Regulatory Compliance, Governance and Security


November 13, 2008  3:28 AM

PCI DSS Readiness Assessment for Payment Card Industry Compliance

Charles Denyer

Are you a merchant or service provider that needs to be Payment Card Industry Data Security Standard (PCI DSS) compliant? Are you an entity directly involved in the processing, storage, or transmission of transaction data or cardholder data? If so, then read on, because one of the most important steps for achieving PCI DSS compliance efficiently is to start with a PCI DSS Readiness Assessment. Why? Well, you crawl before you walk, don't you? The same holds for PCI DSS compliance: it's not wise to jump right in and obtain a formal assessment without first doing any due diligence on your own organization.

One of the main benefits of a PCI DSS Readiness Assessment is the ability to identify gaps, deficiencies, and core weaknesses that will need to be strengthened and corrected before obtaining any type of PCI DSS assessment from a Qualified Security Assessor Company, commonly known as a QSAC. Learn more about a PCI DSS Readiness Assessment at pciassessment.org

November 13, 2008  2:53 AM

Minnesota (MN) Plastic Card Security Act | Payment Card Industry (PCI DSS) Compliance

Charles Denyer

The state of Minnesota recently codified part of the Payment Card Industry Data Security Standard (PCI DSS) framework into actual law. Minnesota has thus become the first state to write PCI requirements into statute; a watershed decision to say the least, and one that many states may soon follow. In fact, Texas and California have taken great interest in PCI, as witnessed by their respective legislatures introducing PCI provisions in the Senate and House chambers. Though TX and CA were unsuccessful in passing any law that would have become codified, the attempts signal the growing strength that the PCI DSS initiatives are having around the country.

It seems likely that other states will follow in the footsteps of MN, TX, and CA. Merchants and service providers should therefore be aware that they are, or soon will be, on the compliance radar regarding PCI DSS.

To learn more about Payment Card Industry Data Security Standard (PCI DSS) compliance, visit pciassessment.org


November 13, 2008  2:40 AM

SAS 70 Audit Costs and Pricing | What You Need to Know

Charles Denyer

If your organization is planning to undertake a SAS 70 audit, be it a Type I or a Type II, then there are some important points you need to know about SAS 70 audit pricing.

First and foremost, make sure to get a "fixed fee" for the SAS 70 engagement. A true fixed fee includes all out-of-pocket, travel, and other miscellaneous expenses incurred by the auditor in conducting the audit. More and more firms are moving to the fixed fee model, so take advantage of this type of pricing.

Second, scope greatly determines the price of the SAS 70 audit, so be sure to scope the audit properly. That means answering the who, what, when, where and why of the audit. Who needs the report, and are there any specific requirements they are looking for? What is the audit test period? When will testing be done? Where will testing be done, that is, which facilities will be part of the SAS 70 audit scope? These are all important points to cover when assessing scope for a SAS 70 Type I or SAS 70 Type II audit.

To learn more about SAS 70 audits, what a SAS 70 is, and to obtain a wealth of information on the auditing standard itself, visit the official SAS 70 Resource Guide.


November 12, 2008  3:55 PM

Payment Card Industry Data Security Standards (PCI DSS) | Tips and Strategies

Charles Denyer

If you are a merchant or service organization that needs to comply with the Payment Card Industry Data Security Standard (PCI DSS), then there are a number of important points you need to know. First and foremost, you need to identify which merchant or service provider level you fall under in accordance with PCI DSS requirements, since that level determines whether you can self-assess or must have an on-site assessment. You can find this information at pciassessment.org.

Second, you will need to find a qualified QSAC (Qualified Security Assessor Company) that can assist you with PCI compliance, regardless of which level you fall under. Third, you will need to have the QSAC conduct a PCI DSS readiness assessment so that you understand your cardholder data environment and any gaps, holes, and deficiencies that could hinder the overall PCI DSS assessment process. Easier said than done? It sure is, as most companies are good at what they do, but are very weak in having documented policies and procedures in place for PCI DSS compliance. I stress this because it is one of the biggest and most often overlooked areas of PCI DSS compliance. While we all get carried away talking about firewalls, routers, anti-virus, DMZs, etc., organizations many times fail to recognize the importance of documented policies and procedures.

To learn more about PCI DSS compliance, visit pciassessment.org


November 10, 2008  6:23 PM

PCI DSS | Payment Card Industry Data Security Standards

Charles Denyer

PCI DSS requirements, also known as the Payment Card Industry Data Security Standard, are becoming quite commonplace in today's heightened regulatory compliance environment. The state of Minnesota, under Governor Tim Pawlenty, even codified part of the PCI DSS into state law.

Merchants, service providers and a host of other entities directly involved in the processing, storage, or transmission of transaction data or cardholder data should consider themselves candidates for PCI DSS compliance. What's important to note is that, just as you need to crawl before you walk, you also need to make sure you have a number of policies, procedures, and initiatives in place before trying to tackle PCI DSS compliance.

What's needed is an effective PCI DSS roadmap to compliance: a step-by-step process for ensuring that your organization achieves PCI compliance in a cost-effective, scalable and efficient manner.


October 27, 2008  9:22 PM

SAS 70 Audits | Make Sure to Get a “Fixed Fee” for the Audit

Charles Denyer

SAS 70 audits today are being conducted by CPA firms large and small. Though they vary greatly in size, complexity and audit skills, what seems to be the industry standard is a "fixed fee" for the audit. Fixed, meaning that all the fees for the engagement are wrapped and bundled into one price. This "fixed fee" also includes any out-of-pocket travel and miscellaneous expenses that the CPA firm would incur in doing the audit.

