PCI Qualified Security Assessor | PCI QSA | Call NDB Advisory

Looking for a PCI Qualified Security Assessor (QSA) who is cost-effective, has years of experience in performing these types of audits and can assist your organization with all your PCI DSS needs? If so, then contact NDB Advisory, a nationally recognized boutique QSA firm specializing in PCI DSS assessments.

NDB Advisory offers a comprehensive, cost-effective and workable approach to meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS). A structured PCI DSS Roadmap for compliance is undertaken to ensure your organization is fully aware of the scope of the assessment along with the time, effort and internal commitments required of you.

NDB Advisory has conducted PCI DSS assessments for a wide range of companies. Additionally, we have also worked with a number of smaller organizations who only have to "self assess" against the PCI DSS standards, but still needed the expert advice of a Qualified Security Assessor (QSA).

Additionally, you can email me directly at cdenyer@ndbcpa.com with any questions you may have regarding Payment Card Industry Data Security Standards (PCI DSS) compliance, and I will be more than happy to assist you in any way I can.

Good luck on PCI compliance.

PCI DSS | Industry Terminology You Should Know

If you are a merchant or service provider and the Payment Card Industry Data Security Standards (PCI DSS) provisions are being required for your organization, then take some time to learn about industry terminology that will ultimately give you a better grasp of the who, what, where and why of PCI DSS compliance.

  • Cardholder: This is the customer purchasing goods either as a "card present" or "card not present" transaction. The customer is the individual who receives the payment card and bills from the issuer.
  • Issuer: Bank or other organization issuing a payment card on behalf of a payment brand, such as MasterCard and Visa. Additionally, some payment brands issue cards DIRECTLY, such as American Express, Discover Card and JCB.
  • Merchant: The organization accepting the payment card for payment during a purchase.
  • Acquirer: This is the bank or entity that the merchant uses to process its payment card transactions. It essentially receives the authorization request from the merchant and forwards it to the issuer for approval. The acquirer also provides authorization, clearing and settlement services to merchants. Lastly, the acquirer may also be called a merchant bank or an ISO, and it may be a payment brand (AMEX, Discover, JCB), but NEVER Visa or MasterCard.

To learn more about the Payment Card Industry Data Security Standards (PCI DSS) provisions, visit the official PCI DSS Resource Guide.

Requirements of Service Provider | PCI DSS Service Provider Levels

Requirements of Service Providers for Payment Card Industry Data Security Standards (PCI DSS) compliance are as follows:

VISA (Levels 1 to 3):

  • Annual onsite review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire
    (Canada: SAQ required and must be reviewed by QSA)

American Express (AMEX):

  • Annual on-site review by QSA (or internal auditor if signed by officer of merchant company)
  • Quarterly network scan by ASV

Discover:

Quarterly network scans by ASV AND one of the following:

  • Annual on-site review by QSA (or internal auditor if signed by officer of Service Provider)
  • Annual self-assessment questionnaire

JCB:

  • TPP validation requirements will be outlined in forthcoming JCB rules and regulations.

MasterCard:

  • Level 1 SPs: Annual on-site review by QSA AND quarterly network scan by ASV
  • Level 2 SPs: Annual self-assessment questionnaire AND quarterly network scan

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide.

PCI Qualified Security Assessors (QSA) | Call NDB Advisory

Looking for a quality, cost-effective PCI DSS Qualified Security Assessor (QSA)? If so, then contact NDB Advisory, as we have years of experience in working with the PCI DSS compliance framework. What's more, we understand where the roadblocks can be and what it takes to eliminate the costly and time-consuming issues that create problems for merchants and service providers seeking PCI DSS compliance.

NDB Advisory is a nationally recognized boutique consulting firm specializing in Payment Card Industry Data Security Standards (PCI DSS) compliance for merchants and service providers. We specialize in Level I Report on Compliance (ROC) assessments and we can help you every step of the way. From writing policies and procedures to the issuance of the final ROC report, let us help you obtain PCI DSS compliance in a cost-effective manner.

To learn more about us, visit pciassessment.org, a comprehensive site dedicated to all aspects of PCI DSS compliance for merchants and service providers alike.


PCI DSS Qualified Security Assessor (QSA)

Level I (and now Level II compliance for MasterCard Merchants) can be a very time consuming and expensive proposition if you don't know where to begin. There are many pitfalls, roadblocks, and other obstacles in obtaining PCI DSS compliance.

