How Do I Audit PCI DSS? (Assessment, Procedure and Reporting)

The Payment Card Industry Data Security Standard (PCI DSS) is a globally used security standard that was introduced and is still governed by the Payment Card Industry Security Standards Council (PCI SSC).

The standard was introduced by the council to tackle the risk of card fraud. This standard applies to all businesses that process, store, or transmit cardholder data.

The standard helps businesses protect cardholder data by providing a framework for developing or improving their payment card data security process. This process covers the prevention and detection of breaches and the response to them.

PCI DSS compliance is assessed every year. The assessment depends on the rank of the business. Businesses are ranked by the Payment Card Industry based on the number of card transactions they have annually.

This compliance can be reported in the form of Self-Assessment Questionnaires (SAQ) or by using a Qualified Security Assessor (QSA).

Whether a business can use SAQs or QSAs depends on their ranking based on the number of their payment card transactions each year.

There are a total of 4 rankings or levels, where level 1 is the highest rank for businesses with more than 6 million annual transactions and level 4 is the lowest rank for businesses with lower than 20,000 annual transactions.

Self-Assessment Questionnaire (SAQ)

Smaller businesses must show their compliance with the PCI DSS through a Self-Assessment Questionnaire (SAQ). Generally, level 3 and level 4 businesses are eligible to use SAQs. There are many different versions of the SAQ, and the one a business must use depends on how it provides its services.


An SAQ consists of a list of questions that correspond to the PCI DSS requirements applicable to the business. An SAQ also contains an Attestation of Compliance, which attests that the person completing the SAQ is eligible to perform it.

However, level 3 and level 4 businesses are sometimes not eligible to show compliance through an SAQ. For example, if the card brand (VISA, American Express, Mastercard, etc.) deems that a business presents an unusual risk, it may direct the business to hire a Qualified Security Assessor (QSA) to complete the audit. This generally occurs after the business has been affected by a security breach.

Level 2 businesses can choose whether to self-assess or to hire a QSA to complete the PCI audit for them. If these businesses choose to self-assess, they go through the same process as level 3 and level 4 businesses.

Qualified Security Assessor (QSA)

Level 1 businesses do not have the option to self-assess. These businesses must always hire a QSA to perform the audit on their behalf. QSAs are independent security organizations that must pass rigorous tests to receive their qualification from the PCI SSC.

These organizations audit businesses to validate their compliance with the PCI DSS. During the audit, the QSA performs many tasks, which include the following.

  • Verifying all the technical information provided by the business.
  • Using independent judgment to confirm that the provisions of the PCI DSS have been complied with.
  • Providing support and guidance to the business during the process.
  • Being onsite at the business during the compliance process.
  • Adhering to the PCI DSS Security Assessment Procedures.
  • Validating the scope of the audit.
  • Evaluating compensating controls.
  • Producing the final report.

The QSA will also help the business identify any gaps between its processes and the requirements of the PCI DSS.

When these gaps are identified, the business must fix them and ensure that no vulnerabilities remain in the system that could allow unauthorized access to cardholder data.

Once the audit process is complete, the business must report its compliance with the PCI DSS to its respective acquiring financial institution or payment card company.

The type of report provided, an SAQ or a report through a QSA, depends on the requirements of the payment card company, as mentioned above.

Some payment card companies may also require a business to submit a quarterly network scanning report. The report generally consists of the following.

  • Contact information of the business and the report date.
  • Executive summary.
  • Description of the scope of work and what approach was taken.
  • Details about the reviewed environment.
  • Quarterly scan reports.
  • Findings and observations.


The Payment Card Industry Data Security Standard is a standard for all businesses that carry out payment card transactions.

Businesses have to report their compliance with this standard annually to their respective financial institution or payment card company.

When reporting their compliance, businesses either carry out a self-assessment in the form of a Self-Assessment Questionnaire (SAQ) or hire a Qualified Security Assessor (QSA), depending on the number of transactions the business processes annually.

Level 3 and 4 businesses must use SAQs to report their compliance. Level 2 businesses have the option of using either an SAQ or a QSA. Level 1 businesses cannot use an SAQ and must always use a QSA.