This guide is especially important if you are migrating from a Level 2 to a Level 1 Merchant status.
Level 1 Merchants are required to engage with a Qualified Security Assessor (QSA). If you have not engaged a QSA yet, you can find a list of PCI SSC-approved Qualified Security Assessors here.
You can also ask your own internal security resource to perform an audit. However, if you choose an Internal Security Assessor (ISA) to assess your environment, you must ensure that they complete the PCI SSC ISA training and pass the annual ISA accreditation program.
The assessment process
The QSA performs an initial gap analysis of your PCI DSS compliance status. The analysis shows which controls you already have in place and which still need to be implemented in order to be fully PCI DSS compliant. The QSA then shares feedback and remediation checklist items, which provide detailed insight into what is required.
The QSA performs an onsite assessment to determine the current state of your payment security. The QSA visits your location, conducts multiple interviews, and collects evidence related to your current PCI DSS compliance status. Both the technical and the operational components of the business are evaluated against the PCI DSS.
After the onsite assessment has been completed, your QSA provides initial feedback on your compliance status and the required remediation steps. Your QSA explains the areas of non-compliance, provides guidance on how you can become compliant, and advises on retesting procedures. If corrective actions to address the identified issues are performed, and the affected requirements are reassessed during the assessment, you must document this in Items Noted For Improvement (INFI).
Completing the Report on Compliance (RoC)
Once you meet all the applicable PCI DSS requirements and the audit is complete, your QSA documents your PCI DSS compliance status in a Report on Compliance (RoC). After this document has been reviewed and finalized, your QSA provides an Attestation of Compliance (AoC), which is a summary of the results of the assessment. You should submit the AoC to Adyen.
Because the RoC contains detailed information about the technical infrastructure of your cardholder data environment, you should never share the full RoC with Adyen. Submit only your AoC.