Hi, has anyone had any experience of an audit being performed where they work yet? How deep does it go in terms of other areas of your business.. like for example licensing of software.. is that checked? If i'm 1 CAL short on windows server will it be noticed and frowned upon.. or are they just there to check your PCI compliance?

;) Just PCI DSS compliance. No need to worry about anything else as it is completely out of scope and the QSAs don't want the aggravation of having to check any more than they already have.

Well sometimes when you dont have license you are not able to receive patches which will make you incompliant for example with req 6 and patch management.

So it could be interesting to have a look at that even though it is not stated anything about licenses in PCI DSS.