Don't Start Your 2023 PCI Report on Compliance Without Doing These 10 Essential Tasks FIRST
1. You have a copy of the signed Statement of Work with your QSA
Make sure you have this statement of work at your fingertips throughout your assessment period. This agreement protects you and your QSA for work that is contractually agreed upon.
2. Complete an end-to-end PCI Scope Assessment
The success of your PCI Report on Compliance hinges upon an accurate PCI Scope Assessment.
Your scope assessment includes the who, what, where, when, why, and how of your cardholder data environment and anything or anybody that connects to your cardholder data environment.
Not sure how to complete a full scope assessment to prepare you for your Report on Compliance (or Self-Assessment), you can learn how to do this critical task with our course and guidebook, How to Manage Your PCI Scope Without Losing Your Mind.
3. Upon completing your scope assessment, your QSA has returned the sample set to you BEFORE you kick-off the Report on Compliance
There are specific criteria for pulling a sample for a Report on Compliance assessment.
If you followed our 6 step process for completing a scope assessment, your QSA is already has validated your scope.
Using the sample formula, they must be able to identify the sample sets and return that back to you and be ready for kickoff.
For organizations with a robust PCI Compliance program with a mature controls, repeatable processes, and automation, you may opt to assess everything in scope rather than just a sample.
Pulling a report for all assets in scope for logging events is a lot easier than isolating sample sets.
4. You’ve created and communicated your high level timeline of activities
It’s important to get everyone on the same page with due dates and deadlines for evidence. Knowing when your Report on Compliance is due to your acquirer and how much time you need to gather evidence and have the assessment completed will drive your start date.
If you need more help creating the timeline of all your PCI assessment activities, see our course, The Art of Managing (and Delivering) a Successful Report on Compliance in our Resource Center.
5. You’ve scheduled all physical on site assessments
If you have data centers and / or call centers in scope for PCI DSS Assessment, it’s important to have these site visits scheduled.
It’s equally as important to have the facilities managers, data center managers, and call center managers prepped and ready to go for these on site visits.
6. You’ve confirmed all system administrators and personnel that will be scheduled for interviews and real time observations
If you’ve completed your end-to-end scope assessment, confirming who’s responsible and accountable for PCI DSS Requirements and controls is already done.
Now, if you haven’t done this by kick-off time, right now is a good time to accomplish this necessary and vital task.
Otherwise, the interviews and observations will waste more time than a toddler dressing themselves.
7. You’ve reached out to system administrators and personnel who want to do a mock interview before sitting with the QSA
This task is a hidden gem. There is nothing worse than an awkward QSA interviewing a nervous system administrator.
I’ve been on these types of interviews and they are nails on a chalk board painful.
I’ve also been on an interview where the system administrator admitted to forgetting how they configured the management console.
Needless to say, I ended that interview and stopped the system administrator from inflicting more pain on themselves.
And the QSA.
Make the time in your calendar to be available to system administrators who need and want to do a mock interview before they sit with the QSA.
8. You’ve set the RoC kick-off date and invited all stakeholders to the meeting
This is probably the easiest thing you’ll do – schedule the kick-off meeting.
Invite every single stakeholder.
If they decline the invite, that’s on them. Not you.
9. You’ve scheduled mandatory PCI Compliance training for everyone in scope for PCI DSS assessment
That’s right. Mandatory PCI DSS Training.
What I did (and this works, trust me), is schedule 3 training dates and times.
People had to pick they day/time they wanted to attend.
I took attendance at each training session.
I didn’t waste my time doing make up training. I got smart and recorded my last training and made it available to anyone who missed the live version.
10. Documentation and evidence are queued and awaiting QSA assessment.
Do not…and I repeat…Do not schedule the PCI RoC kick-off without the QSA queue filled to the brim with your policies, standards, processes, procedures, and evidence ready to be assessed.
When you kick off your assessment period, it’s not hurry up and wait.
You need to RoC and roll within 24 hours of kicking off your assessment.
There you have it. 10 Essential Tasks To Do BEFORE You Kick-off Your 2023 PCI Report on Compliance.
Any questions? Drop a comment below!
We’ve taken 20+ years of PCI experience (that’s over 40,000 hours!) and created a resource center that includes unlimited continuous access to all our on-demand video courses, guidebooks, cheat sheets, checklists, and example process flows.
Our monthly membership is designed for individuals who are dedicated to a professional career in the Payment Card Industry. Your membership gives you ongoing access to our PCI Resource Center for as long as you’re a subscriber.