Charles Denyer, who holds both the PCI-QSA and PA-QSA designations, can answer all your pressing questions regarding PCI DSS compliance, and can also provide a sustainable, scalable PCI roadmap consisting of a number of predefined phases and steps. Charles can also help assist in many other ways, such as the following:

1. Provide policy and procedure writing for PCI along with supplying your organization with all the templates needed to develop well-written PCI documentation.

2. Assemble a list of recommended, cost-effective open-source tools for PCI compliance. That’s right, there’s no need to spend tens of thousands of dollars on regulatory compliance tools when a number of high-quality open source tools are readily available. Charles has developed an extensive list of tools that he can share with you.

3.Discuss with you the Top 10 PCI issues that cause constraints, compliance delays and many other problems for organizations seeking to become PC compliant. And yes, there’s quite a few.

4. Assist with filing your Report on Compliance (ROC) to VISA along with also obtaining clearance to be listed on the highly coveted VISA service provider list. This alone can be a very daunting challenge, sometimes taking months for organizations who are unsure of how to proceed. NDB Advisory’s PCI DSS experts, such as Charles Denyer, have successfully helped a number of organizations with the VISA certification process.

Give Charles Denyer a call at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles is one of NDB Advisory’s most trusted PCI DSS Experts and can help assist organizations with Payment Card Industry Data Security Standards (PCI DSS) compliance.

As you may very well know, payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and that are sold, distributed, or licensed to third parties must become PA DSS compliant.

And here are some other notable points you might want to remember about PA DSS compliance:

• Use of a PA DSS compliant application by itself does not make an organization PCI DSS compliant, and that’s because an application must be implemented into a PCI DSS compliant environment.
• The requirements for PA DSS are actually derived from the PCI DSS standards themselves.
• PA DSS has thirteen (13) Requirements and supporting assessment procedures along with two (2) critically important appendices.
• Appendix A discusses the content and overall requirements for the actual PA DSS Implementation Guide (IG) specific to the application itself.
• Appendix B includes measures regarding the testing of an actual PA DSS application in a laboratory environment.
• One of the main goals of PA DSS is to allow applications to further enable, rather than prevent PCI compliance, by the companies who actually implement a given application. Thus, developing software that requires customers to disable security features that are required by the actual PCI DSS standards, is not recommended.
• PA DSS compliance does apply to payment applications that are generally sold “off the shelf” with minimal customization.

This is just a small sample of issues you’ll need to know about regarding PA DSS compliance.  Thus, if you have PA DSS questions, call the experts at NDB Advisory and ask to speak directly with PA QSA Charles Denyer. Additionally, you can email your PA DSS questions to him at cdenyer@ndbcpa.com

Payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and that are sold, distributed, or licensed to third parties must become PA DSS compliant.  The sheer growth of e-commerce systems, Software as a Service (SaaS) platforms and many other web-facing technologies have propelled many vendors into the regulatory compliance spotlight, particularly that of Payment Application Data Security Standards (PA DSS) compliance. You’ll need to consult with a proven PA DSS QSA for helping you understand the unique dynamics of PA DSS compliance, particularly scope assessment, technical requirements, and many other PA DSS mandates.

In short, if you’re a software vendor with a payment application, you’ll need to become PA DSS compliant, which means being responsible for the following measures:

• Creating a PA DSS compliant payment application that facilitates and does not prevent their own customers’ PCI DSS compliance (Please keep in mind that your payment application cannot require an implementation or configuration setting that violates a PCI DSS requirement).
• Following the best practices of the PCI DSS requirements, if, you, the software vendor, store, process, or transmit cardholder data.
• Creating a PA DSS Implementation Guide, specific to each application, in accordance with the requirements in the Payment Application Data Security Standard Appendix A.
• Educating customers, resellers, and integrators and all other applicable parties on the importance of the installation and configuration of the payment application in a PCI DSS-compliant manner.
• Ensuring your payment application meet PA-DSS requirements by successfully passing a PA-DSS review as specified in PCI PA DSS Requirements and conducted by a PA DSS QSA.
• Providing customers with a copy of the validated payment application’s PA-DSS Implementation Guide.

