Card payment volumes, and eCommerce in particular, have grown to unprecedented levels during the Covid-19 pandemic, as reported in our recent PFI investigations post.
With this surge in eCommerce comes a duty of care to protect both yourself and your customers when taking card payments. You are being trusted with your customers' private and valuable details, and they will want to be assured that you are keeping those details safe and out of the hands of fraudsters.
This is where the Payment Card Industry Data Security Standard, known as the PCI DSS, comes in. This industry-wide set of requirements was established in order to provide support and safety for both customers and companies. If you want to take card payments, you will need to become and remain PCI DSS compliant.
Did you know that IntaForensics are accredited to offer specialist consultancy for mandatory PCI DSS Compliance?
We can also add value to your assessment by offering in-house technical expertise to further improve network and information security across a wide range of sectors, including retail, MOTO (mail order/telephone order), e-commerce organisations and service providers.
All assessments are carried out by a Qualified Security Assessor (QSA), an experienced security professional with a technical and auditing background, who has attained the PCI Qualified Security Assessor certification. A QSA’s role is to assess rather than simply audit. As part of a customer’s PCI Compliance journey, the QSA reviews and samples the environment, including people, processes and systems.
Here we tackle some of the most frequently asked questions about QSAs and PCI DSS compliance.
What are the steps involved in the QSA Assessment process?
Scoping
The initial stage of the process involves:
- Identifying where cardholder data is stored, processed and transmitted within the environment
- Reviewing the use of network segmentation
- Reviewing existing controls that can reduce the scope of the environment to which the PCI DSS requirements apply
Assessment
The second stage of the process includes:
- An on-site assessment of the Cardholder Data Environment (CDE)
- A review of the people, processes and systems that interact with the CDE
Remediation (if required)
This stage of the assessment involves:
- The creation of an initial report, highlighting the remediation required
- A review of the remediation activity and evidence, to bring all PCI DSS requirements into a compliant state
Reporting
The last stage of the QSA assessment includes:
- The creation of a final Report on Compliance (RoC), detailing the company's PCI DSS compliance
- The creation of an Attestation of Compliance (AOC) and any required supporting documentation
If I have outsourced the handling and processing of my customers' card data, surely I don't need to think about PCI DSS compliance?
Unfortunately, this is an all-too-common misconception. Whilst it often makes sense to outsource the handling of your customers' card data to third-party service providers, responsibility for that data does not leave with it: you remain responsible for choosing those providers with care and for confirming that they are compliant for the services you actually use. You are also paying for those services, so it makes sense to monitor the providers to ensure they are doing what they say they do, and that you are getting a good return on your investment.
The PCI DSS includes specific requirements for managing service providers (Requirement 12.8): keeping a list of the providers you use, holding written agreements in which they acknowledge their responsibility for the cardholder data they handle, performing due diligence before engaging them, and checking their compliance status at least annually. In practice that means asking each provider for its current Attestation of Compliance and confirming that the services it covers are the ones you consume. IntaForensics staff can also share their experience and knowledge to further enhance your understanding of what you can do to reduce the risk of data loss.
For instance, browser developer tools and plug-ins can be used to perform a light-touch review of your e-commerce environment: which third-party domains your payment page loads scripts from, and where the card-entry form actually posts its data. You can also request service review meetings to give the third-party service providers a chance to report to you on their performance, and on any other news which may be relevant to your environment.
IntaForensics staff can guide you in all aspects of due diligence to ensure that what you are told you are paying for is what you are getting. Unfortunately, in our experience, this is not always the case. We can help you manage the environment more effectively.
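The light-touch review mentioned above can be scripted. The following is an added example written for this page, not IntaForensics' tooling or a PCI SSC artefact: it parses the HTML of a checkout page, lists every host that scripts are loaded from and every host that forms post to, and flags any host that is not on an allow-list of the providers you expect to see (your own site and your payment service provider). The page URL, host names and HTML are constructed for illustration.

```python
"""Static inventory of the script sources and form targets on a payment page.

Added example, not IntaForensics' tooling: a scripted version of the
'light touch review' described above. It parses the HTML of a checkout page,
records every host that <script> tags load code from and every host that
<form> tags post to, and flags any host not on an allow-list of providers you
expect to be there (your own site and your payment service provider).
The page URL, host names and HTML below are all constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PaymentPageAuditor(HTMLParser):
    """Collect external script hosts and form submission hosts from a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_hosts = set()   # hosts that <script src=...> loads from
        self.form_hosts = set()     # hosts that <form action=...> submits to
        self.inline_scripts = 0     # <script> blocks with no src attribute

    def _host(self, url):
        # Resolve relative URLs against the page so '/static/app.js' is
        # attributed to our own host rather than dropped.
        return urlparse(urljoin(self.page_url, url)).netloc.lower()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_hosts.add(self._host(a["src"]))
            else:
                self.inline_scripts += 1
        elif tag == "form":
            # A form with no action posts back to the page itself.
            self.form_hosts.add(self._host(a.get("action") or self.page_url))


def audit_payment_page(html, page_url, allowed_hosts):
    """Return the hosts seen on the page and which of them were not expected."""
    parser = PaymentPageAuditor(page_url)
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    seen = parser.script_hosts | parser.form_hosts
    return {
        "script_hosts": sorted(parser.script_hosts),
        "form_hosts": sorted(parser.form_hosts),
        "inline_scripts": parser.inline_scripts,
        "unexpected_hosts": sorted(seen - allowed),
    }


# Constructed sample: a checkout page that loads the PSP's hosted-field
# script, our own application script, and a third-party tag nobody approved.
PAGE_URL = "https://shop.example/checkout"
ALLOWED_HOSTS = ["shop.example", "js.payments.example", "secure.payments.example"]
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://js.payments.example/v1/hosted-fields.js"></script>
  <script src="https://cdn.analytics-example.net/tag.js"></script>
  <script>window.checkoutReady = true;</script>
</head><body>
  <form id="card" method="post" action="https://secure.payments.example/submit">
    <input name="pan"><input name="expiry"><input name="cvv">
  </form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_payment_page(SAMPLE_HTML, PAGE_URL, ALLOWED_HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["unexpected_hosts"]:
        print("REVIEW: unexpected hosts on the payment page")
```

Two caveats for anyone using this. It sees only the HTML as served, so scripts injected at runtime by other scripts will not appear, and a page can change after you looked; treat it as a quick spot check alongside the provider's Attestation of Compliance, not as the assessment itself. And if the card-entry form turns out to post to your own host rather than the provider's, card data is passing through your systems, which changes your responsibilities and which Self-Assessment Questionnaire you are eligible for.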
I have been asked by my acquirer to fill in something called a "Self-Assessment Questionnaire" and I don't know what to do. Can you help?
The Self-Assessment Questionnaire, or SAQ, is a set of documents freely available on the PCI SSC website (https://www.pcisecuritystandards.org/).
Each SAQ relates to a specific type of environment and must therefore be chosen carefully to match your situation. The SAQ documents are not concerned with how many card transactions you process, but with the mechanisms and technology used to store, process and/or transmit card data.
This ranges from a fully outsourced environment where your own staff never interact with card data (SAQ A), through to organisations which store, process and transmit card data themselves (SAQ D), with several SAQs covering the situations in between.
Whilst the PCI DSS is relatively mature, it can still be open to misinterpretation. This is where our experienced QSAs can help translate the standard into understandable everyday language, to help you navigate through your compliance journey.
I have been asked what PCI DSS level my organisation is, where do I find that information?
Each card brand defines its own merchant levels and your acquirer will tell you which applies to you; the commonly quoted thresholds are as follows:
Level 1 – over 6 million card transactions per annum
Level 2 – between 1 million and 6 million card transactions per annum
Level 3 – between 20,000 and 1 million card transactions per annum
Level 4 – up to 20,000 card transactions per annum
Level 3 and Level 4 merchants can report their own compliance to their acquirer using the relevant SAQ document(s). Level 2 merchants can also report their own compliance, although Mastercard encourages Level 2 merchants to have a formal QSA-led assessment. Level 1 merchants must undergo a formal on-site assessment, led by a QSA (or, where the card brand permits, a trained Internal Security Assessor), resulting in a Report on Compliance.
IntaForensics provides a comprehensive range of security services designed to prevent, monitor, and respond to security breaches.
We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants can assist with all digital forensic investigations, PCI DSS QSA assessments, PCI DSS PFI investigations, cyber security and incident response.
Quality underpins everything we do, and we are proud to be UKAS accredited to ISO/IEC 17025:2017 and certified to ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015.
To find out more about our services, call 0247 77 17780 to speak with a member of our team or fill in our online contact form.