1. Understanding the relationship between PA-DSS and PCI-DSS.  In short, becoming PA-DSS compliant does NOT make an entity PCI-DSS compliant.  Remember, the actual PA-DSS certified application will then still need to be implemented into a PCI-DSS compliant environment, either yours or the entity or entities that are using your PA-DSS application.

2. Determining if your application is truly in scope for PA-DSS. Want to know if your application is in scope and required to undergo PA-DSS certification?  Read pages 5 and 6 of the PCI PA-DSS Requirements and Security Assessment Procedures, v.2.0, which can be found at pcisecuritystandards.org.  These two (2) pages give excellent examples and explanations of what constitutes and does not constitute a requirement for PA-DSS certification.

3. The importance of the two PA-DSS appendices, which are the (a) Implementation Guide (IG) and the (b) Laboratory instructions for testing and validating an actual live environment of the application itself.  Let’s not forget the two (2) of the most important components of PA-DSS compliance are actually the Appendix A and B. These appendices are not simple instructions, afterthoughts, or additional optional guidelines, rather, they speak to the heart of PA-DSS compliance, thus you’d be wise to learn more about them. In short, Appendix calls for an Implementation guide to be in place, while Appendix B requires a number of activities for ensuring that the actual payment application undergoes an extremely thorough and comprehensive set of tests in an actual laboratory environment.  You can obtain the actual PA DSS requirements guidelines at pcisecuritystandards.org.

4. Understanding the need for policies and procedures. Sure, the vast majority of PA-DSS certification is technical and can be challenging, but don’t forget that a fair number of policies and procedures will also need to written. Contacting a highly-qualified PA-QSA will be most helpful in this situation, as they should have templates to provide your organization.

5. Recognizing that a PA-DSS assessment is significantly different from a PCI-DSS assessment. Though it would be a stretch to call them oil and water, there are significant and meaningful difference between the two. Remember, PA-DSS certification is about the application specifically, while PCI-DSS compliance is a higher-level, broader reaching mandate that covers an organization, or a specific platform within an organization that processes, stores, or transmits cardholder data.

Call today and speak directly with PCI-QSA | PA-QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles will take the time to discuss your PA-DSS certification needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.

What your organization needs is an experienced PA DSS consulting expert that has spent years in the payments industry and can provide your organization with a quality compliance assessment, and with a competitive, fixed-fee pricing model. That’s NDB Advisory, a nationally recognized boutique firm that is a Qualified Security Assessor Company (QSAC) as validated by the Payment Card Industry Security Standards Council (PCI SSC), and more importantly, a firm that employs both PCI and PA Qualified Security Assessors (QSA). The firm’s lead assessor is Mr. Charles Denyer, and individual with years of payments industry experience and who hold both PCI-QSA and PA-QSA designations.  Charles has worked with all types of organizations throughout a large number of industries and can assist you with all your PCI DSS and PA DSS compliance needs.  Notable accomplishments that Charles brings to the table with his PA DSS consulting services for NDB Advisory are the following:

•    Customized template to use exclusively as your “Implementation Guide”.
•    Numerous PA DSS specific policy and procedures template developed by PCI-QSA | PA-QSA Charles Denyer.
•    Competitive pricing structure for PA DSS assessments.

With thirteen (13) requirements and two (2) critically important appendices, PA DSS compliance can be a lengthy and arduous process, thus it’s vital you retain the services of a competent, well-known PA DSS consulting firm, such as NDB Advisory. And it’s just as important that the firm you hire has capable, well-trained PA DSS consulting experts such as Charles Denyer, who is both a PCI-QSA and a PA-QSA. Contact Charles directly at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com if you have questions regarding PCI DSS and PA DSS compliance.

