June, 2009

Jun 26 2009   3:37PM GMT

SAS 70 Audit | Why a Readiness Assessment is Crucial

Posted by: Charles Denyer
sas 70 audit, charles denyer, sas 70 readiness assessment, type i, type II, internal control framework

If your organization is seeking to become SAS 70 Type I or Type II compliant in the near future, then it is a wise decision to embark on a SAS 70 Readiness Assessment. These assessments essentially help you identify your control environment, the scope of the audit, and what deficiencies or gaps may be present within your overall internal control framework within your organization. It should not be looked upon as an additional cost of a SAS 70 audit, but that of a useful and proactive exercise in preparing your organization for the rigors of going through an actual SAS 70 audit.

Working right towards SAS 70 Type I or Type II compliance without conducting a SAS 70 Readiness Assessment can be a daunting and challenging task. Many problems can arise out of this, such as not properly scoping the audit, not adequately identifying weaknesses within your control structure, along with other critical and material issues. The result can be cost and time overruns to correct these issues that should of been addressed prior to the actual audit.

To learn more about SAS 70, visit the official SAS 70 Resource Guide.

Jun 26 2009   3:16PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | American Express | AMEX

Posted by: Charles Denyer
PCI DSS Requirements and PCI DSS Merchant Levels | American Express | AMEX, charles denyer, 50, 000 to 2.5 million American Express transactions, processing less than 50, 000 American Express, Annual onsite review, Quarterly Network Scan by ASV

While most individuals focus on Merchant Levels for VISA, it’s important to note that the additional payment brands, such as American Expresss (AMEX), have defined their own respective merchant levels based on transaction volume and what the requirements are. With that said, listed below are AMEX’s Merchant Levels and their corresponding requirements:

Level 1: Merchants processing over 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1.

Level 2: Merchants providing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems Level 2.

Level 3: Merchants processing less than 50,000 American Express transactions annually.

Level 4: NA. (AMEX does not have a 4th level, such as VISA).

Level 1 Requirements: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV.

Level 2 Requirements:Quarterly Network Scan by ASV.

Level 3 Requirements:Quarterly Network Scan by ASV.

To learn about PCI DSS compliance and the varying requirements for merchants and service providers, please visit pciassessment.org

Jun 26 2009   3:08PM GMT

PCI DSS Requirements and PCI DSS Merchant Levels | VISA

Posted by: Charles Denyer
PCI DSS Requirements and PCI DSS Merchant Levels | VISA, annual report on compliance, ROC, annual self assessment questionnaire, SAQ, Quarterly network scan by approved Scan Vendor, asv, Attestaion of compliance form, Merchant Levels 1, 2, 3, 4, charles denyer

PCI DSS Requirements for Merchants is dependent on the “Level” your organization falls into. Currently, there are four (4) Merchant Levels for PCI DSS compliance. What’s important to note is that these merchant levels are based on transaction volume of cardholder data. But also keep in mind that many merchants who do not meet the more stringent Level 1 requirements because of lower transaction volumes may still have to become Level 1 compliant based on customer demands, marketing efforts for their company, or possible regulatory requirements (i.e, you’ve been notified by your acquirer that you need to be level 1 compliant).

Thus, here are the VISA Merchant Levels:

Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year OR Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 1 Requirements:
* Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
* Quarterly network scan by Approved Scan Vendor (“ASV”)
* Attestation of Compliance Form

Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 2 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 3 Requirements:
* Annual Self-Assessment Questionnaire (“SAQ”)
* Quarterly network scan by ASV
* Attestation of Compliance Form

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Level 4 Requirements:
* Annual SAQ recommended
* Quarterly network scan by ASV if applicable
* Compliance validation requirements set by acquirer

To learn more about PCI DSS compliance and merchant level requirements for other payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org

Jun 20 2009   3:31AM GMT

PCI COMPLIANCE

Posted by: Charles Denyer
pci compliance, merchants, level 1, PCI DSS, payment card industry data security standards (PCI DSS), payment card industry security standards council, charles denyer

Payment Card Industry Data Security Standards (PCI DSS) compliance means many different things to many people. And after all, it should, based on the complexities of truly understanding what the phrase “PCI Compliance” or being “PCI compliant” really means.

For an ounce of clarity, remember this. All merchants that fall into Level 1 of the transaction volume parameters for PCI will have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor; somebody who has gone through the training and certification process by the Payment Card Industry Security Standards Council (PCI SSC).

