atsec information security

PCI QSA: Frequently asked questions

What markets does atsec serve?
atsec is able to offer consultancy services for any market. atsec is currently able to perform compliance assessment for the U.S., Europe and China. If you have requirements for other markets please contact us.

What if I am not sure if I need to comply with the standard?
All merchants and service providers need to be in compliance with the standard. The precise rules and requirements for how they have to demonstrate this compliance to the payment brand vary by brand.

How do I decide whether I need an independent assessment or a self-assessment?
In general, independent assessments are required for those who process large volumes of transactions, are at high risk, or have already experienced breaches. The different payment brands have varying requirements regarding the assessments. For example, merchants are typically assigned a "Level" based on their transaction volume, and for specific levels the individual brands may require a compliance assessment performed by a Qualified Security Assessor (QSA). atsec can help you understand what is needed for your case; alternatively, you can contact your acquiring bank or the payment brand(s) directly to find out which kind of assessment is required of you.

What happens during an assessment?
In essence, assessments follow the PCI DSS Security Audit Procedures, which provide a checklist and testing procedures. Typically, a Qualified Security Assessor (QSA) will first want to see the documentation of your environment and procedures. After reviewing this, an onsite assessment is performed to verify that your documentation is correct and that sensitive data is processed and stored in a manner compliant with the standard. Finally, the QSA will either provide you (and the brand, as appropriate) with a Report on Compliance (ROC) stating that you meet the standard's requirements, or provide you with a list of issues that need to be resolved before a ROC can be issued.

For more information please take a look at the Security Audit Procedures.

How do I find a Qualified Security Assessor?
The PCI Security Standards Council (SSC) maintains on its website a list of QSAs that are recognized by the SSC (and therefore the individual brands) to perform assessments.

How long does an assessment take? How much does it cost?
This varies because the scope of an assessment differs widely between organizations. For some organizations the scope can be as small as a single PC; for others it may span several data centers.
Producing a ROC (Report on Compliance) takes some additional time.
Please complete our RFQ (Request for Quote) form for an estimate of time and costs.

What is the scope of an assessment?
All systems that store, process or transmit Primary Account Numbers (credit card numbers), and all systems that are within the same logical network as these, must be in compliance with the PCI Data Security Standard. Reducing the number of systems that are involved in transaction processing or that could access related data, implementing network segmentation (e.g., by means of firewalls), and similar measures can effectively reduce the effort of compliance assessments.

How do I know if I am likely to pass?
We recommend that you complete the Self-Assessment Questionnaire produced by the PCI SSC at https://www.pcisecuritystandards.org/pdfs/pci_saq_v1-0.pdf.
For those with non-trivial environments or who would like an independent opinion and support in reaching compliance we recommend that you contact us for a readiness assessment.

What happens if my business is not in compliance with the PCI DSS?
In case of a breach, a non-compliant merchant or service provider might face financial and operational consequences from their payment brand(s). Organizations that can demonstrate that they were in compliance with the standard may receive reduced fines, depending on the exact circumstances.

Who should be contacted in case of a breach and loss of data?
If you suspect or have confirmed a security breach that involves the potential disclosure of card data, you should activate your incident response procedures and follow the brand-specific procedures for notification. This includes informing the affected payment brands within the mandated time frame and law enforcement agencies as appropriate. atsec can help you determine what needs to be done.

What can atsec do to help me with PCI compliance?
atsec can be your one-stop provider for compliance with the PCI DSS and for information security questions related to your payment operations in general. We can help you achieve compliance with the Data Security Standard; we are recognized as a QSA by the PCI SSC to perform compliance assessments; and we have a reputation for providing reliable and trustworthy information security testing, management and technology consulting.

I didn't find an answer to my question, where else can I look?
For more information about the PCI SSC and the PCI DSS please visit
https://www.pcisecuritystandards.org/about/faqs.htm or email us at info@atsec.com.
