PCI DSS Audit in the UAE: Gap Assessment to RoC Checklist
PCI DSS audit checklist for UAE businesses: the 6 phases from scope and gap assessment through QSA assessment to Report on Compliance, with timelines and costs.
A PCI DSS audit runs through six phases: scope definition, gap assessment, remediation, evidence collection, the QSA on-site assessment (or SAQ self-validation), and Report on Compliance submission - followed by annual maintenance. For a prepared UAE organization the full cycle takes 3-6 months; with material gaps in the cardholder data environment it stretches to 6-12 months. This guide is the end-to-end checklist for that journey, framed against PCI DSS v4.0.1, the only version mandatory from 2026 onward.
That last point matters more than most teams realize. With v3.2.1 retired and all of the future-dated v4.0 requirements now in force, any first audit you run in 2026 faces the complete v4.0.1 control set - including the new client-side script requirements and the targeted-risk-analysis approach to flexible controls. If your last reference point was a v3.2.1 assessment, the evidence bar has moved.
This is the audit-process checklist. If you are earlier in the journey and still working out whether you even need to validate, start with our PCI DSS certification complete guide. If you are weighing who runs the audit, see how to hire a PCI DSS auditor in the UAE. This page is about the process itself - getting from a standing start to a clean RoC.
The PCI DSS Audit Lifecycle in the UAE: 6 Phases
Here is the framework worth screenshotting. The whole audit, regardless of merchant level, follows the same path:
Scoping -> Gap Assessment -> Remediation -> Evidence Collection -> QSA On-Site / SAQ Validation -> RoC or AOC Submission -> Annual Maintenance
Where you exit depends on your validation path. SAQ-path merchants - typically Levels 2 through 4 - run through scoping, gap assessment, remediation, and evidence collection, then self-validate with the relevant Self-Assessment Questionnaire and submit an Attestation of Compliance to their acquiring bank. There is no external assessor signing the result.
Level 1 organizations and most service providers continue to a full QSA audit. A Qualified Security Assessor performs an on-site (or remote-equivalent) assessment, tests every applicable control, and produces a Report on Compliance (RoC) - a detailed document, often hundreds of pages, that the card brands and your acquirer accept as formal proof.
Realistic UAE timelines:
| Starting point | Time to clean RoC / AOC |
|---|---|
| Prepared org (clean scope, gap assessment done, evidence organized) | 3-6 months |
| Material gaps in the CDE | 6-12 months |
| QSA on-site window itself (within the above) | 3-6 weeks |
Who signs off also differs by path. For the SAQ path, your acquiring bank accepts the AOC. For the RoC path, the QSA attests and the report goes to your acquirer and, where required, the card brands. UAE organizations that fall under CBUAE licensing - payment service providers, stored-value facility operators, and similar - frequently carry additional regulatory reporting obligations on top of the card-brand requirement, so confirm both tracks early.
One practical note on sequencing: the six phases are mostly linear, but scoping and the gap assessment are tightly coupled and worth iterating together. You will often find, midway through the gap assessment, that a system you assumed was out of scope is actually connected to the CDE - which sends you back to redraw the boundary. Better to discover that in phases 1-2 than during the QSA window, when a scope change can mean re-testing controls you thought you were done with. Treat the first two phases as a single loop you run until the boundary stops moving.
Step 1-2: Scope Definition and Gap Assessment Checklist
Scope is where audits are won or lost. Every system in scope is a system you have to secure, document, and prove - so the first job is to define the cardholder data environment (CDE) accurately, then make it as small as honestly possible.
Scope definition checklist:
- Identify every system, network segment, person, and process that stores, processes, or transmits cardholder data
- Map every connected-to or security-impacting system - these are in scope even if they never touch card data directly
- Produce a current data-flow diagram tracing card data from capture (web, POS, call centre, IVR) through processing to storage and transmission
- Produce a current network diagram showing the CDE boundary and every segmentation control
- Validate segmentation - if you claim a segment is out of scope, you must be able to prove the boundary holds (and a QSA will test it)
Tightening segmentation before the clock starts is the single highest-leverage move available. Pulling a workload out of the CDE removes it from every one of the 12 requirements at once.
Gap assessment checklist - the 12 PCI DSS v4.0.1 requirements:
A gap assessment compares your real state, requirement by requirement, against what “compliant” evidence actually looks like. Work through all 12:
| # | Requirement | What compliant evidence looks like |
|---|---|---|
| 1 | Install and maintain network security controls | Documented, reviewed firewall/router rulesets; justified open ports |
| 2 | Apply secure configurations to all components | Configuration standards per system type; no vendor defaults in use |
| 3 | Protect stored account data | Data-retention policy enforced; strong cryptography; key management records |
| 4 | Protect cardholder data with strong cryptography in transit | TLS configs; inventory of transmission channels and certificates |
| 5 | Protect systems from malicious software | Anti-malware deployed and current; periodic evaluations |
| 6 | Develop and maintain secure systems and software | Patch SLAs met; secure SDLC evidence; payment-page script inventory (6.4.3) |
| 7 | Restrict access by business need to know | Documented access matrix; least-privilege enforcement |
| 8 | Identify users and authenticate access | MFA on CDE and admin access; unique IDs; password policy evidence |
| 9 | Restrict physical access to cardholder data | Facility access logs; media handling and destruction records |
| 10 | Log and monitor all access | Centralized logging/SIEM; daily review evidence; 12-month retention |
| 11 | Test security of systems and networks regularly | Quarterly ASV scans; annual pen test; tamper-detection alerts (11.6.1) |
| 12 | Support information security with policies and programs | Current policies; targeted risk analyses; awareness training records |
Common UAE scope-creep traps:
- Legacy integrations - an old reporting tool or batch job quietly pulling full PANs from a database
- Call centres taking card-not-present payments - agents, phone systems, and recordings all enter scope
- Shared service environments - one CDE host on a hypervisor can drag the whole cluster into scope without strict segmentation
- Forgotten storage - card data in support tickets, email attachments, spreadsheets, or backups
The output of phase 2 is a clear, ranked list of gaps. That single document is what cuts your timeline most - see the cost section below for the numbers.
Step 3-4: Remediation and Evidence Collection
With gaps identified, the discipline in phase 3 is triage. Not every gap is equal.
Remediation prioritization:
- Blocking gaps - controls that are absent or failing and that the QSA cannot sign off without. These get fixed before the assessment, full stop.
- Documentation gaps - the control exists but is not written down or evidenced. Cheaper to close, but the QSA still needs the artifact.
- Risk-acceptable items - lower-severity gaps you can carry with a documented, time-bound remediation plan. Under v4.0.1’s flexible approach, a targeted risk analysis is the mechanism for justifying how and how often certain controls are performed - it is not a way to skip a requirement.
A quick caution: a documented remediation plan is not the same as compliance. The control still has to be in place and evidenced before sign-off.
Evidence pack the QSA expects:
This is where first-timers get surprised. Self-assessment habits - a screenshot here, an “it’s configured, trust me” there - do not survive contact with a QSA. Evidence has to be specific, dated, attributable, and reproducible.
- Network and data-flow diagrams (current, version-controlled)
- Firewall and router rule reviews with business justification (Req 1)
- System configuration standards and hardening evidence (Req 2)
- Encryption and key-management documentation (Req 3-4)
- Anti-malware status and patch/SLA evidence (Req 5-6)
- Access reviews and MFA/authentication proof (Req 7-8)
- Physical access and media handling logs (Req 9)
- Log samples and SIEM review records, 12-month retention (Req 10)
- ASV scan reports (passing, quarterly) and penetration test results with remediation evidence (Req 11)
- Security policies, procedures, and awareness training records (Req 12)
New v4.0.1 evidence to prepare specifically:
- Targeted risk analyses documenting the frequency and rationale for flexible controls (Req 12.3.1)
- Payment-page script inventory and authorization - every script on payment pages inventoried, justified, and integrity-checked (Req 6.4.3)
- Tamper-detection and change-detection alerting on payment pages to catch client-side skimming (Req 11.6.1)
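One way to produce the Req 6.4.3 inventory and Req 11.6.1 change-detection evidence listed above, as an added Python example that is not from the page or any vendor's tooling: it assumes you already have the payment page HTML as served to the browser, hashes each script on it, compares it with a constructed authorized inventory (script identifiers, justifications and approved values are all made up for the example), and reports unauthorized, unpinned, changed and missing scripts.

```python
"""Added example (not from the page): script inventory and change detection for a
payment page, the evidence behind PCI DSS v4.0.1 Req 6.4.3 and 11.6.1."""
import hashlib
from html.parser import HTMLParser
# Constructed authorized inventory: identifier -> justification + approved value
# (SRI attribute for external scripts, id + body SHA-256 for inline scripts).
AUTHORIZED = {
    "https://cdn.psp.example/checkout.js": {
        "why": "PSP-hosted checkout loader", "expected": "sha384-CONSTRUCTED_SRI"},
    "consent-banner": {
        "why": "Cookie consent; never reads the card form",
        "expected": hashlib.sha256(b"window.consentShown = true;").hexdigest()},
}
# Constructed page capture: the two authorized scripts plus one unauthorized inline one.
SAMPLE_PAGE = """<script src="https://cdn.psp.example/checkout.js" integrity="sha384-CONSTRUCTED_SRI"></script>
<script id="consent-banner">window.consentShown = true;</script>
<script>document.body.dataset.injected = "1";</script>"""

class _Scripts(HTMLParser):
    """Collect src, integrity, id and inline body of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.found, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "sri": a.get("integrity"), "id": a.get("id"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.found.append(self._cur)
            self._cur = None

def audit_scripts(html, inventory=AUTHORIZED):
    """Return (severity, identifier, message) findings for one page capture."""
    p = _Scripts(); p.feed(html)
    findings, seen = [], set()
    for s in p.found:
        if s["src"]:                                  # external: compare the SRI pin
            ident, observed = s["src"], s["sri"]
        else:                                         # inline: compare the body hash
            observed = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            ident = s["id"] or "inline:" + observed[:12]
        seen.add(ident)
        entry = inventory.get(ident)
        if entry is None:
            findings.append(("HIGH", ident, "not in authorized inventory"))
        elif not observed:
            findings.append(("MEDIUM", ident, "external script has no SRI pin"))
        elif observed != entry["expected"]:
            findings.append(("HIGH", ident, "changed since approval"))
    for ident in inventory.keys() - seen:
        findings.append(("LOW", ident, "authorized script absent from page"))
    return findings
```

Run it on each scheduled capture of the live payment page and keep the dated output with the inventory; the "why" column is the justification a QSA asks for, and any HIGH finding is the alert 11.6.1 expects to be raised and followed up.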
The evidence-quality gap is the most common reason a “ready” organization slips. If your team has only ever done SAQs, budget time for the jump from self-assessment proof to QSA-grade proof. The difference is concrete: a self-assessment might note “MFA is enabled for admins,” while a QSA wants a dated export listing every admin account, its MFA status, the enforcement policy, and a sample of the control operating - reproducible on request. A screenshot from six months ago does not clear that bar. Each requirement needs a named owner, a current artifact, and a way for the assessor to confirm the control is live, not just configured once. A PCI DSS gap analysis and a QSA-led readiness review exist precisely to surface that gap before the real assessor does.
Step 5-6: The QSA On-Site Assessment and RoC Submission
The QSA assessment window is typically 3-6 weeks. Despite the “on-site” label, much of it is now hybrid - document review and interviews remotely, targeted on-site observation where the standard requires it.
What happens during the assessment:
- Interviews - the QSA talks to control owners across engineering, security, ops, and HR to confirm that documented processes match reality
- Observation - watching controls operate live (a deployment, an access grant, a log review)
- Sampling - selecting a representative subset of systems and records rather than examining everything
- Evidence walkthroughs - mapping each requirement to the artifacts in your evidence pack
When the QSA finds an issue, there is usually a remediation-during-assessment loop: minor gaps surfaced mid-assessment can often be fixed and re-evidenced inside the window without restarting. Structural gaps may push the timeline, which is exactly why the gap assessment in phase 2 earns its keep.
RoC vs AOC - what gets produced:
| | Report on Compliance (RoC) | Attestation of Compliance (AOC) |
|---|---|---|
| Who produces it | QSA | The organization (self-assessment) or QSA |
| Form | Detailed report across all requirements | Summary attestation form |
| Typical path | Level 1, most service providers | Level 2-4 via SAQ |
| Who receives it | Acquiring bank, card brands | Acquiring bank |
A summary AOC accompanies the full RoC and is the document usually shared with acquirers and partners. UAE organizations under CBUAE oversight may need to report compliance status as part of their licensing obligations - factor that reporting line into your submission plan.
Annual recertification: PCI DSS is not a one-and-done. Validation is annual, with quarterly ASV scans throughout. The good news is that year two is materially faster: scope is already defined, evidence pipelines exist, and the team knows the drill. Organizations that treat compliance as continuous - automating evidence collection, keeping diagrams current, running internal reviews - spend far less each cycle than those who scramble annually. That is also the strongest argument for a structured remediation plan that builds repeatable processes rather than one-off fixes.
PCI DSS Audit Cost and Timeline in the UAE (2026)
Costs vary widely with scope, environment complexity, and validation path. Indicative bands for UAE engagements:
| Path / add-on | Indicative cost band |
|---|---|
| SAQ support (guided self-assessment) | Lower band - advisory and review |
| Level 2-3 assisted assessment | Mid band - assisted validation |
| Level 1 QSA-led RoC | Upper band - full assessment |
| Segmentation penetration testing | Add-on |
| Application / network penetration testing (Req 11) | Add-on |
| Quarterly ASV scans | Recurring add-on |
Treat those as relative tiers, not quotes - the only accurate number comes from a scoped review of your environment.
Here is the claim worth remembering: organizations that complete a gap assessment before engaging a QSA typically cut total audit timeline by 30-40% versus going straight to the formal assessment. The mechanism is simple. Going in blind means gaps surface during the QSA window, when remediation is slowest and most expensive - re-testing, fresh ASV scans, and re-interviews all reset the clock. Finding those same gaps in a low-pressure gap assessment lets you fix them in parallel, before the assessor arrives.
Internal vs QSA-led: You can self-assess when your merchant level and acquirer permit an SAQ path - generally Levels 2-4, subject to your bank’s rules. A QSA audit is mandatory for Level 1 merchants and most service providers, and many UAE acquiring banks require QSA involvement for Level 2 as well. When in doubt, confirm your level and required validation type with your acquiring bank before committing to a path.
For more on the SAQ side of that decision, our SAQ types explained guide breaks down which questionnaire maps to which payment setup, and the QSA readiness checklist covers the assessment day itself in depth.
The fast path: start with scope and gaps
The pattern across every successful UAE audit we have supported is the same: the organizations that finish fastest and cheapest are the ones that nailed scope and ran a real gap assessment before the QSA ever showed up. Everything downstream - remediation, evidence, the assessment window, the RoC - is faster and calmer when phase 1 and 2 are done well.
Book a free 30-minute PCI DSS audit-readiness call. We run a rapid scope and gap review and give you a phase-by-phase plan to a clean RoC. Get in touch and we will map your CDE, flag the gaps most likely to bite, and tell you honestly which validation path fits your business.
Frequently Asked Questions
What are the steps in a PCI DSS audit?
A PCI DSS audit runs through six phases: (1) scope definition - mapping the cardholder data environment and reducing it through segmentation; (2) gap assessment against all 12 PCI DSS v4.0.1 requirements; (3) remediation of the gaps that block compliance; (4) evidence collection - assembling network diagrams, scan reports, pen test results, access reviews, logs, and policies; (5) the QSA on-site assessment or SAQ self-validation; and (6) Report on Compliance (RoC) or Attestation of Compliance (AOC) submission, followed by annual maintenance. For a prepared organization the full cycle takes 3-6 months.
How long does a PCI DSS audit take in the UAE?
For a UAE organization that comes in prepared - clean scope, a completed gap assessment, and evidence already organized - the full cycle runs 3-6 months. Organizations with material gaps in their cardholder data environment typically take 6-12 months because remediation, re-testing, and a fresh round of ASV scans extend the timeline. The QSA on-site assessment window itself is usually only 3-6 weeks; the bulk of the calendar is preparation.
What evidence do you need for a PCI DSS audit?
A QSA expects: network and data-flow diagrams, firewall and router rule reviews (Req 1), system configuration standards (Req 2), encryption and key-management records (Req 3-4), anti-malware and patch evidence (Req 5-6), access-control and authentication reviews (Req 7-8), physical-access logs (Req 9), log and SIEM samples (Req 10), ASV scan reports and penetration test results (Req 11), and security policies and procedures (Req 12). PCI DSS v4.0.1 adds targeted risk analyses, a payment-page script inventory (Req 6.4.3), and tamper-detection alerting evidence (Req 11.6.1).
What is the difference between a gap assessment and a PCI DSS audit?
A gap assessment is an informal, internal-facing review that compares your current state against the PCI DSS requirements to find what is missing - there is no pass or fail and no formal report goes to your bank or the card brands. A PCI DSS audit (the formal assessment) is the validation a QSA performs to produce a Report on Compliance, or that you complete via a Self-Assessment Questionnaire, that your acquirer and the card brands accept as proof. The gap assessment is the preparation; the audit is the graded exam.
Who needs a QSA audit vs an SAQ in the UAE?
Level 1 merchants (broadly, those processing over 6 million card transactions a year, or any merchant the card brands designate) and most service providers require a QSA-led audit producing a Report on Compliance. Level 2-4 merchants can usually self-validate with the appropriate Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance, though acquiring banks in the UAE often require an on-site QSA review for Level 2. Your acquiring bank sets the final requirement, so confirm your level and validation path with them before scoping.
Start Your PCI DSS Journey
Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance - actionable findings in days.