How long should an audit last?
This question pops up every time an organisation sails into the mouth of PCI DSS Harbour, where its QSA is waiting.
The answer is crystal clear: the PCI SSC mandates no assessment timeline.
Organisations are free to draw up their own schedule and milestones with the QSA and, where applicable, their acquirers. This holds for the initial assessment as well as for the recurring annual ones. QSAs typically quote an 8 to 12 week schedule, depending on the complexity of the environment. Minor remediations can usually be accommodated within that window; major findings may send you back to square one.
The main risks of a drawn-out assessment are:
- A change of scope: the assessment is necessarily point-in-time, but if that point in time differs materially from the state of the environment when the AOC is issued, nobody is well served.
- Falling out of compliance: an Attestation of Compliance is valid for one year, so failing to obtain the new AOC before the current one expires leaves the organisation in a non-compliant state.
Getting a PCI DSS Pilot on board
PCI DSS Ship Pilots have extensive experience of PCI DSS waters and, more specifically, of on-site audits. They know how QSAs work and what evidence satisfies them.