2-sec have strong experience of PCI DSS and have available some of the top QSA consultants globally, some of whom were among the very first to be certified back in 2004. We were set up and founded by experienced senior consultants who have previously worked for blue chip consulting firms. We have been working with PCI DSS since it was introduced as version 1.0 in 2004, and before that with the Visa AIS and MasterCard SDP programs that preceded it, and have helped hundreds of clients with PCI DSS requirements. Our approach is very much to step back, understand the scope, eradicate insecure business processes, remove unnecessary card data and apply PCI DSS to the smallest scope possible. It is simply not appropriate to apply PCI DSS to a whole organisation: it is a very specific data security standard designed to protect one thing, card data, and every system that is kept out of contact with that data is a system the standard need not be applied to.
What to look for in a PCI DSS QSA?
There is a low barrier to entry for a security company to become a certified QSA Company. As long as a reasonable amount of security experience can be documented and an annual fee paid, the resulting PCI DSS QSA examinations are trivial to pass. This unfortunately leads to a market that is awash with inexperienced auditors, who have made some very expensive decisions on behalf of merchants who have had to demonstrate validation against the standard. We would recommend you consider the following points prior to engaging a QSA:
- Insist on a named auditor that you can verify.
- Check the auditor's credentials: do they have at least 5 years' experience working with companies such as yours?
- Validate the company on the PCI Security Standards Council website, which lists the QSA Companies currently in good standing.
- Check that the consultant has actually performed a PCI DSS audit before, and ask how many audits they have previously completed.
- Get written references from the QSA’s previous customers. Not just for the QSA Company, but for the actual auditor you will be using.
- Interview your auditor prior to the engagement starting and ensure they understand your technology, infrastructure and business.
- Make sure you have selected the correct scope, validation and compliance route prior to the audit. Audits are expensive to repeat!
- Insist that the audit is completed within a set amount of time and at an agreed job rate. The QSA should know how to structure an audit to save you time, and an "open day rate" is inadvisable for audit work, as it may indicate that the QSA does not have a structured methodology.
- Keep your Audit, Advisory and Penetration Testers separate. These should never be the same people and preferably not the same company, as combining them is a breeding ground for conflicts of interest: an assessor should not be validating controls they designed, and a penetration tester should not be testing an environment they helped to build.
- Rotate your Auditors and Penetration Testers. They might become complacent if given the same piece of business year on year, and a different auditor will bring a different perspective and opinion on how you may be able to improve payment operations.
- Don’t make a decision solely on cost. An experienced QSA will perhaps cost more to start with, but will save you money in the long run by assisting with any payment re-architecture and improvement of business processes.
The PCI SSC are making clear efforts to clean up the market and remove inexperienced QSAs from the program, along with those that have made continual errors and failed quality checks, but they cannot vet everybody and it is essential that you perform due diligence prior to engagement, as it is doubtful that anyone else has.
PCI DSS QSA Compliance Services
PCI DSS QSA Scope Review
The aim of the PCI DSS QSA Scope Review is to ensure that the correct PCI DSS audit scope has been chosen in relation to the storage, processing and transmission of cardholder data within your infrastructure. Accurate scoping is essential, so that all systems that store, process or transmit cardholder data are identified, along with any systems and third parties that connect to them, or that could have an impact on the security of the cardholder data environment. Where network segmentation is relied upon to reduce scope, the review also confirms that the segmentation is in place and that its effectiveness will be verified by penetration testing, as an unverified segmentation boundary brings the "out of scope" systems straight back into scope.
The review is consultant-led and requires key personnel from the network, server, desktop, application and security teams. It consists of an onsite workshop and offsite report writing in a PCI DSS-compatible format.
PCI DSS QSA Gap Analysis
A PCI DSS QSA Gap Analysis determines the current level of compliance and the specific steps required to achieve PCI DSS compliance before performing the formal assessment. 2-sec have a proven methodology that reduces the time and effort taken to perform a Gap Analysis, whilst producing a high quality result.
The Gap Analysis includes interviews, a review of network and server configuration, an understanding of current policies and procedures, and recommendations with respect to obtaining PCI DSS compliance. An in-depth analysis of physical and logical data flows is performed, so that you gain a full understanding of every business instance where PCI DSS applies, and of how to protect or remove data from those instances to limit the scope and impact of PCI DSS.
We don't focus on quick, easy wins, as these generally do not improve security posture and can present a skewed compliance score. We tell you how it is. We would anticipate a 40-50% compliance score at this stage, and an aggressive work programme may be required if compliance deadlines need to be met. Note that this score is a progress measure only: PCI DSS itself is pass or fail, and every applicable requirement must be in place before a compliant Report on Compliance can be issued. Benefits include:
- Independent assessment of risks and vulnerabilities in your current environment
- Objective and vendor-neutral reporting
- Use of the 2-sec methodology, which will minimize impact on your resource
- Presentation of findings using 2-sec’s Prioritized Approach, to enable you to tackle high/medium risks first
- Compliance Management software is available to streamline the analysis where it offers a clear, early benefit
PCI DSS QSA Audit
The formal PCI DSS assessment against the full standard produces the Report on Compliance (RoC) and its accompanying Attestation of Compliance (AoC). These are the documents used to demonstrate compliance to third parties, business partners, clients and of course the card schemes, and they are required if a listing on a card scheme website such as Visa Europe's is wanted.
Following a PCI DSS Gap Analysis and remediation efforts, your company should be well prepared for the final audit and we generally anticipate a 90-95% score, at which point we can put the audit on hold until the final few controls are resolved. A compliant RoC requires every applicable requirement to be in place, so the audit is only concluded once that remaining 5-10% has been closed out.
Qualified Security Assessors (QSAs) are governed by the PCI SSC, through the PCI SSC Quality Assurance Programme, to produce consistent results. The only differentiators in this space are therefore efficiency, quality and accuracy, which is what 2-sec's years of experience deliver to satisfied clients worldwide.
Compliance Management software is available to streamline the audit where it offers a clear, early benefit.
PCI DSS Remediation
2-sec are well known as specialists and innovators in the PCI DSS space, with solid experience of the standard since 2004. We can provide cost effective solutions for any PCI DSS control and we do not just mean technology. There can be many ways to address PCI DSS controls, including:
- Adaption and reconfiguration of existing technology
- Developing simplified processes
- Rationalising security policies
- Compensating controls (risk based approach), where a legitimate technical or documented business constraint prevents the stated requirement being met; each one must meet the intent and rigour of the original requirement and be documented on a compensating control worksheet for the assessor
- Using open source solutions
Our view is that security technology is generally mature and it is not often that a new solution is required, as this usually involves cost and extensive resources for configuration and maintenance. That is not to say that at some point within the security lifecycle you will not need investment in new technology, but it is to say that we will always take a balanced, neutral approach and work out exactly what is right for you.
It is becoming increasingly common to separate Audit and Advisory services. Using your PCI DSS QSA auditor to assist with PCI DSS remediation means the same person ends up assessing the controls they designed, and it is often better to have two sets of eyes looking at the same challenge independently.
Of course, 2-sec's auditors are professional, experienced and fully versed in managing (and declaring) any conflict of interest, in line with the Information Systems Security Association Code of Ethics. Our prime focus is to act in your best interests at all times, rather than anybody else's.