Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) requires annual reporting. This annual compliance reporting involves extensive PCI DSS audit procedures for organizations that handle the highest transaction volumes. The audit procedures are conducted during the completion of an on-site assessment known as a Report on Compliance (ROC).
PCI DSS Security Audit Procedures—Everything You Need to Know
Completing the PCI DSS audit procedures is an extensive process for any organization. ROCs involve verified, third-party testing of the framework’s complete implementation.
To prepare and complete an ROC, your organization needs to know:
- PCI DSS reporting requirements
- The relevant parties involved in assessments
- How to prepare for the assessment
- The PCI DSS audit procedures
Partnering with a PCI DSS compliance expert will provide your organization with the comprehensive advisory and assessment to complete an annual ROC—and simplify the complicated process.
Reporting Requirements—PCI Levels and Submitted Documentation
The first step of PCI DSS security audit procedures is to determine your organization’s compliance reporting requirements. Reporting requirements are primarily based on a merchant’s categorization amongst the four PCI Levels, which depends on annual transaction volumes.
The Four PCI Levels and Their Reporting Requirements
Per Visa, the four PCI Levels and their associated reporting documentation (explained further below) are:
- Level 1 – Merchants handling over six million annual transactions across all channels
  - Reporting documentation – ROC and Attestation of Compliance (AOC)
- Level 2 – Merchants handling between one and six million annual transactions across all channels
  - Reporting documentation – Self-Assessment Questionnaire (SAQ) and AOC
- Level 3 – Merchants handling between 20 thousand and one million annual e-commerce transactions
  - Reporting documentation – SAQ and AOC
- Level 4 – Merchants handling fewer than 20 thousand annual e-commerce transactions or up to one million annual transactions across other channels
  - Reporting documentation – SAQ
PCI DSS Reporting Documentation
PCI DSS compliance reporting documentation involves ROCs, AOCs, and SAQs:
- Report on Compliance (ROC) – The most thorough compliance assessment. Completed by a QSA, it tests each DSS specification and requires extensive, on-site PCI DSS audit procedures.
- Attestation of Compliance (AOC) – Completed by a QSA to affirm a merchant’s compliance. The PCI SSC provides different AOC versions associated with ROCs and the various SAQs.
- Self-Assessment Questionnaire (SAQ) – The PCI SSC provides nine different SAQs, each specific to different business activities, transaction handling methods, or other criteria.
PCI DSS Audit Procedures—The Relevant Parties
After determining whether your organization is categorized as PCI Level 1, the next step of preparing for DSS audit procedures is understanding your associated reporting requirements.
Note that an ROC’s degree of assessment doesn’t apply to the organizations categorized as Levels 2 through 4.
The PCI DSS audits necessary for completing and submitting your ROC involve three parties:
- The PCI Security Standards Council (SSC) – The SSC is the entity that oversees the DSS and officially approves Qualified Security Assessors—the organizations that conduct PCI DSS audit procedures. Completed audit and reporting documentation must be submitted to the SSC annually. While the SSC comprises more members and stakeholders, the PCI Founding members are:
  - American Express
  - JCB International
- The audited “merchant” – All organizations that collect, store, process, or transmit credit card and cardholder data (CHD) are subject to the PCI DSS. Official PCI DSS documents and templates refer to these organizations as “merchants.”
  - Depending on their reporting requirements, merchants may be obligated to undergo PCI DSS audit procedures annually.
- The Qualified Security Assessor (QSA) – QSAs are officially approved by the PCI SSC to conduct audits and to oversee, complete, and affirm a merchant’s compliance reporting documentation. QSAs undergo a rigorous evaluation each year to ensure they have the knowledge and capability to perform PCI DSS assessments.
PCI DSS Audit Preparation—Gap Assessments
ROCs will comprehensively evaluate your organization’s complete PCI DSS implementation. Therefore, audit preparation should involve a QSA-conducted gap assessment to determine which measures must be remediated to achieve compliance.
Gap assessments should be thought of as an ROC trial run; if the gap assessment results reveal necessary remediation, immediately progressing to an official ROC will only demonstrate PCI DSS noncompliance.
A QSA can readily perform PCI DSS gap assessments and advise on any remediation efforts your organization must perform. However, organizations should contact their QSA and plan to conduct these efforts a few months before expected ROC audit procedures to ensure timely compliance report submission.
