PCI QSA SERVICES
Global PCI QSA consultant services.
As a Qualified Security Assessor (QSA) company, Nettitude has been approved by the PCI Security Standards Council (SSC) to measure an organisation’s compliance with the PCI DSS standard. We are one of fewer than ten companies worldwide to be a PCI QSA, PCI PA-QSA and PCI ASV company. This is backed by industry-leading penetration testing, incident response and security solutions teams that are 100% focused on delivering best-of-breed security consulting and guidance.
Through Nettitude’s presence in both Europe and North America, we are ideally suited to deliver PCI consulting and auditing services for organisations with a global reach.
PCI For All Companies
Our team of QSA consultants delivers PCI consulting services across the globe, for merchants, service providers and acquirers alike. We work with Level 1 and Level 2 organisations all the way down to Level 3 and Level 4 merchants.
We ensure that each client is provided with both a primary QSA and secondary QSA on all projects and engagements. This ensures that we maintain a consistent interface with your organisation and generate maximum return on your investment.
Our focus is on delivering high-quality PCI guidance in a pragmatic, risk-based approach. It is this approach that sets us apart from the crowd and has enabled us to become the trusted partner of many organisations that are working towards, or maintaining, PCI DSS compliance.
The PCI DSS covers more than 240 requirements and is applicable to all types of businesses, ranging from traditional bricks-and-mortar retailers, through to contact centres, mail order companies and e-commerce entities. Nettitude will guide you through these three phases of the PCI DSS journey, to help achieve and maintain compliance.
PCI Gap Analysis
The recommended approach for organisations embarking on the PCI DSS journey is to have a formal gap analysis. During this exercise, Nettitude measures an organisation’s current policies, processes, working practices, and technologies against the PCI Data Security Standard (DSS). A gap analysis typically involves a Nettitude QSA travelling to an organisation’s office and conducting a card data flow assessment. This exercise identifies all areas where card data enters the environment, exits the environment, and all places where card data is at rest.
The exercise will frequently result in a QSA working closely with IT managers/directors, compliance managers, and security officers to understand the finer details of how card data is handled. In addition, members of finance and HR may be required to feed into the process so that all aspects of the security standard can be considered. Once all card data flows have been mapped out, Nettitude will measure the environment against the PCI DSS. This exercise is effectively a backward-facing assessment of the environment against what the PCI DSS requires. Using this data, Nettitude will identify the gaps and provide feedback on areas that are both compliant and non-compliant.
The Gap Analysis Will Produce The Following Documents:
- A high-level review of the cardholder data environment
- Identification of all current cardholder data processes and storage locations
- A fully completed Self-Assessment Questionnaire (SAQ)
- Fully completed Prioritised Approach Document (PAD)
As part of the gap analysis, Nettitude will also provide a forward-facing roadmap on how the gaps can be bridged. This document provides strategic guidance on how to reduce risk, leverage existing technologies and enhance the environment in line with PCI DSS requirements. At the same time, Nettitude will produce a defined project plan with key milestones that can be realistically achieved.
As Part Of a Gap Analysis, Nettitude Will Also Generate The Following Documents:
- Strategic project plan for achieving compliance
- Suggested Gantt chart for compliance
Nettitude’s gap analysis services are always 100% vendor agnostic. They focus on the PCI DSS requirements and do not make recommendations about individual vendor solutions or technologies. For organisations that require additional guidance, Nettitude can provide unbiased remediation and solutions advice that leverage existing technology investment to aid in the compliance journey.
PCI Card Discovery Services
One of the most fundamental elements within a PCI DSS project is identifying where card data resides. It is common for organisations to be unaware of the intricacies around card data storage in log files, temporary files, backup files and legacy processes. Virtualisation, snapshotting and cloud-based technologies can result in card data being stored in many different files, images and locations, and all of these elements influence the risk of card fraud to an organisation.
To address the issues around card data storage, Nettitude provides card discovery services to find PAN data using forensic methods and commercial card discovery tools. As part of this service, Nettitude can identify all areas where card data is stored and provide a road map on how it should be managed.
Complementary to the card discovery service, Nettitude is also able to purge unwanted data. This approach uses secure deletion techniques to ensure that the information is removed securely and permanently.
For organisations that want to deploy a proactive PAN scanning tool, Nettitude can deploy a small snippet of code to continually assess devices for the storage of card data. If a PAN is detected, an alert is generated to a SIEM device or an SMTP daemon.
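The card discovery and proactive PAN scanning described above rest on one core technique: find digit sequences of card-number length, discard the ones that fail the Luhn checksum (order numbers, timestamps, session IDs), and report any survivors in masked form so the finding itself does not become another place card data is stored. The following is an added illustration written for this page, not Nettitude's scanning tool or any commercial card discovery product. The log lines are constructed for the example, the card numbers are the publicly published Visa and Mastercard test numbers (they are not live accounts), and `format_alert` only builds the message text; shipping it to a SIEM via syslog or to a mail daemon is left to the deployment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes. The look-around assertions stop us matching a 16-digit window
# inside a longer digit run (e.g. a 20-digit transaction reference).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four (the PCI DSS display rule); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class PanFinding:
    source: str     # file or device the line came from
    line_no: int    # 1-based line number within that source
    masked: str     # masked PAN; the full PAN is never retained


def scan_lines(source: str, lines: Iterable[str]) -> List[PanFinding]:
    """Return one finding per Luhn-valid card number found in the lines."""
    findings: List[PanFinding] = []
    for line_no, line in enumerate(lines, start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(PanFinding(source, line_no, mask_pan(digits)))
    return findings


def format_alert(finding: PanFinding) -> str:
    """Single-line alert suitable for forwarding to a SIEM or mail relay."""
    return (f"PAN_DETECTED source={finding.source} "
            f"line={finding.line_no} pan={finding.masked}")


# Constructed sample log: one order ID and one timestamp of card-number
# length (both fail Luhn), two genuine test PANs, and one already-masked PAN.
SAMPLE_LOG = """\
2024-01-15 10:02:11 INFO order=1234567890123456 status=paid
2024-01-15 10:02:12 DEBUG card=4111111111111111 exp=12/26
2024-01-15 10:02:13 DEBUG card=5555 5555 5555 4444 exp=01/27
2024-01-15 10:02:14 INFO masked=411111******1111 ok
2024-01-15 10:02:15 INFO session=20240115100215 ready
"""


if __name__ == "__main__":
    for f in scan_lines("constructed.log", SAMPLE_LOG.splitlines()):
        print(format_alert(f))
```

Run against the sample, only lines 2 and 3 are reported; the order ID and timestamp are regex hits that Luhn rejects, and the already-masked value never forms a candidate. In a real deployment the scanner would walk the file system (including backups, temp directories and snapshot images, which is where the text above says card data tends to hide) and the alert line would be the payload for the SIEM or SMTP hand-off.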
Specific PCI Services
For some clients, a gap analysis may not be required. In these instances, Nettitude is able to assist with specific areas of the PCI DSS.
In instances where organisations have conducted their own gap analysis or where gap analysis has been conducted by another QSA company, Nettitude can provide both on-going and focused consultancy to help bridge the gap.
There is no explicit blueprint for achieving compliance and, as a consequence, guidance from an experienced assessor who will have seen many types of card data environments can prove invaluable.
Nettitude focuses on helping organisations reduce their risk. This may be achieved through numerous approaches and technologies and can frequently result in a PCI DSS scope reduction. These types of approaches can make the compliance journey easier and also reduce the cost of compliance year-on-year.
Examples of areas where assistance is often required in network design and scoping include:
- Card data storage
- Process segmentation
- Role-based access controls
- Encryption
- Key management
- Application design
- Patch management
- Change control
PCI Support Services
The Payment Card Industry Data Security Standard (PCI DSS) has gone through a series of revisions and will continue to evolve as new technologies and payment solutions develop. As a consequence of this, and due to the annual audit requirement, many organisations choose to work with a Qualified Security Assessor (QSA) partner on an on-going basis.
As part of Nettitude’s security services, we are pleased to be able to offer our clients access to a focused PCI DSS support service. Clients can contact us during standard office hours and gain unlimited access to our skilled team of QSAs and security consultants. Clients that use Nettitude’s PCI DSS support services will benefit from proactive advice and guidance when information is released from the PCI Special Interest Groups (SIGs) and when clarification is given around some of the hotter topics of the security standard.
Nettitude provides access to real security consultants, with real security expertise. Instead of accessing an anonymous Wikipedia or extranet service, our consultants can offer you pragmatic advice and guidance that is tailored to individual requirements.
PCI QSA Pre-audit Services
PCI DSS audits can be a relatively stressful exercise for organisations approaching their first assessment. To provide organisations with more confidence that they will pass, and iron out any deficiencies before the full audit, Nettitude recommends that they embark upon a pre-audit approximately one month before the final audit.
Pre-audit Compliance Check
A full QSA audit can sometimes take weeks to complete. To maximise the success of this exercise or even to seek confidence before submitting an SAQ, Nettitude can perform a pre-audit compliance check. During a pre-audit, a QSA consultant will walk through all aspects of the audit, from start to finish. All policies, procedures, and working practices will be measured against the PCI DSS requirements.
Configurations will be reviewed, logs will be assessed and vulnerability information will be reviewed and considered. This whole process will be similar to a PCI DSS audit, but with less focus on data collection or data validation.
Final QSA Audit
Once Nettitude commences a final QSA audit, it is governed by relatively aggressive timescales around areas of non-conformance. If non-conformances are identified at the end of a final audit, in some instances it can result in the clock being reset, with the whole audit being conducted again post-remediation. Going through the pre-audit phase eliminates the possibility of final audit non-conformance. Nettitude encourages all clients pursuing PCI compliance to go through a pre-audit phase. This trial run will provide a degree of assurance that the final audit will run smoothly.
When Nettitude conducts pre-audits, it is common for there to be missing technologies and missing policies and procedures. As a consequence, Nettitude delivers strong pre-audit reporting (consistent with the gap analysis reporting) to enable clients to bridge any gaps.
PCI QSA Audit & ROC Services
Nettitude is one of only a handful of elite PCI-approved companies that is a PCI QSA, a PCI PA-QSA, a PCI P2PE-QSA and a PCI ASV. As a consequence, our highly skilled consultants can offer advice and guidance for all types of organisations embarking on the PCI DSS compliance journey. We provide consulting and audit services in the UK, EMEA, the US and Asia Pacific and have a strong portfolio of happy customers.
What Should You Expect From a PCI QSA Audit?
Nettitude has developed a set of tailored tools and techniques that help us undertake audits both seamlessly and consistently. During our audits, we collect evidence through interviews, through a review of system configuration, through a review of policies and procedures and through a review of working practices. Where sampling can be undertaken, Nettitude’s QSAs will collect representative samples of your working practices.
Report On Compliance (RoC)
One of the outputs from an audit is that Nettitude produces a Report on Compliance (RoC). This report is submitted to the card brands (for service providers) or to the acquirer (for merchants). The RoC provides a full insight into how the organisation interacts with card data and provides both qualitative and quantitative measurement against the standard. Once the RoC is accepted by the acquirer or card brand, the organisation will be classed as PCI DSS compliant for 12 months from the point of the audit.