March 12, 2026 · 10 min read · pcidss.ae

QSA-Readiness Checklist: Preparing for Your First PCI DSS On-Site Assessment

Complete QSA-readiness checklist for UAE businesses preparing for their first PCI DSS on-site assessment - evidence preparation, scoping, common failures, and timeline planning.

A Qualified Security Assessor (QSA) on-site assessment is the most rigorous form of PCI DSS validation. Required for all Level 1 merchants (more than 6 million card transactions a year with a given brand, or any merchant a card brand designates as Level 1) and Level 1 service providers, it results in a Report on Compliance (ROC) - a detailed document attesting that your organization meets every applicable PCI DSS requirement. For many UAE businesses, the first QSA assessment is also the most difficult, because the gap between self-assessment habits and QSA evidence standards is wider than most teams expect.

This checklist covers every major preparation area so your first on-site assessment runs smoothly and produces a clean ROC.

Before You Engage the QSA

1. Confirm Your Assessment Scope

The single most consequential decision in any PCI DSS assessment is defining the scope correctly. Scope determines which systems, networks, people, and processes the QSA will examine. Get it wrong and you face one of two outcomes. If the scope is too narrow, the QSA will expand it during the assessment, causing delays and potential failures. If it is too broad, you are defending systems that should have been excluded, increasing cost and complexity.

Identify all payment channels. Document every way your organization accepts, processes, stores, or transmits cardholder data - e-commerce, point-of-sale, MOTO (mail order/telephone order), mobile, recurring billing, and card-on-file. Each channel may have different system components in scope.

Map cardholder data flows. For each payment channel, create a data flow diagram showing exactly where cardholder data enters your environment, which systems it passes through, where it is stored (if at all), and where it exits to processors or acquirers. The QSA will request these diagrams - they are not optional.

Identify all system components. List every server, database, application, network device, security appliance, and workstation that stores, processes, or transmits cardholder data - or that is connected to such systems or could affect the security of the CDE. This is your cardholder data environment (CDE). Include cloud-hosted components, virtual machines, containers, and serverless functions.

Document segmentation controls. If you have segmented your CDE from the rest of your network (and you should), document the segmentation method - firewalls, VLANs, access control lists, microsegmentation - and the specific rules that enforce the boundary. The QSA will test segmentation effectiveness, not just existence.

List all third-party service providers. Every payment gateway, hosting provider, managed security service, tokenization vendor, and cloud platform that touches cardholder data is in scope. You need their PCI DSS Attestation of Compliance (AOC) and a clear understanding of the shared responsibility matrix - which PCI DSS requirements they cover and which remain yours.

2. Select Your QSA Company

Not all QSA companies are equal in their UAE and regional experience. Key selection criteria:

Regional experience. Choose a QSA company with experience assessing UAE businesses. They should understand CBUAE regulatory context, UAE acquiring bank requirements, and the specific payment processors and service providers common in this market - Network International, Checkout.com, Telr, PayTabs, and others.

Assessment team availability. Confirm the specific assessors who will conduct your on-site assessment and their availability within your compliance timeline. QSA companies with limited UAE presence may have scheduling constraints.

Scope of services. Some QSA companies offer pre-assessment readiness reviews - a dry run that identifies gaps before the formal assessment begins. For a first-time assessment, a readiness review is strongly recommended. It costs less than failing the formal assessment and having to remediate under time pressure.

Clear fee structure. QSA assessment fees vary significantly. Get a detailed quote that specifies the number of on-site days, remote assessment days, report writing time, and any additional charges for scope changes or re-testing.

3. Establish Your Assessment Timeline

A first-time QSA assessment typically follows this timeline for UAE businesses:

Weeks 1-4: Pre-assessment and gap remediation. Either through a formal readiness review or internal assessment, identify and close remaining gaps before the QSA arrives. This is your last opportunity to fix issues without them appearing as findings in the ROC.

Weeks 5-8: On-site assessment. The QSA conducts interviews, reviews documentation, inspects configurations, observes processes, and tests controls. For a moderately complex environment, expect 5-15 days of on-site assessment activity, potentially spread across multiple visits.

Weeks 9-12: ROC drafting and review. The QSA writes the ROC, you review it for factual accuracy, and the final version, together with the signed Attestation of Compliance (AOC), is submitted to your acquiring bank or the applicable card brand.

Total timeline: 12-16 weeks from assessment kickoff to ROC submission. Plan accordingly relative to your acquiring bank’s compliance deadline.

The Evidence Preparation Checklist

The QSA will request evidence for every applicable PCI DSS requirement. For your first assessment, organizing this evidence in advance - rather than scrambling to produce it during the on-site visit - is the difference between a smooth assessment and a stressful one.

Network and System Architecture (Requirements 1-2)

  • Network diagram showing all connections between the CDE, DMZ, internal networks, wireless networks, and the internet. Include IP ranges, VLAN assignments, and firewall placement.
  • Data flow diagram for every payment channel showing cardholder data movement from entry to storage/transmission.
  • Firewall and router rule sets with documented business justification for every allow rule. The QSA will review these rule by rule.
  • Segmentation test results from your most recent penetration test or segmentation validation, confirming that the CDE boundary is effective.
  • System configuration standards for all in-scope system types - servers, databases, network devices, workstations. These must be documented and baselined, not just applied ad hoc.
  • Hardening evidence showing that unnecessary services, protocols, and accounts have been disabled on all in-scope systems.

Data Protection (Requirement 3)

  • Data retention policy specifying how long cardholder data is stored and the business justification for retention.
  • Evidence of PAN protection - encryption, truncation, or tokenization - for all stored cardholder data. Include encryption algorithm details, key lengths, and key management procedures.
  • Confirmation that sensitive authentication data (full track data, CVV/CVC, PIN data) is not stored after authorization - anywhere, including logs, error handlers, debug output, and temporary files.
  • Encryption key management documentation covering key generation, distribution, storage, rotation, and destruction procedures. PCI DSS v4.0 requires documented cryptographic key management aligned with industry standards.
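A practical way to produce the "not stored anywhere" evidence in the third bullet is to scan log archives, crash dumps and temp directories for PAN and track-data patterns before the QSA does. The block below is an added example written for this checklist, not pcidss.ae code or a tool the page describes: it runs over a constructed sample log, applies a Luhn check so that 16-digit order numbers do not show up as false positives, and masks what it reports so the findings file does not itself become stored PAN. The regular expressions are assumptions about common data shapes, not a complete catalogue of card formats.

```python
"""Scan application logs for stored PAN and sensitive authentication data (SAD).

Added example for this checklist (not code from pcidss.ae). The sample log is
constructed; the patterns are assumptions about common data shapes and are a
starting point for a scan, not a complete inventory of card formats.
"""
import re

# Track 1 (%B + PAN ^ NAME ^ YYMM...) and Track 2 (PAN = YYMM + service code ...).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{7}\d*\b")
# 13-19 digits, optionally space/dash separated; the Luhn check filters most false hits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card verification values written next to a recognisable field name.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\b\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; a 16-digit order ID that fails this is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four so the finding itself does not become stored PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (finding_type, masked_value) pairs for one log line."""
    findings = []
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
        # Blank out track data so its PAN is not reported a second time below.
        line = pattern.sub(f"<{kind}>", line)
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    for m in CVV_RE.finditer(line):
        findings.append(("cvv", re.sub(r"\d", "*", m.group())))
    return findings


def scan_text(text: str) -> list:
    """Scan a whole file body; one record per finding, with its line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, masked in scan_line(line):
            results.append({"line": lineno, "type": kind, "masked": masked})
    return results


# Constructed sample: a 16-digit order ID (false positive), PAN+CVV in debug output,
# a track-2 dump from an error handler, a correctly tokenised line, a track-1 dump.
SAMPLE_LOG = """\
2026-03-02 10:14:07 INFO order=1234567890123456 status=approved
2026-03-02 10:14:09 DEBUG auth request pan=4111111111111111 exp=2812 cvv=123
2026-03-02 10:14:10 ERROR gateway timeout raw=;5555555555554444=28121011234567890?
2026-03-02 10:14:11 INFO token=tok_8f3a21 last4=1111 amount=250.00 AED
2026-03-02 10:14:12 DEBUG track1=%B4111111111111111^DOE/JANE^28121011234?
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f['line']}: {f['type']} {f['masked']}")
```

Keep the scan output with the Requirement 3 evidence, and treat any track-data or CVV hit as an incident to clean up and root-cause before the assessment, not as a finding to schedule: retained SAD after authorization is a failing condition in its own right.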

Transmission Security (Requirement 4)

  • Evidence of strong cryptography on all transmissions of cardholder data over public networks - TLS 1.2 or higher with strong cipher suites, certificate details, and configuration evidence showing that SSL and early TLS are disabled. PCI DSS v4.0 also expects an inventory of the trusted keys and certificates used to protect PAN in transit.
  • Wireless network inventory and security configuration evidence if wireless networks are in or connected to the CDE.

Vulnerability Management (Requirements 5-6)

  • Anti-malware deployment evidence for all in-scope systems commonly affected by malware, including configuration settings and update schedules.
  • Quarterly ASV scan reports from an Approved Scanning Vendor, showing passing results for all four quarters of the assessment period. If any quarter had a failing scan, show the remediation and passing rescan. For an initial assessment, PCI DSS allows the QSA to accept fewer than four quarters if the most recent scan passed, a documented policy requires quarterly scanning, and earlier findings were corrected and confirmed by rescan.
  • Internal vulnerability scan reports showing quarterly authenticated scans, with all high-risk and critical vulnerabilities (as ranked under your Requirement 6 vulnerability ranking process) resolved and confirmed by rescan.
  • Annual penetration test report covering both internal and external testing of the CDE, including segmentation testing if segmentation is used to reduce scope.
  • Change management and secure development documentation if you develop or modify in-scope applications. PCI DSS v4.0 requires documented secure development training, code review processes, and vulnerability testing for custom code.

Access Control (Requirements 7-9)

  • Role-based access control documentation showing that access to the CDE is limited to personnel with a business need. Include role definitions, approved access lists, and the process for granting and revoking access.
  • Unique user ID evidence confirming that every user accessing the CDE has a unique identifier - no shared or group accounts.
  • Multi-factor authentication (MFA) evidence for all remote access originating from outside your network, for all administrative access to in-scope systems, and - under PCI DSS v4.0 - for all non-console access into the CDE by any user, not only administrators.
  • Password and authentication policy meeting PCI DSS v4.0 requirements - minimum 12 characters (or 8 where a system cannot support 12), both numeric and alphabetic characters, no reuse of the last four passwords, and - where a password is the only authentication factor - either a change at least every 90 days or dynamic analysis of the account's security posture.
  • Physical access controls for facilities housing CDE systems - badge access logs, visitor logs, camera recordings, and access authorization records.

Monitoring and Testing (Requirements 10-11)

  • Audit log configuration evidence showing that all in-scope systems generate logs for the event types specified in Requirement 10, with timestamps synchronized across all systems.
  • Log retention evidence confirming at least 12 months of audit log history, with the most recent 3 months immediately available for analysis.
  • Daily log review evidence - whether manual or automated - showing that logs are reviewed for anomalies every day. The QSA will ask how anomalies are investigated and escalated.
  • Intrusion detection or prevention system (IDS/IPS) deployment evidence for CDE network perimeters, with current signature updates and alerting configuration.
  • File integrity monitoring (FIM) evidence for critical system files, configuration files, and content files on in-scope systems, with weekly comparison at minimum.
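For the FIM bullet, the core of the weekly comparison is a hashed baseline of critical files and a diff against it. The block below is an added example for this checklist, not pcidss.ae code or a commercial FIM agent: it builds a SHA-256 baseline of a directory tree, stores it outside the tree, and reports added, removed and modified files. The directory layout and file names in demo() are constructed.

```python
"""File integrity monitoring (FIM) baseline and weekly comparison.

Added example for this checklist, not pcidss.ae code or a product integration.
It hashes a directory tree, stores the baseline, and reports added, removed and
modified files; the directory and file names in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference; an all-empty result is the 'no change' evidence."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Keep the baseline outside the monitored tree (and write-protected from the
    # monitored host); otherwise whoever changes a file can re-baseline it too.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Baseline a constructed tree, then tamper with it and run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        cde = Path(tmp) / "cde"
        (cde / "etc").mkdir(parents=True)
        (cde / "bin").mkdir()
        (cde / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (cde / "etc" / "payment.conf").write_text("gateway=https://example.invalid\n")
        (cde / "bin" / "posd").write_bytes(b"\x7fELF original")
        baseline_path = Path(tmp) / "fim-baseline.json"
        save_baseline(build_baseline(cde), baseline_path)

        # Simulated changes between two weekly runs.
        (cde / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (cde / "bin" / "posd").unlink()                                     # removed
        (cde / "bin" / "posd.bak").write_bytes(b"\x7fELF patched")          # added

        return compare(load_baseline(baseline_path), build_baseline(cde))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the comparison has to be scheduled, its output retained and its alerts routed to someone who acts on them; the QSA will ask for the run history and the handling of a flagged change, not just the script.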

Policies and Procedures (Requirement 12)

  • Information security policy covering all PCI DSS requirements, reviewed annually, and acknowledged by all personnel.
  • Incident response plan that specifically addresses payment card data breaches, with defined roles, communication procedures, and card brand notification requirements.
  • Security awareness training records showing that all personnel with access to the CDE have completed annual security training, including PCI DSS-specific content.
  • Targeted risk analysis documentation. PCI DSS v4.0 replaced the single annual enterprise risk assessment with targeted risk analyses - one for each requirement where the standard leaves the frequency of a control to you, and one for each customized-approach control - each reviewed at least every 12 months. Have them ready, with the threat and impact reasoning behind each chosen frequency.
  • Service provider management evidence - AOCs from all third-party service providers, written agreements acknowledging their PCI DSS responsibilities, and monitoring records.

Common First-Assessment Failures

These are the findings that most frequently derail first-time QSA assessments for UAE businesses:

Incomplete or inaccurate scoping. The QSA discovers systems or data flows that were not included in the initial scope. This triggers scope expansion mid-assessment, requiring additional evidence collection and potentially revealing uncontrolled systems.

Missing or incomplete documentation. Having the technical controls in place but lacking the documented policies, procedures, and standards that PCI DSS requires. Every requirement needs both implementation evidence and documented process.

Inconsistent log review. Organizations that generate logs but cannot demonstrate consistent daily review with documented investigation of anomalies. Automated alerting without documented triage is insufficient.
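What separates "we have alerts" from reviewable evidence is one record per finding with a disposition the reviewer fills in and signs off. The following is an added example written for this checklist, not pcidss.ae code or any SIEM product's rule set: it applies a few simple rules to constructed sshd and sudo lines in syslog style and emits a triage record per finding. The thresholds, the assumed management network 10.0.0.0/8, and the rule names are assumptions to tune for your environment.

```python
"""Daily log review with a triage record per finding.

Added example for this checklist, not code from pcidss.ae or any SIEM product.
The log lines are constructed sshd/sudo messages in syslog style; the thresholds,
management network and rule names are assumptions to be tuned per environment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed admin networks
THRESHOLD = 5                                      # failures that make a burst
WINDOW = timedelta(minutes=10)

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
AUTH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; "
                     r"COMMAND=(?P<cmd>.*)$")


def parse(line: str) -> Optional[dict]:
    """Turn one syslog line into an event dict, or None if it is not of interest."""
    for kind, pattern in (("auth", AUTH_RE), ("sudo", SUDO_RE)):
        m = pattern.match(line)
        if m:
            e = m.groupdict()
            e["kind"] = kind
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year not needed here
            return e
    return None


def in_mgmt_net(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def record(rule: str, severity: str, e: dict, note: str) -> dict:
    """One triage record; 'disposition' is what the reviewer must fill in and sign off."""
    return {"rule": rule, "severity": severity, "host": e["host"], "user": e["user"],
            "src": e.get("src", "-"), "ts": e["ts"].strftime("%H:%M:%S"), "note": note,
            "disposition": "open"}


def review(log_text: str) -> list:
    """Apply the rules in log order and return the day's findings for triage."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    failures = defaultdict(list)   # (host, user, src) -> failure timestamps in window
    burst_fired = set()            # fire the burst rule once per key
    findings = []
    for e in events:
        if e["kind"] == "sudo":
            findings.append(record("privileged-command", "low", e,
                                   f"{e['cmd']} as {e['target']}; match to an approved change"))
            continue
        key = (e["host"], e["user"], e["src"])
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= THRESHOLD and key not in burst_fired:
                burst_fired.add(key)
                findings.append(record("auth-burst", "medium", e,
                                       f"{len(recent)} failures within {WINDOW}"))
        elif len(recent) >= THRESHOLD:
            findings.append(record("success-after-burst", "high", e,
                                   "login succeeded right after a failure burst"))
        failures[key] = recent
        if not in_mgmt_net(e["src"]):
            findings.append(record("foreign-source", "high", e,
                                   "authentication from outside the management networks"))
    return findings


# Constructed sample: a failure burst followed by success, a normal admin session
# with one sudo command, and a guess against 'admin' from a non-management address.
SAMPLE_LOG = "\n".join([
    "Mar 02 01:58:10 cde-db01 sshd[4411]: Failed password for dbadmin from 10.20.30.40 port 51122 ssh2",
    "Mar 02 01:58:12 cde-db01 sshd[4412]: Failed password for dbadmin from 10.20.30.40 port 51123 ssh2",
    "Mar 02 01:58:14 cde-db01 sshd[4413]: Failed password for dbadmin from 10.20.30.40 port 51124 ssh2",
    "Mar 02 01:58:16 cde-db01 sshd[4414]: Failed password for dbadmin from 10.20.30.40 port 51125 ssh2",
    "Mar 02 01:58:18 cde-db01 sshd[4415]: Failed password for dbadmin from 10.20.30.40 port 51126 ssh2",
    "Mar 02 01:59:30 cde-db01 sshd[4419]: Accepted password for dbadmin from 10.20.30.40 port 51131 ssh2",
    "Mar 02 09:12:01 cde-app01 sshd[2201]: Accepted publickey for opsuser from 10.10.5.17 port 40022 ssh2",
    "Mar 02 09:13:45 cde-app01 sudo:  opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/bin/systemctl restart posapp",
    "Mar 02 14:05:09 cde-db01 sshd[5100]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2",
])

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['rule']:20} {f['host']} {f['user']} {f['src']}  {f['note']}")
```

The evidence the QSA wants is the stored record after review: each finding closed as benign with a reason, or escalated with the incident or change ticket it was tied to, plus a dated sign-off showing the review happened every day, including days with zero findings.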

Weak change management. Changes to in-scope systems that bypass the documented change management process, or a change management process that exists on paper but is not consistently followed.

Service provider gaps. Third-party service providers without current AOCs, or without clear responsibility matrices defining which PCI DSS requirements the provider covers versus which remain the assessed entity’s responsibility.

Compensating controls without documentation. PCI DSS allows compensating controls when a requirement cannot be met as stated - but compensating controls require a formal Compensating Control Worksheet documenting the constraint, the objective, the compensating control, and how it mitigates the risk. Claiming a compensating control verbally during the assessment without this documentation is a finding.

Day-of-Assessment Preparation

Designate a single point of contact for the QSA team. This person coordinates interview schedules, evidence requests, and system access. Having a dedicated coordinator reduces assessment friction significantly.

Pre-stage evidence in an organized repository. Create a folder structure mapped to PCI DSS requirements (Requirement 1, Requirement 2, etc.) with all evidence documents labeled clearly. The QSA will request evidence by requirement number.

Brief all interviewees. The QSA will interview system administrators, developers, security personnel, and management. Each interviewee should understand which requirements they are being interviewed about, what evidence they need to demonstrate, and where documentation is located.

Ensure system access is ready. The QSA will need to inspect configurations on firewalls, servers, databases, and other in-scope systems. Have credentials, VPN access, and any required access approvals arranged before the on-site visit begins.

Prepare a clean, private workspace for the QSA team with network access, a whiteboard, and proximity to the personnel they will be interviewing.

Contact pcidss.ae to schedule a QSA-readiness review before your first on-site assessment - we identify gaps, organize your evidence, and ensure your assessment runs smoothly on the first attempt.

Start Your PCI DSS Journey

Book a free 30-minute compliance discovery call with our PCI DSS specialists in Dubai. We assess your current posture and identify the fastest path to compliance - actionable findings in days.