When am I required to be PCI certified? We have a small web company online and are not sure of the law. We do about $1 million online.
A PCI audit is carried out to ensure your business is up to standards in data security. As a merchant that processes transactions, it is good practice to carry out such audits on a regular basis. PCI stipulates that all Level 1 merchants (those who process more than six million credit card transactions per year) must do a yearly on-site audit of their security systems and procedures. The assessment may be conducted by internal staff (and must include a signoff from a C-level officer) or by a third party. Organizations categorized below Level 1 aren't required to do an audit, but some hire an outside auditor to verify PCI compliance anyway.
Whether or not you are required by law, I would look at performing the audit anyway. Check out this link for self-assessment: https://www.pcisecuritystandards.org/saq/index.shtml. I would also look into using this as a good excuse to take a SANS course. They have lots of classes concerning this, from pen testing to auditing.