PCI DSS Compliance Audits

PCI Compliance Audits

Our technically adept, client-centric PCI assessors who are well-versed in multiple compliance frameworks can guide you through the PCI compliance journey in the most optimal fashion.

"*" indicates required fields

Request a PCI DSS
Compliance Audit

Name
*
This field is for validation purposes and should be left unchanged.

What is PCI DSS?

The global acceleration of cashless transactions makes payment systems an obvious target for criminals. Vulnerabilities may appear anywhere in the payment processing ecosystem. The PCI Data Security Standard (PCI DSS) is a security framework for developing a robust payment account data security process. The framework is developed and maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc. (participating payment brands). The PCI SSC is responsible for developing and managing the PCI DSS and its related qualification programs, while the participating payment brands maintain their separate compliance enforcement programs. The participating payment brands determine which entities need to validate compliance, validation levels, whether an entity is eligible to complete a self-assessment questionnaire (SAQ) or must complete a Report on Compliance (ROC), and exact fines or penalties for non-compliance. 

The PCI DSS provides a baseline of technical and operational requirements designed to protect account data and is intended for all entities that store, process, or transmit account data or could impact the security of the cardholder data environment (CDE). The account data consists of cardholder data and sensitive authentication data, defined as follows (source):

Account Data
Cardholder Data (CHD) Sensitive Authentication Data (SAD)
  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Service Code
  • Full track data (magnetic stripe or chip)
  • Card verification code (CVV or CVC)
  • PINs

The PCI DSS consists of 12 principal requirements (source):

Goals PCI DSS Requirements
Build and Maintain a Secure Network and Systems 1. Install and maintain network security controls
2. Apply secure configurations to all system components
Protect Account Data 3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program 5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures 7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regular Monitor and Test Networks 10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an Information Security Policy 12. Support information security with organizational policies and programs

What is a PCI DSS assessment?

There are two types of PCI DSS assessments: self-assessment questionnaire (SAQ) and report on compliance (ROC). The former can be completed by the entity on its own or with the assistance of a qualified security assessor (QSA) like Linford and Company, whereas the latter must be compiled by a QSA following an audit. Whether an entity is required to complete an SAQ or engage a QSA to perform a PCI audit and compile a ROC is at the discretion of the organizations that manage compliance programs, such as participating payment brands, acquirers, or other parties of interest. 

Whether an entity completes an SAQ or undergoes a QSA-validated assessment, an attestation of compliance (AOC) can be completed and signed by the entity that underwent the assessment and the QSA company (if involved) as a declaration of the results of a PCI DSS assessment.

An AOC is valid for one year from the date the AOC is signed.

What is the cost of a PCI DSS assessment?

The fees for a PCI DSS assessment are contingent upon the scope of the CDE and the complexity of the system components, people, and processes that could impact the security of the CDE. For a PCI audit resulting in a ROC, the fee can range from $30k to $200k. Fees for QSA-assisted SAQ assessments depend on the type of SAQ, and a QSA company may assess either a time-and-material or a fixed fee up to $40k. 

In addition to the aforementioned professional fees, entities should also take into account the costs associated with compliance, which includes, but not limited to:

  1. Implementation of an intrusion detection/prevention system (IDS/IPS)
  2. Implementation of a security information and event management system (SIEM)
  3. Quarterly internal vulnerability scans 
  4. Quarterly external vulnerability scans by an approved scanning vendor (ASV)
  5. Malware protection and detection
  6. Software security training for developers
  7. Static code scans
  8. Annual penetration testing
  9. Quarter rogue wireless access point scans 
  10. Implementation of a file integrity monitoring (FIM) tool to detect changes to critical files
  11. Security awareness training for new hires and annually thereafter
  12. Security policies development

Who needs a PCI DSS assessment?

The responsibility of mandating compliance with PCI DSS typically sits with the participating payment brands and acquirers. However, PCI DSS applies to any business that stores, transmits, or processes account data or could impact the security of the CDE. Two primary categories of businesses are often asked for attestation of PCI DSS compliance: merchants and service providers. 

A merchant is any business that accepts payment cards as payment for goods and/or services. A service provider is an entity directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity or providing a service that controls or could impact the security of cardholder data. A merchant may also function as a service provider if its services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. 

