All organisations storing, transmitting or processing debit or credit card data are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS), or face potentially hefty fines and reputational damage should a breach occur.
We have successfully helped organisations of all sizes, with both high and low volumes of annual cardholder transactions, meet their compliance requirements by identifying process flows, carrying out initial gap analyses against the standard, reviewing self-completed SAQs and providing advice on achieving compliance. We can help you too, whether you are already compliant or still have that hill to climb.
An additional benefit we offer, apart from our total independence from any product or service supplier, is our holistic approach to security. We have experts in all aspects of information security, including physical security, which is a key requirement of the standard and one that is often overlooked.
Many of the ISO 27001 controls also map directly to the requirements in the PCI-DSS. So, if you are already complying with ISO 27001 or intending to, you may find compliance with PCI-DSS less arduous.
Do I Need a QSA?
For most organisations the answer is ‘probably not’. A QSA is generally engaged to sign off a completed SAQ and in effect acts as an external auditor to show you are compliant with the controls. The standard, however, does not mandate that a QSA sign off SAQs for Merchant levels 2, 3 and 4. Even if your Acquirer insists on a QSA signing off the SAQ, you can still take advantage of independent, cost-effective advice and guidance from consultancies such as Advent IM.
It is our role to assess your current situation, guide you through the standard and assist you in identifying appropriate controls to meet compliance. It is a QSA’s role to ensure controls are in place by conducting an evidential audit against the SAQ. The two activities should be carried out independently, as auditing your own work is clearly not recommended best practice. Many QSAs are also part of a product or managed service provider, which makes it difficult for them to demonstrate unbiased and independent advice.
Advent IM is not a QSA but can offer a comprehensive, complete review based on recommended best practice across all requirements of PCI-DSS, at a price you can afford.