An Assessment to Ensure PCI Compliance

Any organization that stores, processes, or transmits credit card data is required to comply with the Payment Card Industry Data Security Standard (PCI DSS).

TrustedSec offers a wide range of PCI-related services that help organizations achieve their compliance goals and build a sustainable compliance program, regardless of where they are in the compliance cycle.

TrustedSec is a Qualified Security Assessor (QSA) company certified by the PCI Security Standards Council and can provide the full range of PCI DSS services, including PCI Readiness Assessments, PCI SAQ assistance, and PCI On-Site Assessments resulting in a Report on Compliance (ROC). TrustedSec works with merchants of all sizes, from level 1 (the highest transaction volume) to level 4 (the lowest transaction volume), as well as with service providers.

PCI Readiness Assessment

Often referred to as a Gap Assessment, the PCI Readiness Assessment is the first step in ensuring that an organization has the proper foundation to comply with the PCI DSS: the appropriate people, processes, and technical controls, aligned to the organization's compliance scope. Whether an organization is tackling PCI for the first time or is a veteran that needs additional validation, TrustedSec can assist in ensuring PCI compliance.

When should an organization consider this service?

  • This is the first time the organization is formally looking at its security posture related to PCI compliance.
  • The organization needs high-level validation that scoping is implemented correctly and controls are appropriate for the organization.
  • The organization is transitioning from one QSA company to another and wants to ensure a smooth transition between audits.


PCI SAQ Assistance

Merchants and service providers, depending on their transaction levels, may be eligible to validate compliance through a reduced form of reporting known as the Self-Assessment Questionnaire (SAQ). Several SAQ types exist, and which one applies depends on the payment channels used throughout the organization. While the SAQ reduces the cost and burden of reporting PCI compliance, it still requires the rigor of verifying that all applicable controls are in place and operating effectively. TrustedSec can reduce the internal burden this process carries and ensure that the assessment is performed effectively and to a high standard.

When should an organization consider this service?

  • A merchant bank requires the submission of an SAQ and the organization wants to ensure the quality and accuracy of the assessment.
  • The organization needs to augment its internal resources to perform and validate this assessment.


PCI On-Site Assessment

The PCI On-Site Assessment is a formal assessment performed by a Qualified Security Assessor (QSA) company to establish the PCI compliance status of the environment. It combines on-site interviews with subject-matter experts, reviews of documentation and evidence, and sampling of key systems to verify that controls are in place and operating as intended. At the end of the engagement, two artifacts are produced reflecting the compliance status of the payment processing or supporting environment: a Report on Compliance (ROC) and an Attestation of Compliance (AOC).

When should an organization consider this service?

  • A merchant bank requires the submission of a ROC and AOC to validate compliance.
  • A customer mandates validation through a full PCI On-Site Assessment.
  • As a service provider, the organization wants its compliance status listed on either Visa's or MasterCard's compliant service provider list.

PCI Self-Assessment Questionnaire

Each SAQ type corresponds to a particular way of accepting credit cards. The list below pairs each questionnaire with the payment channels it covers.

SAQ A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels.

SAQ A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.

SAQ B

Merchants using only:

  • Imprint machines with no electronic cardholder data storage.
  • Standalone, dial-out terminals with no electronic cardholder data storage.

SAQ B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

SAQ C

Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage.

SAQ P2PE-HW

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

SAQ D for Merchants

All merchants not included in the descriptions for the above types.

SAQ D for Service Providers

All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.