Regarding the actual scope of a PA DSS assessment, it consists of thirteen (13) requirements along with two (2) critically important appendix sections. Within each of the 13 requirements are numerous sub-requirements that must be validated by a PA-QSA, an individual who is licensed to perform PA DSS assessments.  Additionally, the 2 appendix sections provide detailed information on the requirements for an Implementation Guide along with laboratory procedures for actually testing the applications and its supporting infrastructure. In short, the scope of a PA DSS assessment is generally considered very encompassing, as it’s much more than just the application itself.

NDB Advisory’s qualified and competent assessors, such as Charles Denyer, who holds the PA-QSA and PCI-QSA designation,  can provide your organization with a scalable, efficient assessment process, and one that include a competitive, fixed-fee for your PA DSS assessment.

Our industry leading PA DSS services include the following:

•    The use of our proprietary, highly sought after PA DSS compliance Implementation Guide template.
•    Readily available policy and procedures template developed exclusively for PA-DSS compliance.
•    Seasoned, veteran assessors with years of experience in the payments industry
•    All at a competitive, fixed-fee price model.

Call today and speak directly with PCI-QSA | PA-QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles will take the time to discuss your PA-DSS needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.

Looking for a PCI QSA in Birmingham, AL to help assist with your Payment Card Industry Data Security Standards (PCI DSS) compliance needs? If so, then contact PCI QSA Charles Denyer of NDB Advisory at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com. Charles has worked with numerous organizations throughout the country regarding PCI compliance, ranging from small, privately held start-ups to large, nationally recognized organizations. He and his dedicated staff at NDB Advisory have developed a proven, efficient, and cost-effective methodology for meeting all your compliance needs, especially that of Level 1 on-site assessments, which require the use of a Payment Card Industry Qualified Security Assessor (PCI-QSA).

NDB Advisory’s PCI QSA Birmingham, AL auditing and consulting services consist of the following phases for meeting your level 1 compliance needs, regardless if you are a merchant or a service provider:

(1) PCI DSS Readiness Assessment

(2) Policy & Procedure (P&P) Analysis and Development

(3) Remediation Activities

(4) Vulnerability Scanning Services

(5) Penetration Services

(6) PCI DSS Assessment | on-site Fieldwork

(7) Issuance of “Report on Compliance” (ROC) and any other necessary reporting deliverables

Each phase is carried out and executed in a thoughtful, diligent manner, thus providing efficiencies of scale, yet producing a comprehensive, quality PCI report, all at a cost-effective fixed fee for your organization. What’s more, Charles and his staff have developed numerous helpful tools, such as policy and procedure templates, for helping organizations with their PCI DSS compliance needs. From a readiness assessment to the final issuance of the PCI Report on Compliance (ROC), our PCI QSA Birmingham, AL auditing and consulting services will get you up to speed with PCI compliance in no time.

9. Policies and Procedures-There are a very large number of various policies, procedures, forms, checklists, etc. that need to be developed for PCI compliance.  And while PCI compliance is considered technical in nature, much is to be done on the more qualitative, soft-side of technical writing. Companies really struggle with this very issue as they simply don’t have the time and resources needed to develop quality, highly customized policies and procedures.  If you take the time to thoroughly analyze each of the twelve (12) PCI DSS requirements and their respective sub-components, you often come across mandates calling for “policies, procedures, authorization forms,”, etc. that need to be developed and implemented into an organization’s daily operational environment.  Your best bet here is to find a reputable, quality firm offering PCI policy and procedure writing or to use a company such as pcipolicyportal.com.

10. Operational Commitments from Internal Personnel-In short, most organizations struggle immensely from an operational perspective with PCI. They either do not have the manpower, applicable skill sets, or budget to provide adequate resources for an engagement of this type. This often leads to delays and missed project milestones for PCI compliance. They have the intent and sincerity of wanting to become compliant, but simply don’t have the resources to achieve their goals in a timely manner.  Thus, one way to remove some of these burdens associated with PCI compliance is to discuss many of these issues mentioned in my top 10 list and what activities can be immediately undertaken to address these pressing concerns.

I hope this list has been helpful to you and please look for more PCI Top 10 lists in the future.

