh, that's our call center." "You never mentioned a call center; we need to look at that." "Oh, we didn't think that was in scope. Those agents are just talking to people and taking credit card numbers." It was an oversight on their part, which happens.

The Gap Analysis Phase

Lee: And we then ask questions from various angles to ensure we uncover everything.

Gary: Even after getting a quote from SecurityMetrics or any QSA, you typically enter a gap analysis phase for deeper diving: "Okay, here's what we think you're doing. Let's confirm it. Let's look at network diagrams, ask IT staff questions, and get into the details." We'll ask, "Are these all the places card data exists?" And they might say, "Well, if you're looking for everything, I guess we could..." There's that aspect.

So, that price range is about right. It can be expensive and take a long time if you're a Level 1 merchant; that's what you should expect unless you can simplify down to P2PE or fully outsource website processing. Those are trends we're observing.

Universities and Complex Organizations

Lee: I wanted to mention universities are a significant part of our work, and there's definite complexity there. That's another area where I believe we have a specialty.

Gary: Yes. Many QSAs work with universities, but we have a specialized team handling large, conglomerate-type organizations. A university might have 90 or 200 merchant IDs. They're all taking credit cards differently: the bookstore, sports arena...

Lee: The hospital.

Gary: Hospitals, theatre productions...

Lee: Seasonal events.

Gary: Seasonal things, like taking a POS system out for concessions. It's a complex setup, and a bank will say, "We don't want 200 SAQs; we want one assessment representing the entire organization."

Lee: And in the past, we've grouped them with bank approval. So, we might have one SAQ addressing specific merchants (A, B, C) and another type for more complex areas like the health center or library. That really helps save money when consolidated.

Gary: Exactly. We also do things to help large organizations, like conducting webinar training for fifty people who follow the same process. Then we'll talk to the next group of twenty doing a different process. There are many ways to simplify large projects. We try to work with you to find those methods because it makes it easier for us too.

Lee: Yes, that's right; it benefits everyone. The next area would be branching over to service providers.

Assisted SAQs

Gary: Okay, one quick thing before that. You mentioned earlier that sometimes a Level 2 merchant might be asked to do an SAQ-D. Mmm-hmm. And it's assisted, perhaps the bank says, "You can do that if you get a QSA involved." We've had organizations approach us for that.

Regarding that assisted SAQ, it involves roughly the same work as the front part of a full audit. There's just less documentation at the end because, as a merchant, you can fill out the SAQ form. We can help, but it's mainly checkboxes, not extensive writing. That makes the back-end reporting phase shorter and easier, but the front-end work – scoping, minimizing scope, segmentation, consolidating business lines – remains the same. We've done many of those and can work with clients on that model; it depends on what your acquiring bank requires.

Lee: And you definitely want written confirmation of what they'll allow, so there's no question later.

Gary: But that would likely be $50k or less.

Lee: Absolutely, if it's that type. Imagine if they had certified P2PE; there might be fewer than twenty requirements.

Gary: It can be quite easy. Again, people might think, "You mean I have to replace all my POS systems; that will cost a lot." Yes, potentially. You have to balance that cost against the ongoing work for security, secure IT staff, and this annual audit process. It's not as if once you complete the audit, the next year takes only an hour. It takes roughly the same amount of time because we must repeat the testing. We can't just say, "You did well last year. Has anything changed? No? Great. Okay, check." Stamp,

Lee: Stamp.

Gary: We don't do that; that's not what the Council expects.

Lee: The benefit is you can expect fewer surprises and slightly less upfront time in subsequent years.

Gary: Yes.

Service Providers

Gary: Okay, service providers.

Lee: Yes.

Gary: We've discussed Level 1 merchants. There are also Level 1 and Level 2 service providers. The cutoff is 300,000 transactions. If you're a Level 2 service provider, you process fewer than 300,000 transactions annually. More than 300,000 makes you Level 1. You might think, "Wow, that's much less than one million or six million for merchants." It is.

That's because a service provider sits right in the middle of the payment process, potentially for many merchants. So, they're held to a higher standard of security expectations. Even as a smaller company, you still have to perform Level 1 merchant-type reporting. There's no difference between a Level 1 merchant ROC audit and a Level 1 service provider ROC audit, except perhaps one or two service provider-specific requirements. Essentially, it's the same PCI DSS ROC.

Lee: Question for you: Why should a service provider be motivated, or even eager, to get a QSA ROC? Why would they want to do that?

Gary: Good question. The biggest reason is their customers might require proof of compliance. They'll say, "Show us your AOC proving you're compliant because we're a merchant, and one of our requirements is to only contract with PCI-compliant service providers." That's the primary driver. Another reason might be, "We're a small service provider, but we'd like to be listed on the Visa and Mastercard lists." So, they might choose to do a full ROC even with fewer than 300,000 transactions. Then there are always those who proactively think, "We know we need to be secure; somebody mentioned PCI. Let's just do it," instead of being mandated. Small merchants are supposed to ask their service providers for an AOC.

