How Long Does it Take to Complete a PCI QSA Onsite Assessment?

A PCI QSA onsite assessment, also known as a Level 1 Assessment, that produces a full Report on Compliance (RoC) is an extremely involved process. In a previous blog, we covered our methodology for completing this type of assessment, which may explain some of the level of effort that goes into it. Taking it a step further, we’re going to explain the basic timeline required to complete a PCI QSA onsite assessment, to add some context to what you’re getting yourself into when beginning this type of assessment.


Prior to this type of assessment beginning, there are a number of things that need to happen, all of which take some time.

  • Initial Scoping Call – Before actually signing contracts and scheduling a PCI QSA onsite assessment, we’ll need a call to discuss your environment at a high level in order to provide the most accurate price proposal possible for the assessment. While we can usually schedule this call with you within 24 hours and have a formal proposal to you shortly after the call, you do need to factor in the time it takes to get a proposal and get that proposal approved before a project can even officially begin.
  • Contract Signatures – Once you’re ready to move forward with the project, formal contracts need to be prepared and signed before the work can be scheduled. Again, this should only take about 24 hours from the time you say you’re ready to move forward to full execution. But sometimes legal teams need to get involved, and this process can drag on for a couple of weeks.

During the PCI QSA Onsite Assessment

  • Project Initiation Meeting – With formal contracts in place, the project can be officially scheduled, including a Project Initiation Meeting or Kick-Off Call. On this 30-minute call, we’ll meet with the project points-of-contact in order to review the proposed schedule, discuss the rules of engagement, and cover the action items that we’ll need completed prior to work commencing. This will usually be scheduled 1-2 weeks before work on the project is set to begin.
  • Initial QSA Review Call – Following the kick-off meeting (sometimes even directly afterwards), you’ll need to sit down with the lead QSA assigned to your project for an hour or two. This call is primarily designed to give the lead QSA a background understanding of your business, business processes, employees involved, the scope of work, etc. We’ll also request sets of documentation and configuration files around this time so we’ll make sure you understand what we need.
  • Documentation/Configuration Review – Prior to coming onsite for the interviews and validation required with a PCI QSA onsite assessment, the assessment team will spend 3-5 days reviewing all of your supporting documentation (policies, procedures, etc.) and device configuration files (usually firewalls, routers, switches, etc.) in order to plan the required interviews and validation approach while onsite.
  • Onsite Visits – Depending on the number of locations in scope and the sampling approach that can be used, the amount of time required for onsite work could vary wildly. At a minimum, you can expect 3 days onsite at the main headquarters location, and then potentially 1 – 2 days at a subset of satellite offices. This can vary based on payment channels present at each location, similarity of configurations between locations, geographic similarity of locations, etc.
  • Post Onsite Review, Analysis, and Follow-Up – Upon completing all of the onsite work, the assessment team will need an additional 3 days to conduct any follow-up interviews necessary, request additional evidence/documentation where required, analyze notes and evidence gathered while onsite, and prepare for completing the required RoC.


Following the assessment, the team will enter into the documentation and quality assurance phase. For a PCI QSA onsite assessment, there is a significant level of effort required at this point to complete the hundreds of requirements identified in the RoC, provide supporting evidence, and explain in detail how the organization meets each requirement. When the first draft of the document is completed, it has to go through a technical quality assurance process, whereby another QSA validates the information it contains, and then an editorial quality assurance process that checks for accuracy and polish. This part of the process can take another 3 – 5 days before the final report is ready for delivery to the customer.

In all, as you can probably tell if you’ve been keeping track along the way, a PCI QSA onsite assessment can take between 3 and 4 weeks for actual project execution. The “before” portion of time is really up to the client organization and how quickly contracts can be completed. The important lesson here is to plan ahead! It takes time to schedule an assessment of this size and it takes a long time to complete the required work. This is one of the largest and most involved types of assessments that we offer, making it crucial for organizations to give themselves enough lead time to get this kind of work accomplished before their annual RoC/AoC is due.