What many people don't know is that a Qualified Security Assessor (QSA) assessment is integral to the PCI Forensic Investigator (PFI) process. Once a PFI investigation has been completed, the follow-up QSA procedure ensures that the PFI recommendations (or pain points) are actioned, in order to help clients achieve full mandatory Payment Card Industry Data Security Standard (PCI DSS) compliance.
Whilst PCI DSS is not a legal obligation, it is a contractual standard which applies to any merchant that stores, processes and/or transmits cardholder data. Involving a QSA at the outset of any discussion on compliance will ensure you know exactly what to do (and, just as importantly, exactly what not to do).
By implementing the controls within the PCI DSS, your business will benefit from robust measures to drastically reduce the risk of card data compromise and reputational damage. The added benefit from an organisational perspective is a firm understanding of your responsibilities and your environment, to enable you to maintain and manage on-going compliance and embed the processes within your day-to-day operations.
A QSA is an experienced security professional with a technical and auditing background, who has attained the PCI Qualified Security Assessor certification. As part of a customer's PCI compliance journey, the QSA reviews and samples the environment as a whole, including people, processes, and systems.
To ensure that our clients don’t receive any unwelcome surprises, we’ve outlined the post-PFI QSA procedure below.
1. PFI Process and Report Delivery
IntaForensics QSAs will detail the compliance process as early as possible after the merchant has contacted us. This ensures there are no surprises down the line and enables us to be on hand to respond to any client questions.
Once the PFI final report has been delivered, the QSA team will contact the client and agree the scope. That agreed scope is then used to prepare the proposal and schedule the Stage 1 Prioritised Approach Report (PAR) work.
2. Client Contact and QSA Discussions
The QSA will discuss the next steps in detail and suggest performing the Stage 1 work as soon as possible. This will also involve contacting the merchant's acquirer to inform them of the QSA's involvement and to give an initial indication of when the PAR will be submitted. During this call the QSA will walk through the environment with the merchant to identify which areas are non-compliant.
The QSA will also follow up with an email to the merchant to get the Stage 1 proposal prepared and sent out. If the environment is known and is not likely to change, we can then issue both a Stage 1 and a formal assessment (Stage 2) proposal if the client agrees. In the interest of full transparency, the total costs are known from here on.
3. Stage 1 – Prioritised Approach Report (PAR)
This part is performed remotely, although the QSA will need to visit the client location(s) during Stage 2. It can be a good indication of the security culture of the client, and sometimes an opportunity to discuss other areas of interest to the client if required.
A PAR can be used to identify areas which may be hard for the client to reasonably comply with, such as Mail Order/Telephone Order (MOTO). Telephony generally brings the entire network into scope, which means nearly every PCI DSS requirement applies; this remains achievable, but it is time consuming and costly.
The QSA will also identify any possible de-scoping options for the client to reduce the cost/management overhead.
After that, the QSA will confirm with the acquirer which channels they expect the PAR to cover. This is usually every channel under the breached Merchant ID (MID), but sometimes the acquirer will only ask for the channel that was breached, which usually makes that particular compliance report easier and quicker to produce.
However, this leaves the merchant only 'partially' compliant, which means their acquirer may contact them in future to request compliance evidence for the other channels.
4. Stage 2 – Formal Assessment
Now it's time to initiate Stage 2 of the process. The time taken to perform the Stage 2 formal assessment can vary depending on the scope of the environment.
The QSA will work with the merchant to confirm the scope, and once this has been agreed, the QSA will work with our sales team to create the proposal.
The formal assessment involves the QSA working through each applicable PCI DSS requirement and requiring the merchant to demonstrate how they comply with it.
The QSA gathers evidence provided by the merchant to verify compliance, which could include logs, screenshots, emails, documents, photographs and even records of conversations. Essentially it involves providing as much information as possible to demonstrate both that the merchant is compliant and that our QSA has performed the assessment effectively. We are required by the Payment Card Industry Security Standards Council (PCI SSC) to retain this evidence for a period of three years, after which we dispose of it securely.
Once all of the requirements have been evidenced correctly, the QSA will create the Report on Compliance (RoC) and the associated Attestation of Compliance (AoC).
These documents are then put through our rigorous quality assurance process. The AoC is signed by the merchant and the QSA prior to being released to both the merchant and the acquirer.
5. Acquirer Involvement
The acquirer manages risk on the merchant’s behalf and reports the compliance of the merchants it manages to the payment card companies (such as Visa, MasterCard and American Express).
The QSA will keep the acquirer updated at all stages of the work. Any compliance queries must be confirmed with the acquirer. This includes queries such as the merchant level, PAR expectations and anything else the QSA will be required to deliver to the acquirer.
And that completes the process! We are accredited to offer specialist consultancy for mandatory PCI DSS compliance and can also add value by offering in-house technical expertise to further improve network and information security for retail, MOTO, e-commerce organisations and service providers.
IntaForensics provides a comprehensive range of security services designed to prevent, monitor, and respond to security breaches.
We boast a team of over 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI DSS QSA, PCI DSS PFI, Cyber Security and Incident Response.
Quality underpins everything we do, and we are proud to be UKAS accredited to ISO/IEC 17025:2017 and certified to ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015.
To find out more about our services Tel: 0247 77 17780 to speak with a member of our team or fill-in our online contact form.