Most companies meet PCI DSS through a self-assessment questionnaire. You answer the questions, sign the form, and file it. A Level 1 Report on Compliance operates differently. A Qualified Security Assessor comes to you, examines evidence, interviews your staff, and writes a report their own professional standing depends on.
We led one end to end, from the first scoping call to the signed ROC, and the environment has re-attested every year since. This is what the process looks like from inside.
Scope decides everything
The cardholder data environment defines the audit's boundaries. Every system that stores, processes, or transmits card data falls in scope, along with everything connected to it. The most valuable early work is shrinking that scope through network segmentation and by questioning why each system touches card data at all. Every server removed from scope is a server the QSA never asks about, and scope decisions made in month one determine the size of everything that follows.
Evidence beats intentions
The assessor does not want to hear that patching happens regularly. They want the patch records, the scan reports, and the change tickets, sampled across the whole audit period. We built evidence collection into normal operations so the proof existed before anyone asked for it. Handled this way, the audit becomes a review of your records. Handled the other way, it becomes archaeology.
Remediation runs long
After the gap assessment, a list appears: firewall rules to justify, encryption to upgrade, logging to centralize, access to revoke. Budget months for this phase, and expect the items to interlock. A fix in one area often exposes a gap in another. The teams that struggle most are the ones who scheduled remediation as a two-week sprint.
The QSA is a person
Assessors respond to straight answers and organized evidence the way anyone would. We sat in every interview, answered directly, and raised weak spots before the assessor found them independently. Credibility established early makes the difficult conversations later far more productive. An assessor who catches an evasion will, reasonably, audit everything else more closely.
After the signature
The ROC covers a year, and the next one arrives on schedule. Controls that exist only during audit season decay visibly, and assessors recognize the pattern immediately. The controls we built run as part of daily operations, which is why annual re-attestation has held without drama.
For anyone with an assessment on the calendar, the useful time to talk is before the QSA arrives. We know what they will ask, because we have answered it.