PCI Qualified Security Assessor (QSA)

We are a Payment Card Industry (PCI) Qualified Security Assessor (QSA) Company, offering specialist consultancy for compulsory PCI DSS compliance.

PCI Data Security Standard (PCI DSS) compliance is mandatory for Merchants and Service Providers involved in the storage, processing or transmission of cardholder data. Service Providers that can affect the security of a Merchant's cardholder data also need to ensure that their services are PCI DSS compliant. Achieving and maintaining PCI DSS compliance is a complex process and can be a minefield without the right level of knowledge or technical support.

As a QSA Company, Sec-1 is qualified to offer specialist consultancy for PCI DSS compliance. We can also add value by offering in-house technical expertise to further improve network and information security across all industry verticals.

PCI DSS Phased Approach

Sec-1 has developed a 5-stage process for a PCI DSS project. Working with organisations of all sizes, Sec-1 can join a customer's PCI DSS project at any of the following stages:

  • New to PCI
  • Struggling with PCI
  • Far along the PCI Journey
  • Maintaining Compliance
  • Fulfilling Specific PCI DSS Requirements

How far an organisation has progressed with PCI DSS determines the stage at which Sec-1 will typically start to assist. Whatever stage you are at, we have the knowledge and experience to tailor our solution around your individual needs. The stages are briefly described below.


Stage 1

It is extremely important for organisations to understand the scope of their PCI DSS environment. Controls are implemented against the defined cardholder data environment (CDE): the people, processes and technologies that store, process or transmit cardholder data, together with any system components that are connected to the CDE or could affect its security. If the CDE is inaccurately scoped, in-scope system components may be missed from the PCI DSS programme and from assessment activities.

This stage seeks to understand:

  • the payment flows,
  • the SAQ eligibility,
  • which system components are in scope,
  • the defined cardholder data environment, and
  • in-scope third parties.

Additionally, this stage will often look at de-scoping options to feed into Stage 2.

Stage 2

This stage is very much driven by the organisation, since it looks at the various de-scoping options to determine which ones are viable. Typical options include network segmentation, outsourcing the payment page to a PCI DSS compliant service provider, point-to-point encryption (P2PE) terminals and tokenisation. Organisations will typically weigh several factors in deciding which, if any, de-scoping options are best, including the customer journey, costs, implementation challenges and customer demographics.

Once de-scoping options are decided, the organisation should look to implement said options.

Stage 3

This is the stage where organisations start to implement the applicable PCI DSS requirements. Stages 1 and 2 are important because they determine the scope of PCI DSS and which requirements (i.e. which SAQs the payment channels align to) are likely to be in scope for assessment activities.

Organisations can then start to deploy the necessary policies, processes and technology to meet all applicable requirements.

Stage 4

Stage 4 is the assessment phase. This may be a self-assessment or an onsite QSA-led assessment. It is important that each applicable requirement is assessed and validated, not just declared in place.

Stage 5

This stage is a maintenance stage in which the organisation ensures that it continues to meet all PCI DSS requirements after the assessment is complete. This includes ensuring that the daily, quarterly, 6-monthly and annual tasks (for example daily log review, quarterly vulnerability scanning and annual penetration testing and risk assessment) are completed on schedule and evidenced.

This stage will loop back to Stage 4 each year.

What PCI DSS services can Sec-1 offer?

Sec-1 offers a range of services aimed at different stages of this phased approach. These services include:

  • PCI DSS CDE Mapping: This service is designed to help organisations understand the scope of PCI DSS, define the CDE, identify payment flows, provide relevant de-scoping options, identify in-scope service providers and identify the necessary reporting requirements (i.e. SAQ eligibility).
  • CHD Discovery Scanning: This service helps organisations to identify cardholder data within the environment. This utilises a third-party tool which customers purchase to provide ongoing CHD Discovery scanning.
  • SAQ Walkthroughs: With this service, a Sec-1 QSA will walk through the relevant SAQs, explaining the intent of each requirement and how it applies to the organisation's environment.
  • PCI Credits: This service provides organisations with pre-purchased time which they can call off when they have PCI DSS queries. Credits are purchased at a day rate (7½ hours per day) and are called off in 15 minute increments, rounded up. For example, a query that takes 35 minutes to research and respond to is deducted as 45 minutes from the allocated PCI Credits.
  • Scope Reduction Reviews: Where organisations are implementing de-scoping options, Sec-1 can be asked to review proposed changes prior to deployment to ensure that the changes will achieve the desired result.
  • GAP Analysis: Sec-1 provides two types of GAP Analysis:
         - Interview led: the 'in place' / 'not in place' status of each requirement is determined from the responses to interview questions.
         - Assessment driven: each applicable requirement is manually assessed to determine whether it is being met.
  • Risk Assessments: PCI DSS Requirement 12.2 requires a formal risk assessment at least annually and upon significant changes to the environment. Sec-1 can conduct this risk assessment through interviews with key stakeholders.
  • PCI QSA as a Resource: The Sec-1 PaaR service provides an onsite resource to help drive the organisation's PCI DSS project forward. Usually a GAP Analysis is carried out first to determine how much work is required for the organisation to become PCI DSS compliant. This, coupled with how quickly the organisation wants to attain compliance, determines how many days per month the organisation signs up to having a QSA onsite to work on the project.
  • Report on Compliance Assessments: Level 1 Merchants and Level 1 Service Providers must undergo an annual onsite QSA-led assessment resulting in a Report on Compliance (RoC). Sec-1 is a QSA Company and can provide QSAs to carry out this level of assessment.
  • SAQ Assisted Audit: Some organisations want assurance that their self-assessment has been carried out correctly. Our clients often ask for an SAQ assessment which is signed off by the QSA to confirm that the SAQ has been completed accurately.
  • Prioritised Approach Audit: Where organisations are using the PCI DSS Prioritised Approach to report progress to their Acquirers, Sec-1 can be asked to perform an assessment against the milestone which the organisation is reporting to have reached.
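To make the CHD Discovery Scanning service above concrete, here is an added illustration of what the core of a cardholder-data discovery scan does. This is example code written for this page, not Sec-1's scanning tool (which is a third-party product) and not code from the original text. It finds digit runs that look like primary account numbers (PANs), confirms them with the Luhn check digit so that order numbers and timestamps are not reported as cardholder data, and reports each hit masked (first six / last four digits, per the PCI DSS 3.x masking rule) so that the scan report itself does not become cardholder data. The sample log lines are constructed for the demo and use the publicly known card-brand test numbers; the brand prefix table is a deliberately simplified assumption, not a full BIN table.

```python
"""Illustrative cardholder-data (PAN) discovery over text (added example)."""
import re

# A PAN is 13 to 19 digits; allow single spaces or dashes between digits as
# they appear in free text. The lookarounds stop the pattern matching a
# shorter run inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Simplified IIN prefixes and lengths (assumption for the demo, not a full
# BIN table; e.g. the Mastercard 2221-2720 range is omitted).
BRAND_PREFIXES = (
    ("American Express", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16, 19)),
    ("Mastercard", tuple(str(p) for p in range(51, 56)), (16,)),
    ("Discover", ("6011", "65"), (16, 19)),
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9
    when the doubled value exceeds 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Best-effort brand hint from the simplified prefix table above."""
    for name, prefixes, lengths in BRAND_PREFIXES:
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return "unknown"


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 3.x masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[dict]:
    """Return one finding per Luhn-valid PAN candidate, keyed by line number.
    A Luhn-valid number with an unknown prefix is still reported: missing a
    real PAN is worse than a false positive in a discovery scan."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_valid(digits):
                continue  # digit run without a valid check digit: not a PAN
            findings.append(
                {"line": lineno, "masked": mask_pan(digits), "brand": brand_of(digits)}
            )
    return findings


# Constructed sample: line 1 has a 16-digit order ID (fails Luhn), line 4 has
# a 14-digit reference (fails Luhn); the card= / amex= values are test PANs.
SAMPLE_LOG = """\
2024-01-15 12:30:45 order=1234567890123456 status=ok
2024-01-15 12:30:46 card=4111111111111111 auth=approved
2024-01-15 12:30:47 card=5555 5555 5555 4444 auth=declined
2024-01-15 12:30:48 ref=20240115123045 amex=378282246310005
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['masked']} ({finding['brand']})")
```

Run against the constructed log the scanner reports lines 2, 3 and 4 only; the order ID on line 1 and the reference on line 4 are rejected by the Luhn check. In a real discovery exercise the same logic is run over file shares, databases and log stores, and every hit is either justified as in scope (and the storing system added to the CDE) or purged.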

Additional Services to Support PCI DSS

We can also help with the following standalone or add-on services, depending on your current context and specific requirements:

  • Anti-virus / anti-malware solutions (Requirement 5)
  • Patch management solutions (Requirement 6.2)
  • Secure web application development training (Requirement 6.5.b)
  • Multi-factor authentication solutions for remote access into the CDE and for non-console administrative access (Requirement 8.3)
  • Logging/SIEM (Requirement 10)
  • Wireless scanning / wireless IDS solutions for detecting unauthorised access points (Requirement 11.1)
  • Quarterly internal vulnerability scanning solutions (Requirement 11.2.1)
  • Quarterly external scanning by an Approved Scanning Vendor (ASV) (Requirement 11.2.2)
  • PCI-focused penetration testing and segmentation testing (Requirement 11.3)
  • Technical remediation of penetration testing findings (Requirement 11.3.3)
  • IDS/IPS solutions (Requirement 11.4)
  • Change-detection solutions such as file-integrity monitoring (Requirement 11.5)
  • User awareness training (Requirement 12.6)

Why use Sec-1?

The following facts help to position Sec-1 as a leading name in PCI DSS:

  • We are a PCI Qualified Security Assessor (QSA) company,
  • We are a PCI Approved Scanning Vendor (ASV) company,
  • We offer vast in-house PCI-specific expertise,
  • Sec-1 works within all verticals,
  • Our solution is tailored to meet the latest PCI DSS compliance standard, whatever stage you are currently at,
  • We follow a standard methodology across consultants and penetration testers for quality assurance, and
  • We are CHECK 'Green Light' & CREST accredited (Infrastructure & Application)

How can I find out more?

You can request a copy of our full standard PCI DSS methodology here.

For PCI DSS advice or to obtain a quote for your requirements, contact us on 01924 284 240 or email info@sec-1.com

Further information:

PCI DSS for global data security

The PCI DSS is a network and information security standard for organisations involved in the storage, processing or transmission of cardholder data. Compliance is mandatory for all merchants and service providers; how compliance must be validated (self-assessment questionnaire or onsite assessment) depends on transaction volume. The PCI DSS requires each entity involved in card processing to validate compliance to the standard annually.

The PCI DSS is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. This is built upon 12 different requirements consisting of over 320 individual sub-requirements.

History

The PCI Data Security Standard was originally formed by Visa and MasterCard to bring together their individual compliance programmes. Three other payment brands, American Express, Discover and JCB, then joined, which led to the formation of the PCI SSC (Payment Card Industry Security Standards Council) as an independent body providing oversight of the development and management of Payment Card Industry security standards on a global basis.

More information

You can access more information and a range of useful resources on the PCI SSC website here where you can also find the latest version of PCI DSS.


'Following (our) initial meeting Sec-1 was requested to provide a Penetration Test for the Halcrow Group. The standard of report received has resulted in Sec-1 being the provider of choice for Penetration and Application Testing for the Halcrow Group and is retained for the foreseeable future.'

David Grant
Halcrow Group