PCI Compliance Certification Process for Level 1 Onsite Assessments | Why PCI Security Templates and Policies are Critical

The PCI compliance certification process for Level 1 onsite assessments can be a taxing and challenging process, one that requires thoughtful consideration when choosing a PCI-QSA to conduct the actual assessment, along with finding supporting documentation to assist with compliance. What’s important to note about Level 1 onsite assessments is the laundry list of documented policies and procedures needed for compliance, which can be obtained by purchasing the PCI security templates and policies from pcipolicyportal.com. We’ve provided essential PCI policies to companies all around the world – from Cape Town, South Africa, to Greenville, South Carolina – and are looked upon as the undisputed policy experts for PCI DSS compliance.

As for the PCI compliance certification process for Level 1 onsite assessments, here’s a brief, yet comprehensive step-by-step approach put together by one of the industry’s most experienced Payment Card Industry Qualified Security Assessors (PCI-QSA).

1.  Conduct a preliminary Gap Analysis against the actual PCI DSS standards. Onsite assessments generally have a large scope and can take a considerable amount of time to complete. Charles’ advice is to start with a comprehensive internal gap analysis that includes a walk-through of all twelve (12) of the PCI DSS requirements. Trust us – it’s a highly effective strategy, one that yields important findings about your organization’s PCI “readiness” and overall posture.

2.  Place remediation items into specific categories and assign ownership. You’ll undoubtedly find a number of areas requiring remediation – policies, procedures, and more – ultimately requiring competent professionals to assist in the actual remediation efforts. We all have seats on the bus – as the old saying goes – so assign roles and responsibilities according to each person’s strengths and skill sets.

3.  Seek out products, services, tools, and external resources for remediation. We offer a comprehensive set of PCI policies for onsite assessments, which is a good start indeed, but you may very well need additional tools and possibly even external resources for helping implement many of the required PCI mandates.

4.  Remediate. Talk is cheap, so roll up your sleeves and actually remediate all items found during the initial PCI gap analysis, or suffer the consequences of having a PCI-QSA find deficiencies during the actual assessment process. Want to avoid assessment certification delays and frustrations with your QSA? Remediate – plain and simple.

5.  Hire a PCI-QSA. Find a competent, no-nonsense, well-skilled PCI-QSA to conduct your assessment. We recommend PCI-QSA Charles Denyer, who can be reached on his cell at 214-298-8532. He’s originally from Texas, but works all across the nation conducting Level 1 onsite assessments. There are also many other high-quality QSAs to choose from, so visit the official PCI DSS website at pcisecuritystandards.org to learn more.

6.  Agree on scope, set expectations and begin the Level 1 onsite assessment. Understanding the “who, what, when, where, and why” of your Level 1 onsite assessment is critical for mitigating scope creep, creating audit efficiencies, and working within a defined budget. You and your PCI-QSA need to agree on a number of essential matters BEFORE the assessment actually begins.

7.  Conduct vulnerability scans and penetration testing. Level 1 onsite assessments require internal and external vulnerability scans, along with network layer and application layer penetration testing. Remember, the scans must be done by an approved scanning vendor (ASV), but the penetration tests can be conducted by almost any competent IT personnel and/or organization.

8.  Provide audit evidence to the PCI-QSA. Get ready to produce screenshots, log reports, system setting outputs, along with policies and procedures – and more – as part of the audit evidence phase. When a QSA conducts an actual Level 1 onsite assessment, there’s a tremendous amount of audit evidence the QSA is required to collect.

9.  Receive the final Report on Compliance (RoC) from the PCI-QSA. The final deliverable for a Level 1 onsite PCI compliance assessment is two-fold: (1) the official Report on Compliance (RoC), and (2) the Attestation of Compliance (AoC).

10.  Complete the Attestation of Compliance (AoC) and file the Report on Compliance (RoC) with VISA, if applicable, and meet any other reporting requirements. The AoC is often requested as proof of compliance by any number of parties, so keep that in mind. Additionally, some entities also require the entire Report on Compliance (RoC) as evidence. Lastly, if you want to be listed on the VISA list of approved Service Providers, that requires additional time and senior management commitment as well.

PCI Templates and Security Policies for PCI-SAQ | QSA Services and Policy Writing Also
We also offer PCI templates and security policies not only for Level 1 onsite assessments, but for all PCI Self-Assessment Questionnaires (A, B, C, C-VT, D, P2PE-HW), along with PCI policy and procedure writing services. Want to learn more about PCI compliance? Then join pcipolicyportal.com for our webinars. Lastly, learn more about the PCI certification process for the Self-Assessment Questionnaires.