You are here:

PCI DSS audit

A PCI DSS audit is a detailed examination  of the security of an organization's credit-card processing system. PCI QSA Audit consists of both onsite and off-site activities and is performer by a Qualified Security Assessor (QSA) who  evaluates an entity's payment and credit card security implementation against PCI DSS standard. 

SC2labs provides the PCI DSS audit service, as accredited by the PCI SSC

PCI QSA auditor

Published on March 2022 the new version 4.0 of the PCI Data Security Standard (PCI DSS) replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.

  • Level 1 Service Providers that store, transmit, or process more than 300,000 credit card transactions annually.

  • Level 1 Merchant that store, transmit, or process more than 6 000,000 credit card transactions annually.

  • any other entities required by their acquirer (regardless of annually  upon of transactions)

On-site Annual Security Audit
A detailed on-site  assessment provided is by a PCI SSC certified QSA (Qualified Security Assessor) or by a certified ISA (Internal Security Assessor). The Audit is a detailed review of an organization’s card data environment that result in a RoC (Report on Compliance) and AoC (Attestation of Compliance).

External Vulnerability Scan PCI ASV
External network vulnerability scanning is conducted quarterly by a PCI SSC Approved Scanning Vendor (ASV) of all Internet-facing system components that are a part of or provide a path to the cardholder data environment.

Kickoff and Planning

The kickoff is considered the start of the engagement after the agreement is executed. We will discuss the certification process,  identify the point of contact from both organizations and timelines for assessment, define a project roadmap and plan the next steps.

Preparation Phase

In the preparation  phase, we offer tailor – support approach. It can consist of:

  • PCI DSS  training/workshop  - our dedicated to the project QSA  auditors will conduct the training   at an early stage and explain all requirements  of the  PCI Standard,  which will lead to a better understanding of the process and proper preparation for formal validation

  • PCI DSS  scoping –  to take a closer look at network segmentation, inclusion and dependency of any third party/ outsourcing.

  • Pre-Assessment or full Gap Assessment. Pre-assessment consists of  interviews, reviews of documentation and a broadly walk-through to identify gaps and provide recommendations. The GAP Analysis  is a more detailed process, we will  conduct an “as-is” assessment  of your organization to identify gaps in security controls, systems, documentation  and the environment against  all PCI DSS requirements. The GAP executive summary includes any identified discrepancies and  necessary recommendations for action.

  • Remediation/ Advisory Support. Assistance  to provide advisory support for mitigating gaps and collecting evidence software development.

Formal validation
Once all controls are confirmed to be in place, the on-site assessment  will begin. It is the formal process in which accredited auditor will conduct the formal assessment against all requirements. 

The report will be provided within 3 weeks of the last day of successful completion (all required documents are delivered and  collected by the QSA).

The deliverables include:

  • PCI DSS RoC – Report on Compliance

  • PCI  AoC – Attestation of Compliance

  • Certificate of Compliance

Continual Support
After your successful certification, we provide continual  at an in the ongoing maintenance of organization’s compliance – we will provide and discuss changes to the security standard itself, as well as explain and  at with emerging issues and questions.

You may also be interested in :






  • PCI QSA Audit  - an examination of IT systems, organisational documents, policies, procedures and employee interviews performed at the client's premises for compliance with the PCI DSS standard.

  • PCI ASV Audit - PCI ASV scan - services to check the security level of external information systems in accordance with the requirements of the PCI DSS standard.

  • GAP Audit - testing the degree of compliance of the client's system with the requirements of the PCI DSS standard.

  • PCI QSA - Payment Card Industry Qualified Security Assessor - an accredited auditor, certified by the PCI SSC, qualified to verify information systems for compliance with the PCI DSS standard.PCI ASV - Payment Card Industry.

  • Approved Scanning Vendor - an accredited auditor, certified by PCI SSC, with the authority to verify information systems for compliance with the PCI DSS standard.

  • Attestation of Scan Compliance (AoSC) - a document confirming passing or failing a PCI ASV scan (issued after PCI ASV scanning as a part of report) with PCI DSS requirement 11.2.

  • Report on Compliance (RoC) – large document (over 300 pages) that is completed during PCI QSA on-site audit. This document is usually only shared with card organizations (such as VISA/Mastercard)

  • Attestation of Compliance (AoC) - a formal document confirming compliance with PCI DSS. It is completed either by Merchant/Service Provider (if they are eligible to fill SAQ) or by PCI QSA at the end of PCI QSA on-site audit.

  • Issuer - a bank or other organisation issuing a card under the authority of a payment organisation, e.g. VISA or MC.

  • Acquirer - a bank or organisation that the merchant uses to process payment card payments. Receives authorisation requests and sends them to the issuer (Issuer) for acceptance. Provides services in the processes: authorization, clearing and settlement for the merchant. The Acquirer usually is:

  •  Merchant bank,

  •  Settlement agent,

  •  Service provider (sometimes),

  •  Card organisation (JCB, Discover, Amex),

  •  Never VISA or MC.

  • SAQ – Self Assessment Questionnaire – the form of self-check for merchants and service providers with low transaction volume (see compliance levels) if they are compliant with PCI DSS.

  • CoC – Certificate of Compliance – issued by SC2labs for marketing and PR purposes. This is not a formal confirmation on compliance (AoC is a formal document).

  • Merchant - an organisation that accepts credit card payments at the time of purchase.

  • Service Provider - transaction Processor.