
Engaging a Qualified Security Assessor

Learn more about complying with PCI DSS with the help of a QSA.

First time Level 1

Consider engaging a QSA if you are moving from Level 2 to Level 1 PCI compliance status, because a Level 1 assessment is the first one that must be performed by a qualified assessor.

If your PCI compliance level is Level 1, the compliance assessment must be performed either by an external Qualified Security Assessor (QSA) or by your own Internal Security Assessor (ISA).

If you choose to use an internal security resource, you must ensure that they complete the PCI SSC ISA training and maintain their qualification through the annual ISA requalification.

If you choose to use a QSA and have not engaged one yet, refer to the list of PCI SSC-approved Qualified Security Assessors published by the PCI SSC.

Assessment process by a QSA

  1. Gap analysis

    The QSA performs an initial gap analysis of your PCI DSS compliance status. The analysis shows which controls you already have in place and which still need to be implemented to be fully PCI DSS compliant. The QSA then provides feedback and a remediation checklist that details what is required for each gap.

  2. On-site assessment

    The QSA performs an on-site assessment to determine the current state of your payment security. The QSA visits your location, conducts interviews with staff, and collects evidence related to your current PCI DSS compliance status. Both the technical and the operational components of the business are evaluated against the PCI DSS requirements.

  3. Remediation assistance

    After the on-site assessment has been completed, your QSA provides initial feedback on your compliance status and the required remediation steps. Your QSA explains the areas of non-compliance, provides guidance on how you can become compliant, and advises on retesting procedures. If corrective actions to address the identified issues are performed and the affected requirements are reassessed and found to be in place before the assessment concludes, this must be documented in the Items Noted for Improvement (INFI) worksheet.

  4. Completing the Report on Compliance (ROC)

    When you meet all applicable PCI DSS requirements and the assessment is complete, your QSA documents your PCI DSS compliance status in a Report on Compliance (ROC). After this document has been reviewed and finalized, your QSA provides an Attestation of Compliance (AOC), which is a summary of the results of the assessment. You should submit the AOC to Adyen.

    Because the ROC contains detailed information about the technical infrastructure of your cardholder data environment, you should never share the full ROC with Adyen. Submit only your AOC.
