PCI Audit

A PCI DSS audit is rigorous examination of the Payment Card Industry Data Security Standard, which consists of nearly 400 individual controls and is a critical part of staying in business for any merchant, service provider, or subservice provider who is involved in handling cardholder data. In fact, if you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the PCI DSS.

PCI Audit

Why Work With KirkpatrickPrice?

As a licensed CPA and QSA (Quality Security Assessor) firm, we deliver hundreds of PCI Reports on Compliance (RoC) and Attestations of Compliance (AoC) per year and KirkpatrickPrice Information Security Auditors are senior-level experts.

Whether you need a RoC, AoC, or assistance with your Self-Assessment Questionnaire (SAQ), KirkpatrickPrice can help. KirkpatrickPrice also provides risk assessments, policy development, and penetration testing services to support your organization in PCI compliance efforts.

Our audit delivery tool, the Online Audit Manager, streamlines the audit process, helps reduce the complexity of compliance efforts, and gives our clients the ability to combine multiple audit frameworks into one audit. We’ve spent over a decade honing this process so that clients can complete one audit process while receiving multiple reports.

Connect with us today to learn about the time it takes to complete a PCI audit, understand the cost of receiving a PCI report, and take part in a free demo of the Online Audit Manager.

PCI FAQs

How much does a PCI audit cost?

Pricing for a PCI audit depends on scoping factors, including what type of organization you are, number of annual transactions, payment applications, physical locations, third parties, and audit frequency. Pricing will also vary based on the compliance level needed, inclusion of a gap analysis, or inclusion of additional remediation time.

How long does a PCI audit take to complete?

The average PCI audit, using KirkpatrickPrice’s process, is completed in 18 weeks. The engagement begins with scoping procedures, then moves into an onsite visit, evidence review, report writing, and concludes with the delivery of a PCI report. This timeline is extended when a gap analysis must be performed or when remediation takes longer than expected.

What do I receive when my PCI audit is complete?

PCI audits culminate in a final report to communicate confidence and assurance that mission-critical networks and physical environments are protected against the most damaging forms of threats. The components and formatting of PCI reports delivered by KirkpatrickPrice are based on guidelines provided by the PCI SSC and written by our in-house Professional Writing team.

How long is a PCI report valid?

The opinion stated in a PCI report is valid for twelve months following the date the report was issued.

How often does a PCI audit need to be performed?

Industry standard is to schedule a PCI audit to be performed annually or when significant changes are made that will impact the control environment. Any frequency less than that will demonstrate a lack of commitment to compliance, plus it may cause distrust.

Who is involved in a PCI audit?

In every PCI engagement, our Information Security Auditors are required by the PCI SSC to maintain communication with management and those charged with governance. Other team members involved in the audit could come from anywhere in your organization, ranging from IT to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.

Click for More PCI FAQs

How can I prepare for a PCI audit?

Who can perform PCI audits?

What policies are required for PCI compliance?

What are the levels of PCI compliance?

How can I gain compliance with PCI Requirement 9 and 12?

What are the 12 PCI requirements?

How Could a PCI Report Benefit Your Organization?

If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, then PCI compliance is critical to the operability of your organization. A non-compliant organization could be subject to substantial fines and penalties, termination of ability to accept cards as payment, loss of business, lost confidence of customers, and legal costs. PCI compliance has the power to demonstrate your commitment to security and assure your clients that their cardholder data is protected.