Lee: Correct. And PCI DSS v4.0 emphasizes that more.

Gary: With more process around tracking third-party compliance. Level 1 service providers can be payment gateways. They might not have a fancy ecommerce site, just an API people send data to, which they route to various banks. It's like middleware, but handling many credit card numbers. That's a gateway. There are also ecommerce service providers. Say a small merchant wants a web presence but lacks the skills. A service provider might say, "Don't worry, we've got you. We can support your web needs and route transactions." They become an ecommerce platform for multiple merchants; there are many like that.

Those are examples. These service providers might also have call centers for support. They might have a website where people look up transactions, possibly with access to full credit card numbers for chargebacks. These are all factors we examine. Again, the same questions apply: What are your card flows? Where does card data come from (sources)? Where does it go? What does it look like?

Lee: And how do you ensure isolation between your various customers?

Gary: Yes, isolating customers, preventing pivoting – all that. Then there are major considerations that can reduce scope. Worst case: "I have all these servers in a rack in my building." Then we need to consider that building, the servers handling the service (gateway, ecommerce hosting, etc.), physical security in your office, network segmentation from other office zones. Maybe you have ten offices nationwide and four distributed data centers. More hardware, higher complexity, more locations increase scope. We always ask: How many locations do you have? Are there employees at those locations handling card data? What does the network connection between offices look like? If one office handles card data and another doesn't, but they share the same network segment, both offices are in scope. So, again, we discuss segmentation.

Lee: And the element of business necessity versus convenience. Those are hard conversations needed.

Gary: Often, people say, "We really need to store the credit card data." Our question is, "Why? What do you do with it?" "Well, we keep it in this file in case we ever need it." "Have you ever used it?" "Well, no, but what if we do?" You can tell accountants might be driving that – wanting to keep everything. We explain, "If you choose to store card data, you must do A, B, C, D, E, F. That will incur X, Y, Z costs..." They often return the next day saying, "We don't really need to store that anymore." Those are the discussions that help people de-scope. And suddenly not storing card data changes network requirements, etcetera.

Outsourcing and Cloud Environments for Service Providers

Lee: Yes. So, these service providers assisting merchants allow the merchant to outsource significantly. That's why service providers are such targets. I know in healthcare, most breaches originate from third-party service providers.

Gary: Exactly, there's a big focus there. The trend, moving away from extensive hardware, is towards the cloud. There are different cloud environment types. One is, "I put my stuff in the cloud, but I still manage all the servers – create instances, images, act as sysadmin." Okay, that's fine, but it's roughly the same amount of work for us because, although virtual, the servers are your responsibility. The next level involves using services like Amazon Fargate or a specific PCI-compliant service from AWS/Azure/GCP for storage, encryption, etc. Then you can say, "Oh, good." We can reference their AOC in your ROC, making it easier. Simplifying trends for service providers include: "Hey, we don't even have servers; we just use Lambda functions hosted in Google Cloud, Amazon, or Azure." Those cloud providers state, "We'll handle system updates, patching...firewall security," etc. They take some responsibility off you; you get their responsibility matrix. We use that to simplify the work you do and scope your audit smaller.

Lee: If a merchant can understand the responsibility matrix – which might be a spreadsheet with columns identifying ownership – then the merchant...

Gary: And the service provider both. Or service providers using other service providers.

Lee: It clarifies responsibility sharing and its benefits. Consequently, you gain informed knowledge about costs and their justification.

Service Provider Pricing

Gary: Typical service provider costs depend, again, on location count, amount of hardware requiring review, whether it's all cloud-based, and reliance on others' PCI compliance. If you depend on others' compliance, we don't have to audit Amazon or Azure. We reference their ROC, simplifying things for you. Typical small or medium-sized service provider assessments range from $30,000 to $50,000, depending on the time required to assess all systems. Sometimes clients say, "Everything is remote; we're all cloud-based. No travel needed." Travel costs decrease, but frankly, we've learned since COVID that remote audits often take slightly longer because clients might prefer working only two hours a day on the audit, spreading our time over a week, which disrupts schedules. So, regarding on-site versus remote, there isn't necessarily a major cost difference besides travel.

Lee: Maybe just travel expenses.

Gary: Don't assume, "We don't have an office, so the audit will be super cheap." It depends. How many card flows? How many systems to review? How many people to interview? Years ago, I audited a service provider who was one guy in an air-conditioned shipping container. He had one system; it was quite simple. It depends on the internal environment's complexity, systems in scope, and whether you can modify your network to remove things from scope. That's what we always encourage.

