PCI Compliance Audit Requirements and Checklist from an Expert PCI-QSA | Part II
8. Fill out the Attestation of Compliance (AoC). Clients, prospects, payment gateways – and many other interested parties – will often want some form of assurance of PCI DSS compliance, and providing them with the Attestation of Compliance (AoC) is usually enough to satisfy that request. The AoC is filled out by management and generally signed off by a senior officer when a Self-Assessment Questionnaire (SAQ) is being completed. For Level 1 Onsite Assessments, the Payment Card Industry Qualified Security Assessor (PCI-QSA) who performed the assessment then signs off on it as well. You can expect the AoC to become your “proof” of being PCI
9. Provide documentation to all interested parties. As stated, parties interested in your PCI compliance mandates will often ask for the AoC, but be aware that they may also seek additional evidence, such as your documented information security policies and procedures. It’s important to keep all audit evidence readily available for auditors and other entities seeking more information on your PCI compliance activities. For starters, make sure all PCI policies and procedures are easy to locate and have been distributed to all employees to read.
10. Stay compliant. Easier said than done, but PCI DSS compliance is really a “moving target” – the ongoing challenge organizations face in staying compliant with the Payment Card Industry Data Security Standard. It’s about keeping policies and procedures up to date, undertaking vulnerability scanning and penetration testing where applicable, and performing annual security awareness training for all employees and workforce members. There’s much to be done, no question about it, but remember one important thing – being PCI compliant – truly compliant – says a lot about an organization’s information security posture.
Read Part I of the PCI Compliance Audit Requirements and Checklist
Author: Charles Denyer