Call today and speak directly with PCI QSA | PA QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles will take the time to discuss your PA DSS needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.

Additionally, PA DSS assessments are also earning a reputation as complex, expensive, and time-consuming engagements, forcing organizations to spend considerable time and effort in hopes of achieving compliance.  Organizations need to be aware that PA DSS compliance is much more than simply checking the box on a number of prescriptive requirements, rather, it take a collaborative effort between all parties, working closely together in building, and ultimately validating a payment application and its supporting infrastructure.

PA DSS assessments are here to stay, thus turn to a trusted industry leader in providing PA DSS compliance, and that’s Charles Denyer, who holds both the PCI-QSA and PA-QSA designations as awarded by the Payment Card Industry Security Standards Council (PCI SSC) in Wakefield, Massachusetts.  Charles and his staff at NDB Advisory have spent years helping organizations with their growing regulatory compliance needs, and Mr. Denyer can provide your organization with a fixed fee pricing model for your PA DSS assessments. Call Charles today at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com. He’ll be happy to speak with you about PA DSS assessments,  costs involved, and any other issues you want to discuss.

NDB’s lead QSA, Mr. Charles Denyer, has spent years working in the payments industry and has developed a lock-step process for the entire on-site assessment process. It starts with a PCI compliance audit Readiness Assessment, followed by the issuance of a gap analysis, whereby you  correct any areas of remediation found, and move on to other areas of the assessment process, such as developing policies and procedures.

Specifically, the NDB Advisory PCI Level 1 assessment process consists of the following phases:

(1) PCI DSS Readiness Assessment

(2) Policy & Procedure (P&P) Analysis and Development

(3) Remediation Activities

(4) Vulnerability Scanning Services

(5) Penetration Testing Services

(6) PCI DSS Assessment | on-site Fieldwork

(7) Issuance of “Report on Compliance” (ROC) and any other necessary reporting deliverables

(8) Closing Meeting and general auditor comments issued to client

In summary, it’s a proven methodology that’s been constantly refined over the last four years, resulting in a highly efficient and cost-effective assessment process for any entity seeking to undergo an on-site PCI compliance audit in accordance with the Payment Card Industry Data Security Standards (PCI DSS) provisions.

Want to learn more about NDB’s PCI compliance audit services? Then contact PCI-QSA Charles Denyer directly at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com.  Charles will be take the time to discuss you PCI needs, the scope of your engagement, along with providing you a competitive, fixed fee proposal.

1. Understanding the relationship between PA-DSS and PCI-DSS.  In short, becoming PA-DSS compliant does NOT make an entity PCI-DSS compliant.  Remember, the actual PA-DSS certified application will then still need to be implemented into a PCI-DSS compliant environment, either yours or the entity or entities that are using your PA-DSS application.

2. Determining if your application is truly in scope for PA-DSS. Want to know if your application is in scope and required to undergo PA-DSS certification?  Read pages 5 and 6 of the PCI PA-DSS Requirements and Security Assessment Procedures, v.2.0, which can be found at pcisecuritystandards.org.  These two (2) pages give excellent examples and explanations of what constitutes and does not constitute a requirement for PA-DSS certification.

3. The importance of the two PA-DSS appendices, which are the (a) Implementation Guide (IG) and the (b) Laboratory instructions for testing and validating an actual live environment of the application itself.  Let’s not forget the two (2) of the most important components of PA-DSS compliance are actually the Appendix A and B. These appendices are not simple instructions, afterthoughts, or additional optional guidelines, rather, they speak to the heart of PA-DSS compliance, thus you’d be wise to learn more about them. In short, Appendix calls for an Implementation guide to be in place, while Appendix B requires a number of activities for ensuring that the actual payment application undergoes an extremely thorough and comprehensive set of tests in an actual laboratory environment.  You can obtain the actual PA DSS requirements guidelines at pcisecuritystandards.org.