PCI DSS Remediation
Compliance remediation efforts for merchants require implementing processes and technologies to ensure adherence to the PCI DSS’ six Goals, 12 Requirements, 79 sub-requirements, and numerous sub-sub-requirements, as specified in the latest version (v3.2.1).
Please see RSI Security’s “Overview of Credit Card Industry Data Security Standards” for a list of the PCI DSS’ Goals, Requirements, and sub-requirements.
Section 6 of the ROC template provided on the SSC’s official website and available to all organizations via the Document Library offers a gap assessment and remediation roadmap. However, the full framework’s extensiveness—Requirement 1.1 collates a further seven sub-sub-requirements alone, and the template document amounts to 191 pages in total—renders self-conducted gap assessments especially challenging.
Partnering with a QSA will significantly simplify the task of identifying whether any specifications require remediation before official ROC assessments.
PCI DSS Audit Procedures—Undergoing ROC Assessment
PCI DSS audit procedures require on-site assessment—a critical differentiation between PCI Level 1’s ROC requirement and other Levels’ reporting. The AOCs required for Levels 2 and 3 may be completed remotely.
The PCI SSC describes a completed ROC as a “summary of evidence” that demonstrates DSS compliance. The ROC template contains:
- Section 1 – Contact information and report date, including:
  - 1.1 – The merchant, assessor, and assessor’s contact information
  - 1.2 – The report’s date and timeframe
  - 1.3 – The implemented PCI DSS version (i.e., v3.2.1)
  - 1.4 – Any additional QSA services provided to the merchant
  - 1.5 – A summary of findings (i.e., all 12 Requirements and three appendices)
- Section 2 – Summary of information, including:
  - 2.1 – A description of the merchant’s payment card-relevant business activities
  - 2.2 – High-level network diagrams illustrating a merchant’s network topology and their complete, assessed environment architecture
- Section 3 – Scope of work and assessment approach, including:
  - 3.1 – The assessor’s validation of cardholder data environments (CDE) and scope accuracy (i.e., a summary of the conducted PCI DSS audit procedures)
  - 3.2 – A CDE overview
  - 3.3 – Network segmentation
  - 3.4 – Network segmentation details
  - 3.5 – Third-party involvement relevant to the ROC assessment (e.g., payment processing and transmission services)
  - 3.6 – Third-party entities that must maintain PCI DSS compliance
  - 3.7 – Wireless network summary
  - 3.8 – Wireless assessment details
- Section 4 – Details about the merchant’s assessed environment, including:
  - 4.1 – A detailed network diagram and an optional data flow diagram
  - 4.2 – CHD flow descriptions
  - 4.3 – Cybersecurity measures and technology securing CHD
  - 4.4 – Hardware and software used to facilitate CHD environments
  - 4.5 – Sampling
  - 4.6 – Sample set reporting
  - 4.7 – An assessment of CDE-connected service providers
  - 4.8 – Third-party review of payment applications and solutions
  - 4.9 – Documentation review
  - 4.10 – Personnel review
  - 4.11 – Managed service providers (MSPs)
  - 4.12 – An assessor’s disclosure summary for all “In Place With Compensating Control” answers
  - 4.13 – An assessor’s disclosure summary for “Not Tested” answers
- Section 5 – Quarterly scan results, including:
  - 5.1 – Quarterly compliance scans conducted by a QSA
  - 5.2 – An attestation of scan compliance
- Section 6 – Findings and observations, including:
  - The assessment of PCI DSS Requirements, sub-requirements, sub-sub-requirements, testing procedures, and implementation questions for all framework specifications, organized per Requirement
- Appendix A – Additional PCI DSS Requirements, including:
  - Appendix A1 – For shared hosting providers
  - Appendix A2 – For merchants using SSL or early TLS for card-present POS POI terminal connections
  - Appendix A3 – For validating designated entities
- Appendix B – A compensating controls overview
- Appendix C – Compensating controls worksheets (CCW)
- Appendix D – Segmentation and sampling used to reduce an organization’s PCI DSS compliance scope
In addition to the full PCI DSS and testing procedures, the ROC template outlines reporting instructions for informing an assessor’s responses within Section 6. These testing procedures, reporting instructions, and assessor responses comprise most of the official PCI DSS security audit procedures.
