What is it?
A PCI ROC Level 1 Assessment is a formal, in-depth compliance audit required for large businesses (those processing over 6 million card transactions annually) under the Payment Card Industry Data Security Standard (PCI DSS).
It results in a Report on Compliance (ROC), completed and signed off by a QSA (Qualified Security Assessor), and is necessary to demonstrate and prove secure handling of payment card data.
The assessment covers all active payment channels and may also include supporting an organisation’s third-party service providers to complete their obligations.
Features
All new engagements include an initial scope review to confirm in-scope payment channels.
We can conduct most assessments remotely, apart from reviewing physical access controls where a remote engagement may be challenging.
We are licensed to operate in EMEA but can work with partners to cover other regions if required.
Benefits
We can provide dry run assessments before a formal assessment is conducted to establish the level of preparedness. This prepares internal teams for the assessment process and validates control implementation before a full formal assessment.
The assessments can be completed by multiple QSAs to cover multi-site environments or accelerate delivery to meet deadlines.
An initial scope review will often identify de-scoping opportunities that reduce the compliance burden for the client.
Reporting
We provide several formal reporting elements:
- Prioritised Approach Report – If an initial scoping review is requested, a gap analysis report will be provided for review prior to commencing the final assessment.
- Report on Compliance – Documenting all applicable controls reviewed and all assessment activities that have been conducted.
- Attestation of Compliance – This is a signed document that can be provided as evidence of your current compliance status. If requested, multiple Attestations of Compliance (AoCs) can be provided for separate payment channels.
The PCI requirement
Businesses with over six million total annual transactions across all payment channels are required to complete a QSA-led assessment. To support the process, an onsite or remote assessment will be completed to review the applicable requirements.
There are some instances, such as the physical security review of a data centre, where an onsite review may be required.
Typical payment channels:
- E-commerce – Websites with a payment function that is either hosted by the customer or redirected to a payment processor.
- MOTO – Mail Order / Telephone Order. Card transactions where the cardholder is not physically present, making them “card-not-present” transactions.
- Customer present – Retail environments, where the customer will provide their card and operate a card machine.