4. Understanding the need for policies and procedures. Sure, the vast majority of PA-DSS certification is technical and can be challenging, but don’t forget that a fair number of policies and procedures will also need to written. Contacting a highly-qualified PA-QSA will be most helpful in this situation, as they should have templates to provide your organization.

5. Recognizing that a PA-DSS assessment is significantly different from a PCI-DSS assessment. Though it would be a stretch to call them oil and water, there are significant and meaningful difference between the two. Remember, PA-DSS certification is about the application specifically, while PCI-DSS compliance is a higher-level, broader reaching mandate that covers an organization, or a specific platform within an organization that processes, stores, or transmits cardholder data.

Call today and speak directly with PCI-QSA | PA-QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles will take the time to discuss your PA-DSS certification needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.

What your organization needs is an experienced PA DSS consulting expert that has spent years in the payments industry and can provide your organization with a quality compliance assessment, and with a competitive, fixed-fee pricing model. That’s NDB Advisory, a nationally recognized boutique firm that is a Qualified Security Assessor Company (QSAC) as validated by the Payment Card Industry Security Standards Council (PCI SSC), and more importantly, a firm that employs both PCI and PA Qualified Security Assessors (QSA). The firm’s lead assessor is Mr. Charles Denyer, and individual with years of payments industry experience and who hold both PCI-QSA and PA-QSA designations.  Charles has worked with all types of organizations throughout a large number of industries and can assist you with all your PCI DSS and PA DSS compliance needs.  Notable accomplishments that Charles brings to the table with his PA DSS consulting services for NDB Advisory are the following:

•    Customized template to use exclusively as your “Implementation Guide”.
•    Numerous PA DSS specific policy and procedures template developed by PCI-QSA | PA-QSA Charles Denyer.
•    Competitive pricing structure for PA DSS assessments.

With thirteen (13) requirements and two (2) critically important appendices, PA DSS compliance can be a lengthy and arduous process, thus it’s vital you retain the services of a competent, well-known PA DSS consulting firm, such as NDB Advisory. And it’s just as important that the firm you hire has capable, well-trained PA DSS consulting experts such as Charles Denyer, who is both a PCI-QSA and a PA-QSA. Contact Charles directly at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com if you have questions regarding PCI DSS and PA DSS compliance.

Regarding the actual scope of a PA DSS assessment, it consists of thirteen (13) requirements along with two (2) critically important appendix sections. Within each of the 13 requirements are numerous sub-requirements that must be validated by a PA-QSA, an individual who is licensed to perform PA DSS assessments.  Additionally, the 2 appendix sections provide detailed information on the requirements for an Implementation Guide along with laboratory procedures for actually testing the applications and its supporting infrastructure. In short, the scope of a PA DSS assessment is generally considered very encompassing, as it’s much more than just the application itself.

NDB Advisory’s qualified and competent assessors, such as Charles Denyer, who holds the PA-QSA and PCI-QSA designation,  can provide your organization with a scalable, efficient assessment process, and one that include a competitive, fixed-fee for your PA DSS assessment.

Our industry leading PA DSS services include the following:

•    The use of our proprietary, highly sought after PA DSS compliance Implementation Guide template.
•    Readily available policy and procedures template developed exclusively for PA-DSS compliance.
•    Seasoned, veteran assessors with years of experience in the payments industry
•    All at a competitive, fixed-fee price model.

Call today and speak directly with PCI-QSA | PA-QSA Charles Denyer at 1-800-277-5415, ext. 705 or email him directly at cdenyer@ndbcpa.com.  Charles will take the time to discuss your PA-DSS needs along with any other general Payment Card Industry Data Security Standards (PCI DSS) questions, comments, or concerns you or your organization may have.

