PCI QSA: Frequently asked questions
- What markets does atsec serve?
- What if I am not sure if I need to comply with the standard?
- How do I decide whether I need an independent assessment or a self-assessment?
- What happens during an assessment?
- How do I find a Qualified Security Assessor?
- How long does an assessment take? How much does it cost?
- What is the scope of an assessment?
- How do I know if I am likely to pass?
- What happens if my business is not in compliance with the PCI DSS?
- Who should be contacted in case of a breach and loss of data?
- What can atsec do to help me with PCI compliance?
- I didn't find an answer to my question, where else can I look?
What markets does atsec serve?
atsec offers consultancy services for any market. atsec can currently perform compliance assessments for the U.S., Europe, and China. If you have requirements for other markets, please contact us.
What if I am not sure if I need to comply with the standard?
All merchants and service providers need to be in compliance with the standard. The precise rules for how they must demonstrate this compliance to the payment brands vary by brand.
How do I decide whether I need an independent assessment or a self-assessment?
In general, independent assessments are required for those who process large volumes of transactions, are at high risk, or have already experienced security breaches. The different payment brands have varying requirements regarding assessments. For example, merchants are typically assigned to a certain "level" based on their transaction volume, and for specific levels the individual brands may require a compliance assessment performed by a Qualified Security Assessor (QSA). atsec can help you understand what is needed for your situation. Alternatively, you can contact your acquiring bank or the payment brand(s) directly to find out which kind of assessment is required of you.
What happens during an assessment?
Assessments follow the PCI DSS Security Audit Procedures, which provide both a requirements checklist and the testing procedures used to verify each requirement. Typically, a Qualified Security Assessor (QSA) will first ask to see the documentation for your environment and procedures. After reviewing this, an on-site assessment is performed to verify that your documentation is correct and that cardholder data is processed and stored in a manner compliant with the standard. Finally, the QSA will either provide you (and the brand, as appropriate) with a Report on Compliance (ROC) stating that you meet the standard's requirements, or provide you with a list of issues that need to be resolved before a ROC can be issued.
For more information please take a look at the Security Audit Procedures.
How do I find a Qualified Security Assessor?
The PCI Security Standards Council (SSC) maintains on its website a list of QSAs that are recognized by the SSC (and therefore by the individual brands) to perform assessments.
How long does an assessment take? How much does it cost?
Time and cost vary widely because the scope of an assessment varies widely. For some organizations the scope is as small as a single PC; for others it spans several data centers. Producing the ROC also takes additional time beyond the assessment itself.
atsec can provide you with an estimate of time and costs for your situation. If you would like an estimate, please complete our PCI QSA Request for Information form.
What is the scope of an assessment?
All systems that store, process, or transmit Primary Account Numbers (PANs, i.e., credit card numbers), and all systems on the same logical network as these, must be in compliance with the PCI Data Security Standard. However, reducing the number of systems that are involved in transaction processing or that can access cardholder data, implementing network segmentation (e.g., by means of firewalls), and similar measures can effectively reduce the scope, and therefore the effort, of a compliance assessment.
How do I know if I am likely to pass?
We recommend that you complete the Self-Assessment Questionnaire produced by the PCI SSC. For those with non-trivial environments, or who would like an independent opinion and support in reaching compliance, atsec can perform a readiness assessment.
What happens if my business is not in compliance with the PCI DSS?
If a breach occurs, a non-compliant merchant or service provider may face financial and operational consequences from their payment brand(s). Organizations that can demonstrate they were in compliance with the standard at the time of the breach may receive reduced fines, depending on the exact circumstances.
Who should be contacted in case of a breach and loss of data?
If you suspect (or have confirmed) a security breach that involves the potential disclosure of card data, you should activate your incident response procedures and follow the brand-specific notification procedures. This includes informing the affected payment brands within the mandated time frame and, as appropriate, law enforcement agencies. atsec can help you determine what needs to be done.
What can atsec do to help me with PCI compliance?
atsec can serve as your single provider for compliance with the PCI Data Security Standard, helping you achieve compliance and answering information security questions related to your payment operations in general. We are recognized as a QSA by the PCI SSC to perform compliance assessments, and we have a reputation for providing reliable and trustworthy information security testing, management, and technology consulting.
I didn't find an answer to my question, where else can I look?
For more information about the PCI SSC and the PCI DSS, please visit the PCI DSS website or email us at info@atsec.com.