Lee: Yes. One point for Level 2 service providers: You receive vendor security questionnaires. If you have a ROC – choosing to undergo a QSA assessment like a Level 1 provider even below 300k transactions – it helps significantly shortcut those questionnaires going forward.

Gary: Especially if the network questioned is the same as your PCI network; you've already answered those questions.

Lee: Yes, they're covered. That's great.

Related PCI Audit Tasks and Resources

Lee: I wanted to ask about other related tasks when needing an audit – work involved like penetration testing, vulnerability scanning, file integrity monitoring (FIM), securing the ecommerce environment (especially with new PCI DSS v4.0 requirements). Other elements that bolt onto the PCI audit. PCI DSS requirements necessitate more than just the audit; you need scanning – internal and external. And you always advise customers on that.

Gary: Right. As a QSA company, we can't mandate using a specific tool.

Lee: Yes.

Gary: But often, QSAs, especially SecurityMetrics, can say, "We have a solution for you." That helps if you choose a QSA that's also an Approved Scanning Vendor (ASV), like us. You don't need to engage a third party and correlate results with your auditor. We see it all. Yes, it's a one-stop shop. You can get ASV scans. We also offer penetration testing services,

Lee: Completely independent.

Gary: You don't have to use them, but they're available. But there are things you must do. You'll need logging software. You'll need FIM software. Some QSAs offer recommendations. We can refer you, but we don't write FIM software ourselves. Some services we provide include ASV scanning, penetration testing, and for new ecommerce requirements, script analysis tools like Shopping Cart Monitor to handle that requirement. That simplifies your effort by not needing multiple vendors. You can source it from one supplier. Those are factors when selecting a QSA – what can be easily bundled?

Lee: Some feel daunted by creating acceptable policies and procedures. We offer options, including robust, mature policy/procedure templates. We can add that to your audit. If you're isolated without resources to write or adapt policies, we have solutions where we facilitate getting them developed and written for you. Another option is technology advisement or implementation via third-party outsourced partners with whom we have strong relationships. If you need help bridging gaps due to staffing shortages...

Gary: The assessor cannot implement things for you. We can't configure your firewall rules or architect your AWS environment. We provide ideas but can't perform the work; otherwise, we lose independence. We provide information. These options aim to make it easier for you.

Lee: Yes. One action you can take is visiting our website, clicking into the audit area, filling out a brief questionnaire, and starting a conversation with our enterprise sales staff. This helps us understand your situation and provide guidance on pricing. These are helpful resources. Also, know, you can contact us with questions; we don't need a contract to offer help. We value being a resource and building long-term relationships.

The PCI Audit Process and Benefits

Gary: We wish we could give you the exact cost right now. But hopefully, after today, you understand the many variables involved. Pretty much any QSA will offer a ballpark estimate in this type of discussion. We've provided ranges. It will take more than a month. So, dig in and prepare. Our hope is to work together as a team and make this as simple as possible. We can't say it requires no thought: "Those guys will just handle it, check everything, I don't even need to talk to them." No, that's not how it works. We're thorough and aim to do what's right. But we're here to help, not make your life harder. Frankly, the PCI Council isn't here to make life harder either. The requirements are backed by evidence; it's work that needs doing. Don't feel bad about it. People feel good when they achieve compliance, especially the first time. After the first audit, people think, "Yeah, I did it! Next year, I know what to expect."

Lee: Yes. The PCI standard, particularly, people find refreshing because it's prescriptive. Some other standards discuss general security ideas, open to interpretation. PCI requirements are more measured; you know what's required without wondering about interpretation.

Gary: Exactly. You mentioned documentation earlier; people might not think it's difficult. But our twenty years' experience shows documentation – writing technical policies, procedures – is often one of the longest lead items. Using templates from SecurityMetrics or others is beneficial if you don't already have them (like banks or large organizations). Starting with something is much better than a blank page.

Lee: That reminds me: if you're new to PCI but have done SOC 2, NIST, or ISO, it all helps. It lends itself to reducing difficulties in achieving PCI compliance.

Gary: Everyone wishes for one audit to rule them all.

Lee: That would be great.

Gary: Unfortunately, until there's one global government and security network, it's tough because all these organizations have slightly different versions of requirements. A SOC audit requires different sampling and systems. I wish we could say PCI compliance equals global compliance, or NIST compliance equals global compliance, but we can't. We try our best to correlate data and gather information from other sources if you have them.

Q&A: Interacting with Your QSA

Lee: I see some questions have come in; we've addressed many already. Here's an interesting one: "How often should I contact my QSA leading up to the audit? What interactions can I expect before the formal audit?"

