PCI Compliance Audit FAQs
How much does a PCI audit cost?
Pricing for a PCI audit depends on scoping factors, including what type of organization you are, number of annual transactions, payment applications, physical locations, third parties, and audit frequency. Pricing will also vary based on the compliance level needed, inclusion of a gap analysis, or inclusion of additional remediation time.
How long does a PCI audit take to complete?
The average PCI audit, using KirkpatrickPrice’s process, is completed in 18 weeks. The engagement begins with scoping procedures, then moves into an onsite visit, evidence review, report writing, and concludes with the delivery of a PCI report. This timeline is extended when a gap analysis must be performed or when remediation takes longer than expected.
What do I receive when my PCI audit is complete?
PCI audits culminate in a final report to communicate confidence and assurance that mission-critical networks and physical environments are protected against the most damaging forms of threats. The components and formatting of PCI reports delivered by KirkpatrickPrice are based on guidelines provided by the PCI SSC and written by our in-house Professional Writing team.
How long is a PCI report valid?
The opinion stated in a PCI report is valid for twelve months following the date the report was issued.
How often does a PCI audit need to be performed?
Industry standard is to schedule a PCI audit annually, or whenever significant changes are made that affect the control environment. Auditing less frequently than that demonstrates a lack of commitment to compliance and may erode the trust of customers and partners.
Who is involved in a PCI audit?
In every PCI engagement, our Information Security Auditors are required by the PCI SSC to maintain communication with management and those charged with governance. Other team members involved in the audit could come from anywhere in your organization, ranging from IT to development to compliance officers – anyone with the appropriate responsibilities for and knowledge of the matters concerned in the audit.
What are the 12 PCI requirements?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel