Learning Center
PCI Audit
PCI Audit Timeline

PCI Audit Timeline

Use this to outline the most important actions that you need to take to prepare for a PCI DSS Audit.

PCI Audit Timeline

How To Prepare For And Manage a PCI Audit

This post contains part of the text from the SecurityMetrics PCI Audit Timeline Checklist.
To view the full interactive checklist, download the PDF.

PRE-ASSESSMENT

One Year Before

Before you sign a contract, you will want to plan your path to compliance by determining what your specific needs are and what potential products can address them.

  • First time PCI audit customers will:
    • Engage with a Qualified Security Assessor (QSA) for an assessment
    • Confirm your merchant or service provider level with the card brands
  • If you are renewing, confirm any scope reducing solutions you are using do not expire before your next assessment

9 Months Before

  • First time PCI audit customers will:
    • Start the initial gap process with your QSA
    • Review your 3rd party providers' attestation documentation and responsibility matrices
      • Check to see if they current and accurate
  • If you are renewing, confirm Approved Scanning Vendor (ASV) scans are happening on all appropriate targets and that issues are remediated

6 Months Before

  • Confirm that your policies/procedures are in place and updated
  • When renewing:
    • Engage with the QSA company that will be performing your assessment
      • Ask your QSA any questions, particularly concerning tricky preparation steps you encounter
      • Go over the requirements you have
      • Establish a specific date for you to submit your Report on Compliance (ROC)
      • Set expectations for your timeline and schedule
      • Bring up any issues and discuss extensive changes with your auditor
    • Review the scope of the penetration test with your QSA
  • Schedule your penetration test
  • First-time customers will:
    • Begin ASV scans

3 Months Before

  • Obtain up-to-date network and card flow diagrams
  • Review evidence request list
  • Schedule your onsite visit
  • Determine what internal personnel need to be involved in the onsite visit for the assessment
    • Arrange for personnel to either attend or be available

1 Month Before

  • Finalize all travel arrangements for people involved in the onsite assessment

Two Weeks Before

  • Verify all relevant parties are available for the onsite visit
  • Double-check that visitors cannot access sensitive areas
  • Ensure that managers/supervisors are informed of:
    • Date assessor will be onsite
    • What access assessor may need
    • Any documentation required
  • Obtain an agenda from your assessor
  • Share the agenda with all involved parties

ONSITE ASSESSMENT

1-3 Weeks Onsite

The Onsite Assessment includes validation and documentation in order to produce a Report on Compliance (ROC).

  • Project coordinator and audit lead will work together to identify onsite dates to complete PCI DSS assessment
    • Sampling may be needed
  • Go over steps to compliance with your QSA

POST ASSESSMENT

30 Days After (Remediation)

During this phase, your QSA works with you to determine what remediation needs to be done to ensure compliance.

  • QSA identifies compliance gaps and puts them in the audit portal
    • Merchant works with QSA to understand finding and what evidence will be needed to close the finding
  • Once remediation is finished, the merchant can upload the requested evidence to the audit portal for review

30-45 Days After (Report Delivery)

You will receive a report on your audit describing the process and outcome.

  • After all remediation work is finished, Audit Lead will release the completed SAQ D and AOC with the report

∞ Ongoing

An essential step of PCI compliance is an ongoing effort to maintain your environment and avoid situations that cause a higher compliance burden.

To ensure continued PCI compliance:

  • Update security policies
    • Anytime you change the way you store, process or transmit cardholder data, update your policies to reflect the changes
    • Reach out to your QSA for assistance with your environment or changes
  • Train your employees
    • Inform new and current staff members how to correctly handle card data
  • Update your SAQ if things change
    • Update and resubmit your SAQ if anything in your card processing environment changes
  • Run external vulnerability scans
    • Run scans at least quarterly
    • Run scans every time you make a network change
  • Verify you understand where your credit card data is stored
    • Ensure all your credit card data is encrypted
    • Identify unencrypted card data with card discovery tools
Checklist
Episode
Updated
April 23, 2024
Posted
September 22, 2020
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000