View Part I and Part II of Top Ten PCI Challenges

About Charles Denyer
Charles Denyer is a member of NDB Accountants & Consultants, a nationally recognized boutique CPA and advisory firm specializing in Regulation AB, SAS 70, SSAE 16, ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with other regulatory compliance initiatives. Mr. Denyer is actively involved in numerous professional associations and organizations for a wide range of industries and business sectors. He is also an advanced social media expert, having spent years working in the field of search engine optimization (SEO) and various forms of online marketing and social media.
Mr. Denyer holds numerous accounting and technology certifications along with a Masters in Information and Telecommunication Systems from the Johns Hopkins University and a Masters in Nuclear Engineering. He is also currently an MBA candidate for the Johnson School of Business at Cornell University. He can be reached at cdenyer@ndbcpa.com or at 800-277-5415-ext.705.

•modsecurity, an open-source application based WAF | http://www.modsecurity.org/
•AQTRONIX | WebNight | http://www.aqtronix.com/?PageID=99

5. Audit Trails and Logging-Requirements 10.1 to 10.3.6 is a comprehensive, yet timely process, which calls for all in-scope systems to be configured for audit trails and logging. This undertaking can be a lengthy process, as many systems will need to be provisioned correctly for purposes of audit trails and logging. What’s important to note from a scope perspective is that many organizations undertaking PCI DSS compliance seem to only focus on the operating systems, but you have to keep in mind that all applications must be configured for audit trails and logging also. As such, the unfamiliarity with configuring applications for these requirements can add additional time commitments.

6. Log Server | Syslog-Requirement 10.5.1 to 10.5.4 calls for audit trails to be backed up to a log server, thus some type of centralized syslog server will need to be in place along with the syslog protocol. Generally speaking, I find that many organizations either (A) log to the actual server themselves or (b) have a log server in place, but the number of components for which logging is being received from or reviewed, is marginal at best. I’ve found KIWI (which is now a part of Solarwinds) to be a great and effective tool for logging, but obviously, you’ll still need a server to log to. http://www.kiwisyslog.com/kiwi-syslog-server-overview/

7. File Integrity Monitoring- Requirements 10 and 11 call for this, which is essentially change detection software that detects unauthorized modifications to systems, files, etc. Consistent with many of the points I’ve mentioned, organizations initially struggle with this requirement as they are either (a) unsure of what FIM actually is or (b) incorrectly assume that they have a solution in place that meets PCI DSS requirements. Try using OSSEC, which is actually a host based Intrusion Detection System (HIDS) | File Integrity Monitoring tool: http://www.ossec.net/main/manual/manual-syscheck/realtime-file-integrity-monitoring. Additionally, I’ve heard favorable comments on PA File Site from http://www.poweradmin.com/

Continue to Part III of Top Ten PCI Challenges.

Go back to Part I Top Ten PCI Challenges.

1. Provisioning, hardening, securing and locking-down all in-scope “system components”-For Requirement 2, all network devices (i.e., routers, firewalls, switches, etc.), operating systems and other internal supporting hosts (i.e., their respective O/S, applications, databases, etc.) that are considered in-scope must go through a comprehensive process of being securely provisioned and hardened.  This requires a substantial amount of work, AND must also be documented accordingly for audit evidence.  This can pose significant operational constraints as many of these internal systems have never been adequately hardened in accordance with PCI DSS requirements. My advice? Use best-of-breed hardening standards for all system components and cross-check with the PCI DSS standards for Requirement 2 for ensuring all mandates are met.

2. Anti-virus-Requirement 5 calls for having various anti-virus initiatives in place, thus organizations should either move to a enterprise-wide AV server or put in place protocols whereby every laptop is on the most current, updated version of anti-virus.  I’ve found over the years that many small and medium size businesses seem to ignore the fundamental importance of anti-virus protection, as witnessed by employees using wide variations of products, many which have not been updated to the most current version, and some users not employing any anti-virus software at all. Anti-virus and malware are serious threats to one’s organization, so take this requirement to heart and implement a strong and formalized AV platform throughout your network.

