PCI DSS Audit Process: What to Expect from Assessment to Compliance
Quick Answer
The PCI DSS audit process involves scoping your cardholder data environment, engaging a QSA for on-site assessment, remediating gaps, and receiving a Report on Compliance (ROC). A typical Level 1 audit takes 3-6 months and costs $100,000-$350,000.
PCI DSS Audit Overview
A PCI DSS audit (formally called an "assessment") is the process by which a Qualified Security Assessor (QSA) evaluates your organization's compliance with PCI DSS requirements. Level 1 merchants and Level 1 service providers are required to undergo annual QSA assessments. Other levels may voluntarily choose QSA assessments or be required to do so by their acquiring bank.
Key Takeaways
- A typical PCI DSS audit takes 3-6 months from kickoff to final ROC
- The audit process includes scoping, evidence collection, on-site assessment, gap remediation, and final reporting
- QSAs test controls through documentation review, interviews, technical testing, and observation
- Preparing thoroughly before the QSA arrives can cut assessment time (and cost) by 30-50%
- The deliverable is a Report on Compliance (ROC) and Attestation of Compliance (AOC)
The Audit Timeline
Typical PCI DSS Assessment Timeline

| Timeframe | Phase | Activities |
|---|---|---|
| Month 1 | Pre-Assessment Prep | Select QSA, define scope, gather documentation, conduct internal readiness assessment, remediate known gaps |
| Month 2 | Scoping & Planning | QSA validates scope, reviews network diagrams and data flows, identifies the assessment approach, and schedules on-site visits |
| Months 2-3 | On-Site Assessment | QSA conducts interviews, reviews evidence, performs technical testing, and observes processes; typically 1-3 weeks on-site |
| Months 3-4 | Gap Remediation | Address any findings from the assessment: implement missing controls, fix configurations, update documentation |
| Months 4-5 | Re-Testing | QSA re-tests remediated areas to verify compliance; may require additional on-site visits |
| Months 5-6 | Final ROC & AOC | QSA produces the final Report on Compliance and Attestation of Compliance for submission to the acquiring bank |
How to Choose a QSA
A Qualified Security Assessor is an individual certified by the PCI SSC to conduct PCI DSS assessments. QSAs work for QSA Companies (QSACs) that are also approved by the PCI SSC. Choosing the right QSA is critical — a good QSA acts as a partner, not just an auditor.
QSA Selection Criteria
- Verify the QSA company is listed on the PCI SSC's official QSA directory
- Look for experience in your industry (e-commerce, SaaS, retail, hospitality)
- Ask about their experience with PCI DSS 4.0 and the customized approach
- Request references from companies of similar size and complexity
- Evaluate their communication style — you want a QSA who explains findings clearly
- Compare pricing but do not choose solely on cost — expertise matters more
- Ask about their team size and availability to ensure your timeline is met
- Confirm they can support re-testing and remediation validation
What QSAs Evaluate
QSAs use four primary assessment methods to evaluate each PCI DSS requirement:
| Method | Description | Example |
|---|---|---|
| Document Review | Examine policies, procedures, configurations, and records | Review firewall rule sets, change management logs, security policies |
| Interview | Speak with personnel responsible for implementing controls | Interview system administrators about patch management processes |
| Observation | Watch processes being performed in real time | Observe visitor badge procedures, watch a developer code review session |
| Technical Testing | Perform hands-on testing of technical controls | Run vulnerability scans, test access controls, verify encryption configurations |
Preparing for Your Audit
Audit Preparation Steps
- Conduct an internal readiness assessment: walk through every PCI DSS requirement and honestly assess your current state. Identify gaps early so you can remediate before the QSA arrives.
- Update your scope documentation: ensure your network diagrams, data flow diagrams, and asset inventory are current and accurate. QSAs will validate scope on day one.
- Organize evidence in advance: create an evidence repository organized by requirement number. Include policies, configuration exports, scan reports, training records, and process documentation.
- Assign control owners: for each requirement, designate a person who can explain how the control works, show evidence, and answer QSA questions during interviews.
- Run pre-assessment scans: complete your quarterly ASV scans and internal vulnerability scans. Address any critical or high findings before the assessment begins.
- Brief your team: ensure all personnel who may be interviewed understand the audit process, know what to expect, and can articulate their security responsibilities.
Common Audit Findings
Based on QSA industry reports, the most frequently failed PCI DSS requirements are:
| Requirement | Area | Common Findings |
|---|---|---|
| Req 6 | Secure Development | Missing WAF, incomplete software inventory, inadequate code review |
| Req 10 | Logging & Monitoring | Incomplete audit trails, logs not reviewed, insufficient retention |
| Req 11 | Security Testing | Missing internal scans, incomplete penetration test scope |
| Req 8 | Authentication | MFA gaps, weak passwords, shared accounts still in use |
For a deeper dive into audit failures and how to fix them, see our guide to common PCI DSS audit failures.
How long does a PCI DSS audit take on-site?
The on-site portion typically takes 1-3 weeks depending on the size and complexity of your environment. Larger organizations with multiple locations may require several weeks spread over multiple visits.
Can I fail a PCI DSS audit?
Technically, there is no 'pass/fail.' If your QSA identifies non-compliant areas, you have the opportunity to remediate them before the final ROC is issued. The QSA will re-test remediated items. However, if you cannot remediate findings, the ROC will document non-compliance.
What is the difference between a ROC and AOC?
The ROC (Report on Compliance) is the detailed assessment report documenting all findings, evidence, and testing results. The AOC (Attestation of Compliance) is a summary document signed by both the merchant and the QSA attesting to the compliance status. Most acquiring banks require both.
How often do I need a PCI DSS audit?
Level 1 merchants and service providers must undergo an annual QSA assessment. The assessment validates compliance for a specific point in time, but the expectation is that controls are maintained continuously throughout the year.