Security Basics mailing list archives

Re: How does a customer get PCI audited?


From: amatachick () gmail com
Date: 3 Jun 2008 19:51:39 -0000

Scott,

I'm actually at a conference right now with Gartner, and just this afternoon they brought up some interesting 
information on this that I wasn't aware of. In the past a company has only been audited if they had a breach. This 
seems to be changing. According to the last survey Gartner had merchants fill out, 8% of merchants received an audit 
from Visa to make sure they were compliant even though they hadn't had a breach. Additionally, an attendee at the 
meeting spoke up to say that Discover had contacted his company to verify compliance as well. It seems that a shift is 
starting in the industry, and credit card companies are becoming more proactive on this.

In the 8% of cases where companies were reviewed without a breach for cause, some fines were incurred from lack of PCI 
compliance. Fees ranged from $10,000 - $25,000 a month, and there was also an increase in the interchange fee.

If you're a level 1 merchant or a service provider you will need to have a Qualified Assessor come out to assess you; 
that is a different thing than a "PCI audit", however. I assume you were not speaking about the assessment.