“Most” other levels (and i stress most, because there are exceptions) can conduct their own self-assessment for PCI compliance. The world “self” is misleading because most organizations trying to comply will need assistance from a PCI QSA.

To learn more about PCI DSS, visit pciassessment.org.

Jun 20 2009   3:20AM GMT

SAS 70

Posted by: Charles Denyer
Statement on Auditing Standards No. 70, sas70, type II, general controls report, control environment, charles denyer, sarbanes oxley act of 2002, SAS 70 Type I

Statement on Auditing Standards No. 70, simply known as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes Oxley Act in 2002. As a SAS 70 auditor for many years, i’ve been asked a broad and wide range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. Thus, if you need to learn everything you possibly can about SAS 70, then visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.

Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions i fielded over the years. With that said, i can tell you what my honest best assessment is for pricing on these engagements, so here you go.

A general controls SAS 70 Type I that covers no real business processes and all fieldwork can be done at one location should be between $15,000 and $25,000.

A general controls SAS 70 Type II that covers no real business processes and all fieldwork can be done at one location should be between $25,000 and $35,000. Thus, subsequent years “could” see a decrease in fees (marginal, that is) if the control environment stays somewhat static.

If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may charge (and do) a slightly cheaper fee than i’ve just quoted. But remember, you get what you pay for, especially for auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.

Jun 19 2009   10:00PM GMT

PCI DSS Level 1 Compliance for Merchants and Service Providers | Helpful Tips

Posted by: Charles Denyer
charles denyer, PCI DSS, service providers, merchants, pci qsa, PCI DSS Level 1 compliance for merchants and service providers, 12 requirements

PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps to take to help mitigate and hopefully eliminate cost and time overruns.

There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent blogs.

First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to much better grasp and understand the dynamics of PCI compliance. There are 12 main requirements, each one is quite specific in their demands, so break them up and spend time truly digesting what each Requirement means.

Second, conduct a PCI DSS Readiness Assessment (either internally or preferably with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later blogs, so stay tuned.

To learn more about PCI compliance, visit pciassessment.org

Jun 16 2009   11:40AM GMT

PCI DSS Requirements for Service Providers | Expert Advice from a QSA

Posted by: Charles Denyer
charles denyer, PCI DSS, payment card industry data security standards (PCI DSS), service providers payment card compliance, visa, amex, mastercard, Discover Card, jcb, pci qsa, qualified security assessor, pci dss compliance, transaction processors, payment gateways, web hosting providers, data centers, managed service providers, ISO

PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)

And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.

AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.

And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.

Jun 16 2009   2:35AM GMT

SAS 70 Audits and PCI DSS | Yes, There is a Big Difference

Posted by: Charles Denyer
charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm

SAS 70 audits, especially Type II reports and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one in the same…..stop…….they are different.

Don’t get me wrong, efficiencies of scale can be had and I will talk about that in a later post, but generally speaking, this is like comparing apples to oranges. Here’s why.

The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks for SAS 70 audits.

The Payment Card Industry Data Security Standards (PCI DSS) requirements are much more rigid, less open to interpretation, if you will.

Ever read one SAS 70 report from a CPA firm then picked up another report on a similar company that was issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.

Now, try that with a PCI DSS Level 1 Report on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 audits.

Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.

Jun 3 2009   6:34PM GMT

SAS 70 | Surprise Examination | Internal Control Report for Investment Advisers

Posted by: Charles Denyer
The investment Advisers Act of 1940, surprise examination, internal control report, charles denyer, SAS 70, sample sas 70 type II report, qualified custodian, client funds, securities, File No. S7-09-09

The SAS 70 auditing standard is sure to become a necessary element of the proposed changes for the Investment Advisers Act of 1940. The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09). In short, this comprehensive document is proposing the use of “surprise examinations” and a “internal control report” on entities that have custody of client funds or securities or instead serves as a qualified custodian for client funds or securities.

Currently the “surprise examination” is discussed as a “written report from an independent public accountant” while the “internal control report” is being described as that of a SAS 70. At this point, what distinctions will be made, if any, between the auditing framework for the “surprise examination” and “internal control report” are not completely clear. More than likely, the SAS 70 auditing standard will be utilized for both the “surprise examination” and the “internal control report”.

You can obtain a sample SAS 70 Type II Report and list of sample custodial control objectives by visiting the SAS 70 Resource Guide.