
PCI-DSS Audits

There are several reasons your business may need a PCI-DSS audit. For large corporations, mandatory PCI-DSS compliance audits are a regular occurrence.

The PCI Data Security Standard (PCI-DSS) states that Level 1 businesses, those that receive over six million credit card transactions a year, must undergo a PCI-DSS audit annually.

However, if you’re a smaller business receiving fewer than 1 million credit card transactions a year, a PCI-DSS audit will be necessary if you’ve suffered a data breach. Although this can be stressful, the PCI-DSS audit process is nothing to worry about.

What is a PCI-DSS audit?

A PCI-DSS audit is a thorough inspection conducted by the Payment Card Industry Security Standards Council (PCI-SSC) to ensure that all regulations are being followed. Any business or organisation that accepts payment cards from American Express, Discover, JCB, MasterCard, or Visa – the five members of the PCI-SSC – needs to adhere to these standards.

The PCI-DSS audit is designed to ensure that all the appropriate safeguards are in place to protect the data that passes through every system involved in credit card transactions. This includes:

  • Card readers
  • Point of sale (POS) systems
  • Store network and wireless access routers
  • Online payment applications and shopping/gift cards
  • Payment card data storage and transmission, including the data stored in paper records

How does a PCI-DSS audit work?

To conduct a PCI-DSS audit, you will need to engage a Qualified Security Assessor (QSA). Because of the sensitive nature of working with credit card data, this assessor must have been approved by the PCI-SSC for the audit to be valid.

Conducting a risk assessment

Your QSA will begin by conducting a risk assessment of your company’s security infrastructure, paying particular attention to the quality of the various networks, policies, and procedures.

Security awareness training

Your staff will then be provided with any security awareness training needed for them to meet PCI-DSS requirements.

Reviewing the findings

Your QSA will then outline the findings from the risk assessment, creating a list of priorities that will need to be addressed.

Addressing issues

Your company will then need to take prompt action to make improvements, with the aim of correcting every problem found. Where these issues are more complex, the QSA can act as a consultant or help manage the remediation process.

Monitoring progress

Ultimately, you will need to continually monitor your security infrastructure following the PCI-DSS audit to ensure that your company remains compliant.

How often do I need to get a PCI-DSS audit?

For Level 1 businesses and organisations, and for smaller businesses that have recently experienced a breach, it’s mandatory to pass at least one PCI-DSS audit a year to retain compliance.

For other businesses, it depends on your payment provider, as many providers set their own PCI-DSS audit frequency requirements.

What happens if I fail my PCI-DSS audit?

If you’re disappointed with the results of your business’ PCI-DSS audit, it’s important not to worry. With the guidance of your QSA, you will be able to make the necessary changes to bring your security systems back up to standard, reducing the risk of a further breach and meeting your customers’ privacy needs properly.

However, you are at risk of failing if your QSA detects a system vulnerability, as this indicates that you did not discover and address the issue promptly – leaving your customers’ data exposed. Similarly, your business is at risk of being deemed non-compliant if issues are ignored or continue to recur because of poor monitoring. This will likely lead to further consequences, including fines and penalties.

Get PCI-DSS audit ready with Hicomply

Although it ultimately delivers strong protection for both your company and your customers, the PCI-DSS audit process is time-consuming and complex. It should not be taken lightly, as rushing it leads to avoidable errors and mistakes.

Hicomply can help make this process much more straightforward for you and your business. By using the Hicomply ISMS solution, you won’t have to juggle all the necessary information and documentation, as it will all be located in one place. Contact us today for more information.