PCI DSS - What is the Assessment Procedure?

31. August 2023

In this short series we provide you with useful facts about the Payment Card Industry Data Security Standard (PCI DSS). Be well informed on your PCI DSS certification.

Often, the word "Assessment" triggers apprehension and certain fears in companies. After all, opening the doors to an external assessor and allowing access to sensitive data, systems and processes is not a pleasant task at first glance. In addition, the knowledge that non-compliance with PCI DSS requirements can result in costly penalties and unpleasant consequences for companies certainly causes a certain amount of stress among responsible employees. However, a PCI DSS Assessment should be seen as an opportunity to work with the assessor to uncover weaknesses and areas in need of improvement within the company and to strengthen security efforts in the long term.

To help you get started and prepare for your PCI DSS Assessment, we have summarized the most important information and the typical process of a PCI DSS Assessment. This will help you to assess what you will really have to face during an Assessment.

Who needs to have a PCI DSS Assessment conducted?

The obligation to prove compliance with the PCI DSS applies to all companies that process, store or forward credit card data, regardless of their size and the annual number of credit card transactions. Only the depth and scope of the Assessment methods with which a company must demonstrate compliance with the PCI DSS change based on the annual transaction volume:

The majority of small and medium-sized retail companies can demonstrate their PCI compliance through a Self-Assessment Questionnaire (SAQ).

As a rule, large retail companies and service providers must prove their PCI compliance by means of a fully comprehensive Assessment, which must be carried out by a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council. For this purpose, the PCI Council provides a list of QSAs on its website that is always up to date.

Prior to the initial PCI DSS Assessment: Gap Analysis

Before you perform a PCI DSS Assessment for the first time, it is highly recommended to have a PCI DSS Gap Analysis performed. This analysis will help identify administrative, physical and technical gaps in your information security measures, especially with regard to cardholder data environments (CDEs). Conducting a Gap Analysis also allows your assessor to get a picture of your organization and find out how prepared you already are for a PCI DSS Assessment. Identified non-compliances with the PCI DSS standard are then documented for you in a detailed catalog of corrective measures. If you wish, your assessor can also advise you on how to correct the deviations.

Assessment preparation and planning

Scoping

The first step in preparing for your actual PCI DSS Assessment is Scoping. This is where the Assessment parameters and the scope of your upcoming audit are determined. Your team will need to identify all locations, systems and operations where cardholder data is stored, processed or routed within your CDE. Scoping of all systems should be performed annually and always prior to your upcoming Assessment. It is your responsibility to delineate the scope of your Assessment in advance. Your assessor will verify that the scope has been correctly defined before the Assessment takes place, but can also assist in determining the scope earlier if you wish.

Planning

Initially, all participants come together in a planning meeting before the Assessment, which is often also referred to as a "kick-off". There, the detailed schedule, including assessment sessions, assessment topics as well as responsible persons and interview partners, is agreed upon. Ideally, your assessor will already provide you with a list of the documents required for the Assessment so that you can make them available at an early stage.

On-site and remote Assessment

The Assessment itself is a formal process in which all aspects of the PCI DSS applicable to your company are reviewed. Some assessment steps, such as the review of documents and IT systems, can be carried out remotely from your QSA's premises. Other assessment steps, on the other hand, require on-site appointments at your company, for example interviews with responsible employees and inspections of your premises, during which the physical security requirements of the PCI DSS are checked.

Correction of findings

If your assessor identifies non-compliances with the PCI DSS requirements, they will be documented in detail. To make it easier for you to correct the deviations, some audit companies also work with tool-based tickets. The tickets already contain recommendations regarding measures to be taken and can be assigned to responsible persons in your company for further processing. The current processing status of the deviations can always be viewed by you and your external assessor.

Report and follow-up

Upon successful completion of the Assessment, your QSA will prepare a "Report on Compliance" (RoC) and an "Attestation of Compliance" (AoC) for you to demonstrate compliance with the PCI DSS.

The RoC describes how the individual PCI DSS requirements are implemented in your company; i.e. the security situation, the environment, the systems and the protection of cardholder data in your company. It also documents how the assessor proceeded in reviewing each requirement.

The AoC confirms that your organization has completed the Assessment and is in compliance with PCI DSS requirements.

Consulting and advice between the Assessments

If you were satisfied with the support and Assessment provided by your assessor, it is often a good idea to take advantage of consulting services during the year, i.e., between annual Assessments. For example, if you make a change to your IT systems or processes that affects your organization's existing cardholder data environment, this may also affect the scope of your upcoming Assessment, the PCI DSS requirements that apply to you, and ultimately your PCI DSS compliance. Your assessor can advise you on any uncertainties or questions you may have, to prevent surprises during your next Assessment and to ensure the highest possible level of security for your customers' card data throughout the year, not only at Assessment time.

You can find more information about PCI DSS here. Do you have questions or need support with your PCI compliance project? Contact us; we will be happy to help you.