One of the first steps a merchant or service provider needs to undertake is to conduct a PCI DSS Readiness Assessment. This will help your organization clearly understand the scope of the assessment, what it entails, and what areas your organization may be weak or deficient in for purposes of PCI DSS compliance.

One area where most organizations need assistance is in the development of policies and procedures for PCI DSS compliance. This can be extremely time-consuming for a number of reasons:

  • You have no policies and procedures.
  • You don't have the skills or time to write the policies and procedures.
  • You have some policies and procedures, but they are out of date and no longer relevant.

Visa PCI DSS Service Provider Requirements | pciassessment.org

Listed below are the VISA Service Provider Requirements with regard to PCI DSS compliance.

Level 1 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

Level 2 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

Level 3 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

In summary, if you are a Service Provider, an annual on-site assessment/review by a QSA will have to be conducted.


PCI Compliance for Service Providers | What You Need to Know

Many service providers subject to PCI DSS are required to undergo an annual PCI DSS Level I assessment. This assessment process is conducted by a Qualified Security Assessor (QSA) as approved by the Payment Card Industry Security Standards Council (PCI SSC).

PCI compliance for service providers can be a taxing and time-consuming process, so it's best that you undertake a PCI DSS Readiness Assessment to properly prepare your organization for the rigors of compliance.

These readiness assessments are very helpful because they help "unearth" and identify gaps and weaknesses that will need to be corrected before fieldwork actually begins for the PCI DSS assessment for your organization.

More and more organizations that provide services to entities involved in credit card transactions are being required to be PCI DSS Level I compliant.

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide at pciassessment.org.


PCI DSS Readiness Assessment | Expert Advice from a QSA

A PCI DSS Readiness Assessment is a MUST for any merchant or service provider that will be going through a Level I Payment Card Industry Data Security Standards (PCI DSS) assessment. Level I assessments can be very complex and time-consuming, so it is vital you have a firm understanding of the scope and time commitments needed to successfully comply with the PCI DSS standards.

A quality PCI DSS Readiness Assessment conducted by a reputable QSA firm will help remove the common roadblocks for PCI DSS compliance. You'll gain a comprehensive understanding of the overall assessment process along with identifying critical areas of the actual assessment that will require work to be done, such as having documented policies and procedures in place.

Most QSA firms will fold this fee into the actual engagement. Don't look at it as an extra cost of compliance, but rather as a proactive and useful activity for ensuring you meet your goals for PCI.

PCI DSS Requirements for Merchants | Level 1 through Level 4

PCI DSS Requirements for Merchants vary based on the number of transactions an organization processes on a yearly basis. There are currently four (4) Merchant levels for Payment Card Industry Data Security Standards (PCI DSS) compliance.

What's important to note is that "most" (there are some exceptions) Merchants that fall into Levels 2 through 4 can "self assess" via the PCI DSS self assessment questionnaires, which can be found on the official PCI DSS website (www.pcisecuritystandards.org).

However, Level I Merchants will actually have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor, simply known as a QSA. These are very in-depth, technical, and time-consuming assessments, so be prepared to spend a considerable amount of time and effort for the initial Level I compliance. Listed below are helpful links to the Merchant Levels, what the thresholds are for transaction volume and what the requirements are for each Merchant level.

PCI DSS Compliance Roadmap | What You Need to Know

A PCI DSS Compliance Roadmap should consist of a number of predefined phases for helping ensure your organization (be it a merchant or a service provider) is able to become PCI DSS compliant in an efficient and cost-effective manner.

With that said, listed below are the three main phases that encompass your PCI DSS Compliance Roadmap:

  • Phase I: PCI DSS Readiness Assessment
  • Phase II: Remediation & Implementation for PCI DSS
  • Phase III: Assessment & Reporting for PCI DSS

To learn more about these three (3) phases, visit pciassessment.org, an informative and in-depth website developed by a leading Payment Card Industry Data Security Standards (PCI DSS) consulting firm, NDB Advisory.

Generally speaking, this roadmap is for Level I Merchants and Service Providers who have to undergo an actual on-site assessment by a PCI Qualified Security Assessor (QSA) as approved by the Payment Card Industry Security Standards Council (PCI SSC).

Author: Charles Denyer