Everything You Need to Know About PCI Onsite Assessments

There are a number of different names people use when referring to an onsite assessment they are required to undergo as a part of their Payment Card Industry (PCI) compliance. A Level 1 assessment, a PCI QSA onsite assessment, a ROC assessment. All of these are referring to the same thing: a PCI Onsite Assessment conducted by a PCI QSA certified company that will produce a Report on Compliance (ROC) and an Attestation of Compliance (AOC) to prove that your organization is PCI compliant. The differences in terminology make it hard for many people to understand what they need in order to show compliance or if a company they are engaging to perform an assessment is going to be giving them the results they need. So let’s cover everything you need to know about PCI Onsite Assessments from a variety of articles we’ve written previously to hopefully de-mystify the process.

A good place to start might be for you understand if you even need to be PCI compliant, as this can be non-trivial. For people not familiar with PCI, there are a lot of different rules and classifications to understand when trying to determine a) if you need to be compliant, and then b) how to demonstrate that compliance. Once you know that you do indeed need to be compliant, you should identify who you need to prove your compliance to. Are you a service provider that needs to show your customers that you are PCI compliant? Or are you a merchant organization that needs to work with your acquiring bank to show compliance? Either way, you can now decide whether you need to complete a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). This decision will likely be made for you in most cases, as you’ll have a customer asking for either a ROC or an SAQ, or your acquiring bank will be asking for one or the other, based on the transaction levels you service. If you’re still unsure, check out our breakdown of whether you are required to have a PCI onsite assessment.

For SAQs, we’ve covered a complete breakdown of the process and all the differences between SAQs. So here, we’ll focus on PCI Onsite Assessments that result in a ROC.

In order to receive a ROC, the PCI Council mandates you must have a PCI onsite assessment completed by a certified PCI QSA company. Triaxiom Security is a certified PCI QSA company and you can find us listed on the PCI Council’s website. This assessment, as its name indicates, must have a portion of it performed onsite at your company to validate certain aspects of your compliance.

You can read more about what to expect for a PCI Onsite Assessment in one of our previous blogs. But in general, this is a fairly long and involved process to complete an assessment of this magnitude for most organizations. In all, you are probably looking at 3 to 5 weeks of project execution and a total cost between $20,000 and $30,000.

Finally, once you know a PCI Onsite Assessment is what you need to complete, it would probably help for you to understand what the project process looks like. You can review our detailed methodology here. Once you understand the process, you’ll want to do some internal preparation to make sure things run smoothly. We also put together a list of the top 10 ways to prepare for a PCI Onsite Assessment.

With all of these resources, you should have everything you need to help you understand what a PCI Onsite Assessment is, how it applies to your organization, and what the assessment process looks like. If you still have additional questions, please don’t hesitate to reach out to us and we’d be more than happy to help talk you through the process!