Gary: Okay. Let me quickly outline the phases. There are three main assessment phases: pre-validation (or pre-on-site), the actual validation where we test everything, and report writing. The pre-validation phase can be long or short, depending on your preparation and speed. Our goal is to communicate as much as needed during this pre-audit phase. So, "before your audit" depends on the phase. Before even starting, you'll likely talk to salespeople and answer initial questions. Once you engage and begin the process, we want regular communication. Typically, clients engage at least monthly, sometimes twice or even weekly. Many opt for a weekly call to review progress. We use tools to facilitate communication, but you should feel comfortable reaching out to your QSA with questions anytime. If your QSA is on another assessment, you can contact a project manager or coordinator. They can acknowledge your question. For emergencies, we can try involving another QSA, though detailed questions are hard without environmental knowledge. Our goal is open communication. We'd rather talk extensively before the validation phase. More pre-validation communication means less needed afterwards. We don't want to perform the validation and find numerous issues requiring remediation. Our goal is minimizing back-end remediation.

Lee: Basically, it's almost like rehearsing the audit before the formal validation.

Gary: Yes. Our goal is ensuring you know what to expect during validation.

Q&A: QSA-Assisted SAQ for Level 4 Merchants and Virtual vs. Physical Environments

Lee: Okay. Another question: "Do I have to be a Level 2 merchant to involve a QSA?" I've seen instances where a Level 4 merchant with complexity worries their SAQ isn't sufficient. They might do a QSA-assisted SAQ for one year, even if not required, then feel more confident self-assessing later, assuming no significant changes.

Gary: That's exactly right. We often work with small organizations that are part of a franchise. The franchisor might say, "Work with these guys; they'll help you." You can always talk to a QSA. We sometimes have consulting-only agreements. We might help short-term or for a full year. Some small entities come to us annually for an assisted SAQ because the resulting AOC clearly shows QSA involvement, reducing subsequent questions.

Lee: Fewer questions for them.

Gary: Yes.

Lee: Regarding franchises, often the franchisor provides a pre-packaged, certified solution. Using the corporate solution might not be as complex as franchisees fear, provided it's implemented correctly.

Another question: "What's more difficult to scope: virtual or physical environments?"

Gary: Complex virtual environments, especially with infrastructure-as-code – meaning no traditional servers, just recipes sent to a service creating OS, functions, etc. – can be trickier. We have to determine how requirements apply. We don't just say, "Wow, no server? Where's your antivirus?" You can't run antivirus on a Lambda function directly. We find alternative ways to meet the control's intent, likely higher upstream. Those situations can be tricky. But QSAs are trained for this. If you have a complex or cutting-edge cloud environment, look for a QSA with experience or who knows how to evaluate it. For me, starting as a mechanical engineer, hardware networks seem straightforward – you see the components. Virtual networks aren't fundamentally different; you just adjust your thinking slightly.

Lee: It's not rocket science.

Gary: It's not rocket science.

Q&A: Nonprofits and Outsourcing Considerations

Lee: Yes, I wanted to mention you can visit our website and obtain a fantastic PCI guide book. At trade shows, it's quite thick; people love them. We have a virtual PDF version too.

Visit our site, chat with us, and we'll provide the guide.

It's very helpful.

Gary: All the auditors contribute sections. The people doing the work write it, not a technical writer.

Lee: Yes, it's excellent. It's like giving away trade secrets. Right there in the book.

Gary: If you've never done a PCI audit, download it.

Lee: Here's another question: "Are nonprofits required to have a PCI audit if they receive payments/donations via a payment system?"

Gary: Everyone taking payments is required by the card brands to be PCI compliant. I don't think nonprofit versus for-profit status matters.

Lee: Yes. If card data is involved in your system – whether you're a third party acting for merchants or a merchant yourself – to the extent card data touches an environment, that environment falls under PCI requirements.

Gary: Another common confusion: people think, "I have a website using someone else's iframe, so I don't need to worry about PCI." No, that's not correct. If you were sold that idea, it's wrong. You still have responsibilities.

We're seeing many compromises on ecommerce sites using third-party iframes where data is skimmed. The issue often lies with the merchant's site, not the service provider's. Don't assume outsourcing via iframe absolves you. You still have responsibility, perhaps less, but still some. The minimal responsibility an ecommerce merchant can have is fully outsourcing everything: "I have no systems; a company handles everything; I only change colors," etc. That simplifies compliance. But you still must verify the provider is compliant. You never reach zero responsibility.

Lee: That's right. You need solid validation for any assisting third party.

Conclusion

Lee: We thank you for joining the webinar. If we didn't answer your questions, please contact us for a personal response. Check out our website; we have extensive content on our blog and YouTube channel. Please explore, ask questions, call – don't be shy, and don't worry. We have a supportive approach; you won't feel pressured into a large sale. Thank you.