ROC Reporting Details—Assessor Responses
When a QSA assessor conducts the PCI DSS audit procedures, they will test and report their findings directly in the ROC template. The findings are reported via a combination of checkboxes and written-in answers.
Summary of Assessment Findings—Checkboxes
Assessors are provided with five checkboxes when answering whether a given PCI DSS specification (i.e., Requirement, sub-requirement, or sub-sub-requirement) has been implemented.
For example, Requirement 1.1.1 asks whether the assessed merchant has implemented a formal process for approving and testing all network connections and changes to firewall or router configurations.
When responding, assessors will check one of the following:
- In Place – Testing has demonstrated that the Requirement has been met in its entirety.
- In Place w/ CCW – Testing has demonstrated that the Requirement has been met with the assistance of a compensating control.
  - All instances of this answer must be supported by a Compensating Control Worksheet submitted as part of ROC documentation.
- Not in Place – This answer conveys one of the following three scenarios:
  - Testing has demonstrated that some or all Requirement elements have not been met.
  - The Requirement is in the process of being implemented.
  - Further testing is necessary to verify whether the Requirement has been met.
- N/A – The Requirement doesn’t apply to the assessed merchant. Any instance of checking N/A must still be supported by detailed written responses that demonstrate why the control does not apply to the merchant—with the exception of certain “no/yes” ROC questions.
- Not Tested – The Requirement wasn’t tested by the assessor. The PCI SSC, brands, and acquirers that determine whether a merchant’s PCI DSS implementation is compliant will decide on a case-by-case basis whether answering with “Not Tested” results in compliance or not.
Reported Findings—Detailed Written Responses
Each ROC testing procedure must be answered with a detailed response in the space provided. Many of the findings will be reported with brief explanations of an assessed merchant’s Requirement implementation, including details such as the specific configurations reviewed and processes observed.
Other written responses may be “yes/no” answers, reference numbers, employee names or titles (if testing procedures require personnel interviews), or a list of reviewed and tested samples.
Third-Party Service Providers
Many merchants outsource some aspect of CHD collection, storage, processing, or transmission to third-party service providers. These service providers must also maintain and annually demonstrate PCI DSS compliance. However, PCI DSS audit procedures must still include a thorough review of whether an outsourced service achieves compliance.
The SSC clearly establishes that merchants’ assumption of their service providers’ PCI DSS compliance is insufficient—asserting throughout all official PCI documentation and guidance that merchants’ compliance is ultimately their responsibility. Due diligence is required to confirm whether partnered service providers have implemented the necessary controls and cyber- or physical security measures. Outsourcing does not absolve compliance culpability.
Detailed Written Response Example for Third-Party Service Providers
If a given PCI DSS Requirement is the responsibility of a service provider, the merchant’s assessor must still review the third party’s most recent AOC to validate their compliance.
The ROC template provides the following example as a written response for these scenarios:
“Assessor verified this is the responsibility of Service Provider X, as verified through review of x/y contract (document). Assessor reviewed the AOC for Service Provider X, dated MM/DD/YYYY, and confirmed the service provider was found to be PCI DSS compliant against PCI DSS v3.2 (or PCI DSS v3.2.1) for all applicable requirements, and that it covers the scope of services used by the assessed entity.”
PCI DSS Audit Procedures Version 4.0
The PCI DSS security audit procedures are currently being updated for version 4, with an expected release in Q1 of 2022. Once the version and all supporting and reporting documentation guidance have been published by the SSC, merchants will be provided 18 months to remediate any new compliance gaps.
Given the extensiveness of the PCI DSS framework, partnering with a QSA will help simplify the v4.0 remediation process.
QSAs—Mandatory (and Beneficial) for PCI DSS Audit Procedures
Organizations that must undergo the annual PCI DSS audit procedures specified in the ROC template are required by the SSC to partner with an approved QSA for assessment. Although QSA assessment is required, the expertise these partnerships provide substantially ameliorates PCI DSS compliance challenges.
As an SSC-approved QSA and PCI compliance expert, RSI Security will streamline the process—from preparatory gap assessments to submitting your final documentation.
Contact RSI Security today to rethink your PCI DSS compliance.