If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS.
How much does a PCI audit cost?
Pricing for a PCI audit depends on scoping factors, including what type of organization you are, number of annual transactions, payment applications, physical locations, third parties, and audit frequency. Pricing will also vary based on the compliance level needed, inclusion of a gap analysis, or inclusion of additional remediation time.
How long does a PCI audit take to complete?
A PCI audit can take anywhere from weeks to months, depending on how prepared you are and on your staff's availability for interviews and control demonstrations. To satisfy the PCI DSS assessment requirements for an engagement, the assessor must validate scope (the cardholder data environment and every system connected to it), perform the testing procedures for each requirement, and document the conclusions. Each of those steps requires time from your management and technical staff, so the schedule can be compressed or extended to fit your timeline. You can save time by using the Online Audit Manager to collect and maintain the audit evidence you need for compliance.
What do I receive when my PCI audit is complete?
A PCI audit culminates in a final report that gives your clients and acquirers assurance that the PCI DSS controls protecting cardholder data in your networks and physical environments were in place and operating at the time of the assessment. For a full assessment this is the Report on Compliance (ROC) together with its Attestation of Compliance (AOC). The components and formatting of PCI reports delivered by KirkpatrickPrice follow the reporting templates published by the PCI SSC and are written by our in-house Professional Writing team.
How long is a PCI report valid?
A PCI report describes your controls as they were during a period in the past, so it ages. PCI DSS requires validation at least annually, and your clients will typically not accept a report issued more than 12 months ago because they need your testing to be current for their own audit period.
How often does a PCI audit need to be performed?
The industry standard, and the PCI DSS requirement, is to perform the assessment annually and to reassess whenever significant changes are made that affect the control environment. Assessing less often than annually leaves you without current validation of compliance, and your clients and acquirer may lose confidence as a result. Maintaining an audit process that covers every year demonstrates a commitment to compliance and ongoing testing of controls, which ultimately contributes to the health of your organization.
Who is involved in a PCI audit?
In every PCI engagement, the assessor maintains communication with management and those charged with governance throughout the assessment. Other participants could come from anywhere in your organization, from IT to development to compliance officers: anyone with the appropriate responsibility for, and knowledge of, the systems, processes, and controls in scope.