A PCI DSS audit is a detailed examination of the security of an organization's credit-card processing system. PCI QSA Audit consists of both onsite and off-site activities and is performer by a Qualified Security Assessor (QSA) who evaluates an entity's payment and credit card security implementation against PCI DSS standard.
SC2labs provides the PCI DSS audit service, as accredited by the PCI SSC
PCI QSA auditor
Published on March 2022 the new version 4.0 of the PCI Data Security Standard (PCI DSS) replaces version 3.2.1 to address emerging threats and technologies and enable innovative methods to combat new threats.
Level 1 Service Providers that store, transmit, or process more than 300,000 credit card transactions annually.
Level 1 Merchant that store, transmit, or process more than 6 000,000 credit card transactions annually.
any other entities required by their acquirer (regardless of annually upon of transactions)
On-site Annual Security Audit
A detailed on-site assessment provided is by a PCI SSC certified QSA (Qualified Security Assessor) or by a certified ISA (Internal Security Assessor). The Audit is a detailed review of an organization’s card data environment that result in a RoC (Report on Compliance) and AoC (Attestation of Compliance).
External Vulnerability Scan PCI ASV
External network vulnerability scanning is conducted quarterly by a PCI SSC Approved Scanning Vendor (ASV) of all Internet-facing system components that are a part of or provide a path to the cardholder data environment.
Kickoff and Planning
The kickoff is considered the start of the engagement after the agreement is executed. We will discuss the certification process, identify the point of contact from both organizations and timelines for assessment, define a project roadmap and plan the next steps.
Preparation Phase
In the preparation phase, we offer tailor – support approach. It can consist of:
PCI DSS training/workshop - our dedicated to the project QSA auditors will conduct the training at an early stage and explain all requirements of the PCI Standard, which will lead to a better understanding of the process and proper preparation for formal validation
PCI DSS scoping – to take a closer look at network segmentation, inclusion and dependency of any third party/ outsourcing.
Pre-Assessment or full Gap Assessment. Pre-assessment consists of interviews, reviews of documentation and a broadly walk-through to identify gaps and provide recommendations. The GAP Analysis is a more detailed process, we will conduct an “as-is” assessment of your organization to identify gaps in security controls, systems, documentation and the environment against all PCI DSS requirements. The GAP executive summary includes any identified discrepancies and necessary recommendations for action.
Remediation/ Advisory Support. Assistance to provide advisory support for mitigating gaps and collecting evidence software development.
Formal validation
Once all controls are confirmed to be in place, the on-site assessment will begin. It is the formal process in which accredited auditor will conduct the formal assessment against all requirements.
Reporting
The report will be provided within 3 weeks of the last day of successful completion (all required documents are delivered and collected by the QSA).
The deliverables include:
PCI DSS RoC – Report on Compliance
PCI AoC – Attestation of Compliance
Certificate of Compliance
Continual Support
After your successful certification, we provide continual at an in the ongoing maintenance of organization’s compliance – we will provide and discuss changes to the security standard itself, as well as explain and at with emerging issues and questions.
You may also be interested in :
GAP
ANALYSIS
INFORMATION SECURITY POLICY
TRAINING
ASV SCANNING
PENTESTS
PCI QSA Audit - an examination of IT systems, organisational documents, policies, procedures and employee interviews performed at the client's premises for compliance with the PCI DSS standard.
PCI ASV Audit - PCI ASV scan - services to check the security level of external information systems in accordance with the requirements of the PCI DSS standard.
GAP Audit - testing the degree of compliance of the client's system with the requirements of the PCI DSS standard.
PCI QSA - Payment Card Industry Qualified Security Assessor - an accredited auditor, certified by the PCI SSC, qualified to verify information systems for compliance with the PCI DSS standard.PCI ASV - Payment Card Industry.
Approved Scanning Vendor - an accredited auditor, certified by PCI SSC, with the authority to verify information systems for compliance with the PCI DSS standard.
Attestation of Scan Compliance (AoSC) - a document confirming passing or failing a PCI ASV scan (issued after PCI ASV scanning as a part of report) with PCI DSS requirement 11.2.
Report on Compliance (RoC) – large document (over 300 pages) that is completed during PCI QSA on-site audit. This document is usually only shared with card organizations (such as VISA/Mastercard)
Attestation of Compliance (AoC) - a formal document confirming compliance with PCI DSS. It is completed either by Merchant/Service Provider (if they are eligible to fill SAQ) or by PCI QSA at the end of PCI QSA on-site audit.
Issuer - a bank or other organisation issuing a card under the authority of a payment organisation, e.g. VISA or MC.
Acquirer - a bank or organisation that the merchant uses to process payment card payments. Receives authorisation requests and sends them to the issuer (Issuer) for acceptance. Provides services in the processes: authorization, clearing and settlement for the merchant. The Acquirer usually is:
Merchant bank,
Settlement agent,
Service provider (sometimes),
Card organisation (JCB, Discover, Amex),
Never VISA or MC.
SAQ – Self Assessment Questionnaire – the form of self-check for merchants and service providers with low transaction volume (see compliance levels) if they are compliant with PCI DSS.
CoC – Certificate of Compliance – issued by SC2labs for marketing and PR purposes. This is not a formal confirmation on compliance (AoC is a formal document).
Merchant - an organisation that accepts credit card payments at the time of purchase.
Service Provider - transaction Processor.