Tag Archives: penetration testing

PCI DSS | PCI QSA Compliance Auditors, Assessors, Consultants for Alabama

Looking for high-quality, cost-effective PCI DSS compliance auditors, assessors, and consultants for Alabama businesses?  Then contact the Payment Card Industry Data Security Standards (PCI DSS) experts at NDB Advisory today. With years of experience helping businesses in today’s ever-growing regulatory compliance laws and mandates, NDB Advisory – under the guidance of PCI-QSA Charles Denyer (1-800-277-5415 – ext. 706 | cdenyer@ndbcpa.com) can get your Alabama business compliant in an efficient, comprehensive, and cost-effective manner.  We’ve helped companies all throughout the Southeast – and North America – in becoming PCI DSS compliant, and we can help you also – call today and let’s discuss your needs.

If you are involved in the storing, processing, and/or transmitting of cardholder data, compliance with the Payment Card Industry Data Security Standards (PCI DSS) is a must – no exceptions.  From helping organizations with the widely-known Self-Assessment Questionnaires to performing Level 1 onsite assessments as required by a Payment Card Industry Qualified Security Assessor (PCI-QSA) NDB is your “go to” firm when it comes to Alabama PCI compliance auditors, assessors, and consultants.  We’ve helped numerous businesses in the state of Alabama, and can help you also.

It’s also important to note that one of the largest and most often overlooked areas of PCI compliance is documented operational and information security policies and procedures.  Companies loathe developing them, what policies they do have in place are highly antiquated and outdated, and they never seem to find time in dedicating resources to such initiatives.  We’ve spent years developing our own highly customized set of PCI DSS specific policies and procedures, and they’re available for you to use!  Whatever your industry is – manufacturing, technology, healthcare – the experts at NDB can put together a comprehensive and cost-effective roadmap for PCI DSS compliance.  Call and speak directly with our top PCI-QSA, Charles Denyer, at 1-800-277-5415, ext. 706, or email him at cdenyer@ndbcpa.com today for PCI compliance auditor, assessor and consultants for Alabama.

8 PCI Compliance Requirements Every Business Needs to Know About

PCI compliance requirements are affecting virtually every industry and business sector, ultimately requiring organizations to undergo extensive measures for ensuring adherence to the Payment Card Industry Data Security Standards (PCI DSS) provisions. It’s thus important for merchants, service providers, and all other entities involved in the storage, processing, and/or transmission of cardholder data to understand what PCI compliance really means, that is, the “who, what, when, where, and why” of this ever-growing and expanding framework.  Charles Denyer, a noted Payment Card Industry Qualified Security Assessor (PCI-QSA), discusses the following 8 PCI compliance requirements that every business should know about:

1. Compliance is mandatory – Are you an organization that stores, processes, and/or transmits cardholder data, or have some type of credible nexus with such cardholder data? If so, then welcome to the world of PCI DSS compliance, which seems to be growing and expanding more and more.  For purposes of PCI, organizations are identified as either merchants or service providers, and along with these designations come varying compliance requirements, ranging from onsite assessments by a Payment Card Industry Qualified Security Assessor (PCI-QSA) to self-assessment procedures via the Self-Assessment Questionnaires (SAQ) available from the PCI Security Standards Council (PCI SSC).  

2. Policies and Procedures are a Must – One of the biggest mistakes I see as a PCI-QSA is merchants and service providers failing to understanding the fundamental importance of having documented policies and procedures in place for PCI compliance.  Sure, there are many technical requirements that must be met – no question about it – but the policy requirements can be just as arduous and taxing to complete. I recommend finding high-quality PCI compliance polices, such as those provided by pcipolicyportal.com.

3. Quarterly Scanning – Compliance with PCI for all merchants and service providers (regardless of transaction level) also consists of quarterly network scans, also known as "vulnerability scans", and it requires them to undergo both internal and external network scans.  And for initial PCI DSS compliance, four (4) passing quarterly scans is NOT required, but it is a strict requirement thereafter.  Additionally, scans are to be conducted by an Approved Scanning Vendor, known as an ASV, which is an organization ultimately approved by the Payment Card Industry Security Standards Council (PCI SSC) for conducting scans. Lastly – and this is important to note – internal and external scans are to be performed after any "significant" changes. What is "significant" – that's a question to discuss with a PCI-QSA, such as me, so give me a call if you have any questions at 1-800-277-5415, ext. 706.

4. Penetration Testing – PCI compliance requirements also include penetration testing, which is detailed in Requirement 11 of the actual Payment Card Industry Data Security Standards. In short, organizations will need to conduct a comprehensive pen test, which includes both external and internal tests, both from a network layer and application layer perspective.

5. Report on Compliance – If it’s an onsite assessment that’s required for your organization, then you’ll need to contact a Payment Card Industry Qualified Security Assessor (PCI-QSA), such as myself (Charles Denyer | 1-800-277-5415, ext. 706 | cdenyer@ndbcpa.com).  The end deliverable for an onsite assessment is known as the Report on Compliance, or “RoC” as it’s called in the industry.

6. SAQ vs. Onsite Assessments – The vast majority of merchants and service providers can meet PCI compliance via the self-assessment process, which essentially means completing a “Self-Assessment Questionnaire” and the accompanying Attestation of Compliance (AoC). However, a small, but growing number of organizations still require onsite assessments by an actual PCI-QSA.  The SAQ vs. Onsite Assessments are apples vs. oranges – very different in many ways – with costs being one of the most important to note.

7. If you process, store or transmit cardholder data, you’re in scope for PCI compliance – It’s really that simple and clear-cut. If you are involved in working with cardholder data in any way, then PCI compliance will surely be something to discuss amongst your organization.  Not only is non-compliance not a good idea, but your customers and other entities are starting to demand it now, more than ever before.  And this holds true especially for service providers, who are now being required to undertake compliance via SAQ D, or with an actual onsite assessment by a Payment Card Industry Qualified Security Assessor (PCI-QSA), such as Charles Denyer of NDB Advisory (cdenyer@ndbcpa.com | 1-800-277-5415, ext. 706).

8. PCI is a moving target – Forget about the "one and done" notion – compliance with the PCI DSS provisions requires a constant commitment, so just remember that.