Do I Need Consulting Before a PCI Audit?

One of the common questions that comes up when we are talking to potential clients is whether they need to do some PCI consulting before a PCI Audit to help them prepare. The short answer is no. There is no requirement for you to undergo any type of consulting or pre-assessment before a QSA on-site evaluation is conducted. If you have a good grasp of the PCI DSS and are confident that you are scoped correctly, then you can save time and money by just scheduling and moving forward with your full assessment. This is especially true if you are already PCI compliant and are just going through your yearly audit.

With that being said, if this is your first time going through the process, I would recommend that you consider engaging for some consulting before the PCI Audit. The reason for this really boils down to the difference between a PCI Gap Analysis and a QSA On-Site Evaluation. In a Gap Analysis, which is what we would recommend at Triaxiom in most scenarios for your pre-assessment consultation, you will be paired with a certified QSA who will ultimately be your auditor once you undergo a full assessment. During the Gap Analysis process, your engineer will assess your scope and come up with some strategies to try to reduce that scope, if possible. Reducing the scope through effective segmentation and other techniques can significantly reduce the cost and complexity of meeting all requirements laid out in the PCI DSS. Further, once the scope is determined, your auditor will work with you in an interview-type fashion to go over each requirement, how you think you are meeting it, and whether you are meeting it or not. Because it is less involved, and because we as a company do not need to retain evidence for each finding, a PCI Gap Analysis is significantly cheaper, shorter, and more collaborative than a full-blown audit.

In contrast, we have had many clients attest that they are ready for a full PCI QSA On-Site Assessment and decide that they do not want to do a gap analysis or any type of consulting prior. Of course we are happy to do that. However, for a few of those situations, when we were in the middle of the audit it was determined that they were not actually compliant everywhere they thought they were, and they had several significant items keeping them from being compliant. In those instances, even though the initial price tag of compliance was less, those companies often ended up spending significantly more than they would have if they had engaged in some consulting before the actual PCI Audit.