PCI-DSS ROC Audits
A Report On Compliance (ROC) audit for PCI-DSS compliance
FRSecure performs a full array of information security assessments and audits including FISMA, ISO Certification, NERC/FERC, FDA, SEC, FINRA, SOX, and more. If you’re looking for an assessment, we’ve likely done it before, and are happy to discuss your needs with you. Call us today.
What is a PCI-DSS ROC Audit?
A PCI-DSS Report On Compliance (ROC) audit is a formal assessment of the controls that protect cardholder data throughout its collection, storage, transmission, and destruction. It is required of Level 1 PCI merchants and must be performed by a PCI Qualified Security Assessor (QSA).
FRSecure is a certified PCI QSA company, authorized to perform ROC audits.
Why would I want one?
If you are a Level 1 merchant, a ROC audit is required. If you are not Level 1 but still have PCI compliance needs, FRSecure can still help, but you probably do not need a ROC audit (merchants below Level 1 typically validate with a Self-Assessment Questionnaire instead), although there may be business reasons to get one anyway.
If you are not sure whether you need a ROC audit, spend a couple of minutes on the phone with our team and we will help you determine your PCI compliance needs. Recommending a ROC audit where it is not appropriate is improper and against QSA rules, so you can rest assured we will not try to sell you a ROC if it is not what you need.
What makes FRSecure different?
Not all QSA auditors are created equal. Anyone who’s experienced an audit will tell you that some auditors are there to be helpful, and some seem to want to cause extra work for no valid reason. At FRSecure, our QSA auditors (and all of our security experts) strive to be a resource of security knowledge for you. If a risk is significant, we will show you why that is. If it is not, we will not try to convince you otherwise. Our transparent, helpful approach to all of our projects is consistently appreciated by our clients.
What are the deliverables I should expect?
Deliverables for a ROC audit are:
PCI Report on Compliance
- Contact Information and Report Date
- Executive Summary
  - Business description
  - Service provider, transaction processing support, and other third-party relationships that include access to cardholder data
  - POS products in use
  - Client's status regarding direct connections to any card brand's network
  - Relationships with wholly owned or international entities with PCI compliance requirements
  - Wireless connectivity to the cardholder environment
- Scope and Approach
  - PCI version in use
  - Assessment timeframe
  - Technical background information summarizing the technical environment that was assessed
  - Any network areas precluded from the audit
  - List of interviewees
  - List of documentation reviewed
  - Brief description and/or high-level diagram of network topology and controls
- Summary of Quarterly Scan Results
- Findings and Observations
  - Existence or absence of each control prescribed in the Data Security Standard, documented using the PCI-provided template
  - Adequacy of any compensating controls, documented as necessary
- Appendix: Supporting Details. All raw data used in generating the report is provided on an accompanying encrypted flash drive, made available after the Client has accepted the report.
What does a PCI-DSS ROC Audit cost?
There is a lot of variance in ROC pricing. Some QSAs on the low end pump out these audits using inexperienced auditors; others sit at the very high end. FRSecure tends to be in the middle. Done adequately, a ROC audit takes a significant amount of time, and a lot of required documentation goes into the deliverables. These are not inexpensive audits, but they are critical both to maintaining PCI compliance and to ensuring that cardholder data is appropriately protected.