Note that participating payment brands and acquirers have different rules for merchants and service providers that are based on transaction volume, and are called merchant and service provider levels.

PCI DSS Assessment Process

How does a PCI DSS assessment begin?

The assessment process includes the following high-level steps (source):

  1. Scope: Identify the people, processes, and technologies that interact with or could affect the security of account data. This also includes system components that could influence the security of the CDE. 
  2. Assess: Review all in-scope system components to determine whether PCI DSS requirements have been met. The assessment activities may be performed remotely, in-person, or a combination of both. Prior to meetings, documentation including policies and procedures, data flow and network diagrams, and system inventories should be collected and reviewed in advance to ascertain that all evidence is ready and available to be assessed. Our QSA will set up secure storage repositories for evidence. 
  3. Remediate: Bridge any gaps identified during the assessment to get ready for re-test. 
  4. Report and Attest: Upon the completion of the assessment activities, our QSA will complete the report (SQA or ROC) and attestation (AOC). The reports will then be sent to the assessed entity for review, comments, feedback, and sign-off.
  5. Submit: The assessed entity is responsible for sending the completed and signed reports (SAQ/ROC and AOC), along with other requested supporting documentation such as ASV scan reports, to the requesting entity.

What are the deliverables?

Validation documents are the official mechanism by which entities demonstrate their PCI DSS compliance status to the requesting entity. Depending on participating payment brand compliance programs, entities may be required to undergo a detailed PCI DSS assessment and submit a ROC or may be eligible to conduct a self-assessment and submit a SAQ. An AOC, signed by the entity and the QSA (if involved), accompanies the validation document.

Report on Compliance (ROC): This is a detailed report for QSAs to document the results of a PCI DSS assessment. The ROC contains more detailed information than the SAQ, including sample selection, inventory of interviews and evidence, and how each requirement was assessed and validated. 

Self-Assessment Questionnaire (SAQ): There are various types of SAQs depending on whether an entity is a merchant or a service provider and how merchants interact with the payment systems. SAQs can be completed by the assessed entities with or without the assistance of a QSA. To determine whether you are eligible to complete an SAQ and which SAQ type is appropriate, contact the participating payment brands, your acquiring bank, or the requesting entity.

Attestations of Compliance (AOC): AOC is a declaration of the results of a PCI DSS assessment, completed and signed by the entity that underwent the assessment and the QSA Company (if involved). The AOC reflects the results of a PCI DSS assessment documented in an associated ROC or SAQ.

Experienced PCI Assessors

Our highly experienced assessors demystify the PCI compliance process and leverage their vast experience to deliver comprehensive and efficient assessments.

Our
Partners

rob
jaclyn
mark-larson
kevin-anderson
nicole
isaac-clarke
maggie
rhonda-willert
hilary-stavrakas
bmccarty
leadership-team
ray-dunham
mkovash
lois-colby
danielle
jenny-shen
richard-rieben
ben-burkett

Our
Partners

rob
jaclyn
mark-larson
kevin-anderson
nicole
isaac-clarke
maggie
rhonda-willert
hilary-stavrakas
bmccarty
leadership-team
ray-dunham
mkovash
lois-colby
danielle
jenny-shen
richard-rieben
ben-burkett

Why Choose Linford & Company LLP?

Extensive Experience

Each of our professionals has at least 8 years of experience leading successful assessments of various compliance frameworks and holds industry certifications including QSA, CPA, CISA, CISSP, and ISO 27001 Lead Auditor.

Top-notch Service

PCI DSS compliance is a rigorous and challenging process, demanding a deep knowledge of technology and the framework. At LInford & Company, we provide an experienced and responsive team to help you navigate the daunting process.

Multi-framework Compliance

If your organization is subject to compliance with multiple security frameworks, Linford & Company can help you achieve cost savings and efficiency by integrating multiple audits into one.

Ready for a PCI DSS Assessment?

Fill out the form, and we’ll put you in touch with one of our experienced QSAs for a free consultation. Your contact information stays with us and is only used to talk with you about your PCI DSS assessment—we do not sell or share your contact information with anyone.

"*" indicates required fields

Request a PCI DSS
Compliance Audit

Name
*
This field is for validation purposes and should be left unchanged.