How to Complete a PCI Audit in 7 Steps

by Hannah Grace Holladay / February 23rd, 2024

To protect the security of cardholder data, the PCI Security Standards Council requires organizations that work with payment cards to maintain compliance with the PCI DSS. If you’re an entity that stores, processes, or transmits cardholder data, it’s imperative to regularly conduct a PCI audit to ensure compliance.

Below, we will define common PCI requirements and discuss the seven steps of conducting a PCI audit.

What Is a PCI Audit?

A PCI audit is a rigorous examination of an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS), which consists of nearly 400 individual controls. Passing it is a critical part of staying in business for any merchant, service provider, or subservice provider involved in handling cardholder data.

At KirkpatrickPrice, our PCI audit program takes a seven-step approach to help your organization gain PCI compliance.


The 7 Steps of a PCI Audit

1. Gap Analysis

How do you conduct a PCI compliance internal audit? Before beginning a PCI audit for the first time, we recommend conducting a gap analysis.

A gap analysis helps identify any administrative, physical, and technical gaps in your information security program, specifically in how you handle cardholder data. Going through a gap analysis allows our senior-level QSAs to understand your business and your level of readiness for a PCI audit. The gap analysis is an important step towards PCI compliance because your QSA can create remediation strategies that will guide you through the PCI audit process and towards compliance. Next, your organization will move on to remediate the findings from the gap analysis.

Learn more about what to look for in a QSA before beginning any PCI audit.

2. Remediation

At this point, you may have detected some areas of non-compliance. Remediation will help your organization recognize its gaps and remediate those areas for a smoother path toward PCI compliance.

Now that your organization understands its administrative, physical, and technical gaps, a QSA from KirkpatrickPrice will work to develop a detailed remediation plan with findings from the gap analysis and recommendations on proper ways to mitigate areas of non-compliance.

3. Scoping and Planning

After weeks of remediation work, it’s time to start the PCI audit by verifying the scope of the engagement. We will work with your organization to analyze your services, geographic locations, payment applications, third parties, and other system factors to develop an accurate scope for the PCI audit.

This stage prepares the entire engagement team to move to the next step of gathering information. One helpful tip: The narrower the scope, the more accurate and efficient your PCI audit process will be, so we aim for a detailed and defined scope.

4. Gathering

At KirkpatrickPrice, we will collect your policies, procedures, and other documentation needed for your PCI audit through the Online Audit Manager.

Alongside your designated Audit Support Professional and QSA, you will begin answering questions and describing systems relating to your organization’s internal controls. The Online Audit Manager provides a platform that streamlines the PCI audit process and aids you in completing 80% of the PCI audit before one of our senior-level QSAs even visits your office for an onsite visit.

Gathering and preparing data beforehand gives you the opportunity to be more effective with time and communication during your onsite visit.

5. Onsite Visit

An onsite visit is probably what you envision when thinking about a stereotypical audit. Onsite visits are important for testing internal controls and observing your people and technology in action. During the onsite visit, a senior-level QSA, who has been partnered with you throughout the PCI audit process, will observe and test your organization to determine if your processes meet the 12 requirements of PCI compliance.

6. Report Delivery

Next, you will receive a Report on Compliance (RoC), which provides you with a detailed report on the results of your PCI audit. To generate RoCs, KirkpatrickPrice has a team of Professional Writers who are trained and knowledgeable about the PCI DSS and who write high-quality reports.

Your report will also go through our Quality Assurance processes to ensure it meets our quality standards. You can take a deep breath knowing your PCI audit was performed by a QSA and a firm that is committed to your organization’s compliance success!

7. Get on the List

We know the ultimate goal of completing a PCI audit is getting on the Visa Compliance List to give your clients an added level of assurance. By completing all the steps of your PCI DSS audit with a qualified auditing firm, you’ll receive a report to help you get on the list.

How to Market Your PCI Compliance

Going through the PCI compliance internal audit process can do more than assure your clients that their sensitive data is protected; PCI compliance can also be a powerful tool for your sales and marketing team.

How do you take your PCI compliance and market it to prospects and clients?

When you work with KirkpatrickPrice, you will receive a complimentary press kit that includes compliance logos, the writing and distribution of a press release announcing your recent PCI compliance, copy to use in marketing materials, and advice on how to best market your PCI compliance achievements.

Ready to Start Your PCI Compliance Audit?

We understand that PCI compliance can feel overwhelming. That’s why it’s so important to work with a qualified firm you can trust. At KirkpatrickPrice, we want to partner with you from audit readiness to final report.

Are you ready to work with a qualified QSA firm that partners with you throughout the PCI audit process? Connect with one of our experts today!


About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.