Buyer beware, as not all "fixed fees" are the same. Some "fixed fee" quotes have clauses stating that the "fixed fee" covers only the engagement itself and does not include travel or any other expenses. Additionally, some fixed fees that do include travel and out-of-pocket expenses may still bill you separately for preparing reports, post-audit consulting fees, etc.

In short, read the fine print and make sure the "fixed fee" really is fixed. Another point: make sure the fixed fee goes down after year one. Why? Because the CPA firm conducting the audit should by then have a good working knowledge of your company, so fees should be marginally reduced for subsequent years (5 to 10 percent). However, if your scope changes, expect the fees to go up.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


October 27, 2008  9:03 PM

SAS 70 Audit Reports | What You Need to Know About Them

Charles Denyer

SAS 70 Type I and SAS 70 Type II audits are fast becoming a mainstay in today's regulatory compliance environment. If your organization is seeking to undergo a SAS 70 Type I or SAS 70 Type II audit in the near future, then here are some helpful tips for adequately preparing for all aspects of the audit.

1. Requirements: Do you need a SAS 70 Type I or a SAS 70 Type II audit? (A Type I reports on the design of controls at a point in time; a Type II also tests their operating effectiveness over a period.)
2. Scope: What is the scope of the audit? What business lines, services, and operations have to be covered in the SAS 70 audit? Are there specific requirements that somebody (a customer or their auditor) is asking to have included?
3. Pricing: Always obtain three (3) quotes and get a "fixed fee" for the audit, that is, the entire audit, including travel and all out-of-pocket expenses, is included within the fixed fee.
4. Testing period: If moving forward with a SAS 70 Type II audit, what is the test period going to be? (Note: test periods are traditionally six to twelve months long; you will have to agree on this with the CPA firm that will be conducting the SAS 70 audit.)
5. SAS 70 Readiness: Make sure you conduct a Readiness Assessment before moving forward with the audit. It will prove invaluable in understanding your control environment.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits, including a sample SAS 70 report.


October 27, 2008  8:51 PM

PCI DSS Compliance in Today’s Heightened Security World

Charles Denyer

PCI DSS stands for Payment Card Industry Data Security Standard. If you are a merchant or service provider who is directly involved in the processing, storage, or transmission of transaction data or cardholder data, then you should consider yourself a candidate for PCI DSS compliance.

As with any compliance mandate, it can be expensive, it can be time-consuming to go through the assessment, and it is something that has to be conducted annually.

The very first thing organizations should do to prepare for PCI DSS compliance is to make sure they have documented policies and procedures in place. Why? Because a large part of the success of obtaining PCI DSS compliance depends on having these documented policies and procedures in place. Don't believe me? Well, take a look at the PCI DSS standard for yourself and read between the lines, and you will quickly find that this is an absolute necessity.

If you do not have them, or do not have the time and skills to write them, then I highly recommend you hire a consulting firm that is an expert at writing policies and procedures for PCI DSS.

Time and time again, this is one of the biggest weaknesses I have seen in merchants, service providers and any other organization looking to become PCI DSS compliant.


October 27, 2008  8:43 PM

PCI DSS | Payment Card Industry Compliance Tips to Use

Charles Denyer

PCI DSS is fast becoming a requirement for many merchants and service providers in today's economy that are directly involved in the processing, storage, or transmission of transaction data or cardholder data. In short, they should consider themselves candidates for PCI DSS compliance.

If you have to become PCI DSS compliant, here are a few tips and strategies for making sure you go through the process in an efficient and cost-effective manner.

1. Find out exactly what your requirements are for PCI DSS, that is, which level you fall under for compliance. Many of the levels allow you to complete a PCI DSS Self-Assessment Questionnaire rather than an on-site assessment. But before you move forward, get the facts from a qualified PCI firm.

2. Policies and Procedures: Make sure you have the ability, knowledge and know-how to write effective policies and procedures for your organization. Why? Because a large part of PCI DSS success centers on having effective PCI DSS policies and procedures in place. If you do not have them, or do not have the time or skills to write them, then find a qualified firm that is an expert at writing policies and procedures for PCI DSS compliance.

3. Understand the scope of PCI DSS. Regardless of which level you fall under for PCI DSS compliance, your scope may be limited or expanded, depending on the services you provide in the processing, storage, or transmission of transaction data or cardholder data. Scope covers every system that stores, processes, or transmits cardholder data and every system connected to those systems, so know where cardholder data actually flows before the assessment begins.

To learn more about PCI DSS, visit www.pciassessment.org


October 19, 2008  11:54 PM

PCI DSS | Helpful Tips on Becoming PCI DSS Compliant

Charles Denyer

PCI DSS: it's a well-known phrase in today's growing regulatory compliance landscape. Because PCI DSS and its standards, requirements, and other supporting factors are relatively new, there still seems to be a high degree of uncertainty about who needs to be PCI DSS compliant and why. The who, what, where, when, and why is still unclear for many merchants, service providers, and other entities involved, directly or indirectly, in the overall payment cycle.

Here is what is certain. If you do have to be PCI DSS compliant, then it's wise to immediately look at and inspect your organization's documented policies and procedures. Why, you ask? Because most companies are very good at what they do, but typically weak at documenting what they do. Add to the mix that a fair amount of PCI DSS compliance depends on documented policies and procedures, and you can quickly see the importance. But who is going to write them, and how long will it take?

My recommendation is to hire an experienced PCI QSA firm that has the skills and the templates ready for your organization to use. Remember, this is one of the most arduous and time-consuming efforts of PCI DSS compliance, so start early, before it's too late.

To learn more about PCI DSS compliance, visit www.pciassessment.org.