3. Two-factor authentication-Requirement 8 mandates that organizations “Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties”.   Remember, with two-factor authentication, two (2) of the three  (3) factors (i.e., 1.Something you know. 2. Something you have. 3. Something you are) must be met. This does not mean (and I’m asked this all the time!): “Is using two different passwords at two different levels two factor authentication?” The answer is NO, that is single-factor done twice and will NOT suffice for PCI DSS compliance. Additionally, I’m often asked what specific employees must use two-factor? This question often arises due to the general vagueness of the requirement itself that is put forth within the PCI DSS standards. With that said, my stance as a PCI QSA is the following:  Any user that is remotely (i.e., outside the network) using, interacting with/or relying on a system component that resides within the scope of the cardholder data environment and that system component for which they are using, interacting, or relying on undertakes actions that relate to the processing, storage, or transmission of cardholder data, then these users must invoke two-factor authentication.  The point is to cast a wide net on all users that have an actual or even potential possibility of interacting with systems in the cardholder data environment.  And lastly, there are a number of reputable vendors that provide two-factor solutions at very reasonable rates.  Please email me at cdenyer@ndbcpa.com and I’ll be more than happy to share those with you.

Continue to Part II and Part III of Top Ten PCI Challenges

NDB Advisory is offering Atlanta, GA PCI QSA services for businesses requiring an on-site PCI DSS assessment by a Qualified Security Assessor (QSA). With proven industry experience and the ability to deliver a cost-effective, efficient assessment process, all within a fixed-fee budget, NDB Advisory is your “go to” Firm for Atlanta, GA PCI QSA services. What’s more, you can call and speak directly to QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com.

Charles and his staff at NDB Advisory have performed numerous on-site PCI DSS assessments for a wide range of organizations, ranging from data centers to Software as a Service (SaaS) entities, just to name a few. Charles’ years of experience in the payments industry and as a regulatory compliance consultant has afforded him the opportunity of developing a comprehensive PCI roadmap for any organization seeking transparency and efficiency within the assessment process itself, all at a cost-effective fixed fee rate.

NDB Advisory has also developed numerous industry leading tools and assessment methods that greatly assist in the overall process for PCI compliance, such as policy and procedure templates to utilizing our customized penetration testing and scanning tools. It’s all available from a well-recognized accounting and consulting firm that specializes in Atlanta, GA PCI QSA services for merchants, service providers, and any other business or organization seeking an on-site PCI DSS assessment from a QSA.

Contact QSA Charles Denyer directly at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com. Charles can help immediately analyze your compliance needs and put in place an efficient and cost-effective program consisting of proven Atlanta, GA PCI QSA services.

Consider NDB Advisory as your Atlanta, GA PCI QSA provider. To learn more about the Payment Card Industry Data Security Standards (PCI DSS) provisions, please visit the PCI DSS Resource Guide, developed by NDB Advisory.

NDB Advisory’s California PCI QSA consulting services consist of competitive, fixed-fee engagements from a well-respected, highly skilled firm with deep-seeded roots in the Golden State. From San Diego to Sacramento, we’ve been helping clients become PCI compliant and we can help you too. Call and speak directly with Charles Denyer, QSA, at 1-800-277-5415, ext. 705 to discuss your PCI Level 1 assessment needs.

Our California PCI consulting services are geared directly to the growing number of businesses who are being required to not only become PCI compliant, but compliant via a Level 1 on-site assessment by a Qualified Security Assessor (QSA). Knowing that these costs could be financially devastating for many small and medium businesses, NDB Advisory has put together a workable and scalable five phase approach for PCI compliance, and one that includes all necessary policies and procedures for PCI compliance. In short, data centers, Software as a Service (SaaS) entities, web hosting, just to name a few, are all falling under the umbrella of Level 1 PCI compliance, which means an on-site assessment by a QSA.