Looking for a PCI QSA in Birmingham, AL to help assist with your Payment Card Industry Data Security Standards (PCI DSS) compliance needs? If so, then contact PCI QSA Charles Denyer of NDB Advisory at 1-800-277-5415, ext. 705 or email him at cdenyer@ndbcpa.com. Charles has worked with numerous organizations throughout the country regarding PCI compliance, ranging from small, privately held start-ups to large, nationally recognized organizations. He and his dedicated staff at NDB Advisory have developed a proven, efficient, and cost-effective methodology for meeting all your compliance needs, especially that of Level 1 on-site assessments, which require the use of a Payment Card Industry Qualified Security Assessor (PCI-QSA).

NDB Advisory’s PCI QSA Birmingham, AL auditing and consulting services consist of the following phases for meeting your level 1 compliance needs, regardless if you are a merchant or a service provider:

(1) PCI DSS Readiness Assessment

(2) Policy & Procedure (P&P) Analysis and Development

(3) Remediation Activities

(4) Vulnerability Scanning Services

(5) Penetration Services

(6) PCI DSS Assessment | on-site Fieldwork

(7) Issuance of “Report on Compliance” (ROC) and any other necessary reporting deliverables

Each phase is carried out and executed in a thoughtful, diligent manner, thus providing efficiencies of scale, yet producing a comprehensive, quality PCI report, all at a cost-effective fixed fee for your organization. What’s more, Charles and his staff have developed numerous helpful tools, such as policy and procedure templates, for helping organizations with their PCI DSS compliance needs. From a readiness assessment to the final issuance of the PCI Report on Compliance (ROC), our PCI QSA Birmingham, AL auditing and consulting services will get you up to speed with PCI compliance in no time.

9. Policies and Procedures-There are a very large number of various policies, procedures, forms, checklists, etc. that need to be developed for PCI compliance.  And while PCI compliance is considered technical in nature, much is to be done on the more qualitative, soft-side of technical writing. Companies really struggle with this very issue as they simply don’t have the time and resources needed to develop quality, highly customized policies and procedures.  If you take the time to thoroughly analyze each of the twelve (12) PCI DSS requirements and their respective sub-components, you often come across mandates calling for “policies, procedures, authorization forms,”, etc. that need to be developed and implemented into an organization’s daily operational environment.  Your best bet here is to find a reputable, quality firm offering PCI policy and procedure writing or to use a company such as pcipolicyportal.com.

10. Operational Commitments from Internal Personnel-In short, most organizations struggle immensely from an operational perspective with PCI. They either do not have the manpower, applicable skill sets, or budget to provide adequate resources for an engagement of this type. This often leads to delays and missed project milestones for PCI compliance. They have the intent and sincerity of wanting to become compliant, but simply don’t have the resources to achieve their goals in a timely manner.  Thus, one way to remove some of these burdens associated with PCI compliance is to discuss many of these issues mentioned in my top 10 list and what activities can be immediately undertaken to address these pressing concerns.

I hope this list has been helpful to you and please look for more PCI Top 10 lists in the future.

View Part I and Part II of Top Ten PCI Challenges

About Charles Denyer
Charles Denyer is a member of NDB Accountants & Consultants, a nationally recognized boutique CPA and advisory firm specializing in Regulation AB, SAS 70, SSAE 16, ISAE 3402, FISMA, NIST, HIPAA, ISO and PCI DSS compliance, along with other regulatory compliance initiatives. Mr. Denyer is actively involved in numerous professional associations and organizations for a wide range of industries and business sectors. He is also an advanced social media expert, having spent years working in the field of search engine optimization (SEO) and various forms of online marketing and social media.
Mr. Denyer holds numerous accounting and technology certifications along with a Masters in Information and Telecommunication Systems from the Johns Hopkins University and a Masters in Nuclear Engineering. He is also currently an MBA candidate for the Johnson School of Business at Cornell University. He can be reached at cdenyer@ndbcpa.com or at 800-277-5415-ext.705.