Payment Card Industry Data Security Standards (PCI DSS) compliance is everywhere these days, or so it seems. As a result, there seems to be some confusing information on what CAN and CANNOT be stored regarding cardholder data. Folks, there really should not be any gray area on this, as the rules and regulations are quite straightforward and black and white. Okay, so here we go. Regarding cardholder data, this is what you CAN store, but it also MUST be protected: The Primary Account Number (PAN), the cardholder name, the service code, along with the expiration date.
So, what CAN’T you store (however, there are exceptions)? Here they are: Full Magnetic Stripe/Track Data, CVC2, CVV2, CID, CAV2 (what are these you ask, the numbers that merchant will often ask to help complete and authorize the transaction, you know, those secret numbers on your card :), and finally you cannot store PIN/PIN block information.
So there you have it. If you want to learn more about the Payment Card Industry Data Security Standards, then visit pciassessment.org
Regarding PCI DSS, as a PCI QSA i’m often asked what’s the most difficult hurdle that organizations need to overcome for ensuring PCI DSS compliance. Well, we could talk at length about some of the technical, I.T. challenges, such as two-factor authentication, encryption (though not required.lol!). But in all seriousness, organizations are very deficient on having documented policies and procedures in place for their critical infrastructure. From change management to tape/media backup and recovery procedures, many organizations fail to have these very policies and procedures documented in an organizational wide corporate security document, or something of a similar nature, such as online WIKI.
So, why is this such a repetitive and persistent problem for companies? For the most part, it has to do with the lack of expertise in writing these documented policies and procedures along with finding the time to do them. They can be painstakingly slow and arduous to complete. The solution; hire a firm that have experience and expertise in developing and writing policies and procedures for PCI DSS and for any other regulatory compliance mandate your company may encounter, such as SAS 70 audits.
That’s right. Compliance for the Payment Card Industry Data Security Standards, simply known as PCI DSS, is mandatory for all merchants and many service providers. How mandatory? Enough for MN Governor Tim Pawlenty to sign into law and codify various provisions of the PCI DSS mantra. Mandatory in that even small merchants processing only a handful of payment transactions (credit, debit, gift cards) have to conduct their own self-assessment for PCI DSS, or obtain help from an external PCI QSA or other qualified payment card specialist. The just of it is this-PCI DSS compliance is not going away, rather, it will only become more paramount in the years ahead. The key to comply with PCI DSS is to know what level you fall under regarding compliance and what needs to be done for that respective level of compliance. Turn to pciassessment.org to learn all you need to know about the Payment Card Industry Data Security Standards compliance.
The Minnesota Plastic Card Security Act, signed by MN Governor Tim Pawlenty, essentially has codified various parts of the Payment Card Industry Data Security Standards (PCI DSS) into law. What’s interesting to not is not so much the specifics of what the law actually has to say, but rather it is a sign of a growing trend that is sweeping the nation in many states. Texas and California also have PCI DSS on their minds, as witnessed by recent legislative attempts in these two states to take action on the PCI standards. This essentially, is a sign of the times, as individuals and businesses alike are demanding more security into today’s heightened technology world we live in. The dollar amount being processed by payment cards (debit, credit and gift cards) is absolutely staggering and will only continue to rise in the coming years. The PCI DSS standards, which evolved out of the former VISA CISP data security standards is here to stay and will only grow over time. As a PCI-QSA, my advice to merchants and service providers who have to become PCI DSS compliant. Learn all you can about the PCI DSS standards and how they ultimately affect your organization. Remember, knowledge is power.
Today’s data centers and managed services providers are complex businesses, providing customers with a wide array of services. As such, SAS 70 audits have become the standard compliance audit for assessing internal controls for data centers and managed services. But buyer beware, not all SAS 70 audits are the same when being conducted on data centers and managed service providers. So, what’s the scope, you say? Well, generally speaking a good quality SAS 70 audit process and its subsequent report should include the following areas for considerations of controls:
1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
3. Client Contract Processes
4. Technical Client Provisioning Processes and Activities
5. Change Management
6. Incident Management
7. Logical Security
8. Network Security
9. Shipping and Receiving Management
10. Physical Security
11. Environmental Security
Any SAS 70 conducted on data centers, managed services providers and co-locations entities that encompass the following above referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these above referenced areas, but that’s a whole other topic of discussion for a later date.
Many service organizations who have to undergo a SAS 70 Type I or Type II audit have never had the ability to see or read what a final report looks like after the audit has been completed. With this now available, service organizations can gain a greater understanding of the auditing standard, while also having an expectation of what the final report should look and “feel” like.
It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slightly different variations of SAS 70 reports, but they should encompass and include most of the elements contained within our sample sas 70 available to all who wish to read on and learn more about statement on auditing standards no. 70.
Please take time to educate yourself on this highly used auditing standard by visiting a number of other areas on the website, such as the white papers section, industry news section, along with the what is sas 70 section.
SAS 70 Type I and Type II audits have become common for many organizations providing critical outsourcing services to companies. Known as service organizations, they have all landed on the regulatory radar of having to be SAS 70 compliant, due in large part because of Sarbanes Oxley (SOX) or any other large number of federal regulatory compliance mandates.. I’m often asked how much does a SAS 70 Type I or Type II audit cost. Well, that depends on a number of factors and circumstances that will be discussed today.
Issue #1: Choosing a Firm for the SAS 70 Audit
There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized big four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The big four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.
Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick in between, that is, a firm who is specialized, nationally known, not too large and bureaucratic, and provides you with a cost-effective, “fixed fee” that is fair, equitable, and you can live with.
Issue #2: Scoping the SAS 70 Audit
Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed.
To learn more about SAS 70 audits, visit the official sas 70 resource guide.
As an auditor, I am constantly approached by my clients desperately wanting to know if efficiencies can be obtained within the audit and assessment process for companies undergoing both a SAS70 audit and a PCI DSS assessment. There’s no simple yes or no, black or white answer to this, as many variables come into play when conducting a SAS70 audit or a PCI DSS assessment for organizations.
What I can tell you though is that there are some common themes and drivers seen in both a SAS70 audit and a PCI DSS assessment. Both a SAS70 audit and a PCI DSS assessment rely heavily on the existence of documented policies & procedures. Furthermore, both of these examinations also examine various aspects of physical security, network security, logical security, change management, to name a few. Quickly, you can see some overlapping themes in both a SAS70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake a SAS70 audit and a PCI DSS assessment. So, what’s the NO or the gray erea? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS70 audit. At the same time, a SAS70 audit also covers comprehensive business process controls applicable to that specific entity being examined for a SAS70. A PCI DSS assessment does generally not cover or assess these specific business processes that a SAS70 would. Thus, you can see the gaps between these two examinations.
To learn more about what SAS70 is, visit the official SAS70 Resource Guide
To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.
The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service, quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70) have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and numerous other federal and state laws have pushed audits, such as SAS 70, into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.
From a regulatory compliance perspective, impacts of audits to the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, section 404 states that management must establish effective internal controls as it relates to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on section 404 of publicly traded companies.
Many people often ask me what exactly is the relationship between SOX and SAS 70. The relationship between SOX and SAS 70 begins with Section 404. Because management must report annually on it’s effectiveness of internal controls, it then has an obligation to inquire and inspect on all controls considered vital to the organization as a whole, but more importantly, to it’s financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourcer providers, commonly referred to as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance has stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” So, there you have it. If you want to learn more about SAS 70, visit the most in-depth web site available on Statement on Auditing Standards No. 70, at www.sas70.us.com