Level 1 on-site assessments need not be a financial and operational burden to your organization, rather they should be an exercise in efficiency, while still implementing sound internal controls for security.

NDB Advisory’s California PCI QSA consulting services will give you a fixed-fee, ultimately giving you peace of mind knowing exactly what you’ll be paying, right down to the penny.

The five phase process, developed by NDB Advisory, for PCI Level 1 on-site assessments, consists of the following:

(1) PCI DSS Scoping & Readiness Assessment

(2) Policy and Procedure (P&P) Analysis and Development

(3) PCI DSS Remediation Activities

(4) PCI DSS Scanning and Penetration Services

(5) PCI DSS Assessment and Issuance of “Report on Compliance (ROC) and any other necessary reporting deliverables.

NDB Advisory, your California PCI QSA provider for Level 1 on-site assessments. Along with calling Charles Denyer, QSA, directly at 1-800-277-5415, you can also email him at cdenyer@ndbcpa.com.

Additionally, you can learn more about PCI compliance by visiting the PCI DSS Resource Guide, developed by NDB Advisory.

About NDB Advisory

With proven PCI DSS experience, deep seeded roots in information systems, regulatory compliance, and many other security related technology issues, NDB Advisory’s team of well-skilled employees can help your organization achieve PCI DSS compliance. Services range from initial PCI DSS Readiness Assessments to helping organizations meet self-assessment goals, along with issuing PCI Report on Compliance assessments as allowed by only a “Qualified Security Assessor” company that has met the strict requirements set forth by the Payment Card Industry (PCI) Security Standards Council (SSC)-PCI SSC in Wakefield, MA.

If you’re searching for Southern California PCI QSA services for Level 1 on-site assessments and need a competitive, fixed-fee from a nationally recognized firm, then look no further than NDB Advisory. We’ve developed a proven and scalable five phase process for PCI compliance that will save your organization time and money. Call and speak directly with our lead QSA, Charles Denyer, at 1-800-277-5415, ext. 705.

Our Southern California PCI QSA services are a result of our deep-seeded roots in the Golden State, as NDB Advisory has performed numerous regulatory compliance audits for clients, ranging from data centers in San Diego to Software as a Service (SaaS) providers in Sacramento. In short, NDB Advisory has developed a strong presence in California and we’ll continue to showcase our skills by providing businesses with proven and cost-effective PCI QSA services, from Southern California to the Bay area.

The secret in obtaining Level 1 PCI DSS compliance is putting in place a proven and workable assessment process consisting of sequential phases that seamlessly flow from one after the other. What’s more, with proven skills led by our most senior QSA, Charles Denyer, NDB Advisory will get you up to speed on PCI compliance with all the essential tools that we have out our disposal.

Your five phase process for compliance is as follows:

(1) PCI DSS Scoping & Readiness Assessment

(2) Policy and Procedure (P&P) Analysis and Development

(3) PCI DSS Remediation Activities

(4) PCI DSS Scanning and Penetration Services

(5) PCI DSS Assessment and Issuance of “Report on Compliance (ROC) and any other necessary reporting deliverables.

Looking for Southern California PCI QSA services and also for the Bay area? Then contact NDB Advisory and speak directly with Charles Denyer, QSA, at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com

Want to learn more about PCI compliance? Then visit the official PCI DSS Resource Guide.

About NDB Advisory

With proven PCI DSS experience, deep seeded roots in information systems, regulatory compliance, and many other security related technology issues, NDB Advisory’s team of well-skilled employees can help your organization achieve PCI DSS compliance. Services range from initial PCI DSS Readiness Assessments to helping organizations meet self-assessment goals, along with issuing PCI Report on Compliance assessments as allowed by only a “Qualified Security Assessor” company that has met the strict requirements set forth by the Payment Card Industry (PCI) Security Standards Council (SSC)-PCI SSC in Wakefield, MA.