PCI DSS compliance will continue to be one of the most talked about regulatory compliance initiatives for 2010, without question. First and foremost, data breaches are still occurring and companies are still losing sensitive cardholder data; and lastly, PCI compliance is finally (yes, finally) being taken seriously by merchants and service providers in today’s business arena.
As I’ve noted many times in previous posts, as a Payment Card Industry Qualified Security Assessor (PCI QSA), I’m seeing more and more organizations having to comply with PCI DSS, specifically with an on-site PCI DSS assessment. This can only be done by a QSA and can be quite an arduous undertaking, to say the least. As 2010 ramps up and eventually winds itself down, I fully expect many merchants and service providers to undergo an annual on-site PCI assessment, more so than ever before. Technology is here to stay, and cardholder data and the use of these small but powerful pieces of plastic are here to stay, my friends! Let’s do what we can to protect them.
Properly scoping a SAS 70 Type I or SAS 70 Type II audit is an extremely important component of the audit process itself. Why? Because as a service organization undergoing a SAS 70 audit, your goal is to have a report produced and issued to you that meets your clients’ expectations for quality and covers all critical components within your operations. Too small an audit scope and the report may lack the quality you or your clients expect.
All SAS 70 reports start off with a baseline of highly accepted and recognized control objectives that you would test for in essentially any organization, regardless of whether it is a data center or a widget company. Control “areas” such as Human Resources, Executive Management, Physical Security and Environmental Security, just to name a few, are excellent examples. The key ingredient for success in your SAS 70 audit is the ability to adequately identify the specific “business process” controls within your organization. For example, a data center could test various controls related to “managed services”, while a widget company would test controls related to the building of widgets and the operational activities surrounding that work. A simple example, but you get the point. Talk to the CPA firm conducting your SAS 70 audit to ensure they will be testing for specific “business processes” within your SAS 70. After all, this is what creates true value in your report.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
As a SAS 70 auditor, I’m often asked whether a SAS 70 Type I is needed before conducting a SAS 70 Type II. The answer: YES and NO!
Yes, if an organization has never gone through a SAS 70 audit, has time to conduct a Type I audit, or has “cold feet” about going right into a SAS 70 Type II, which can be an extensive undertaking for any organization not familiar with Statement on Auditing Standards No. 70.
As for the NO answer: well, if an organization has a compelling regulatory requirement to obtain SAS 70 Type II compliance, then you know the answer. Also, if an organization is continuing to roll forward every year with a Type II, then obviously one would never go back to do a Type I, unless it was on a completely different business line (but that is a whole different topic to discuss at a later time).
As an auditor, my advice is to “crawl” before you “walk”; that is, get your feet wet and become acquainted with the SAS 70 process by conducting a Type I audit first and foremost, if you CAN.
Want to learn more about SAS 70 audits? Then visit the official SAS 70 Resource Guide.
Sure, this sounds like great news from the SEC, which is trying to rebuild an image (badly tarnished in recent years) as a regulator that does have teeth, can enforce rules, and has the public’s best interest at heart.
However, the problem is that under the new rules, only about 1,900 of the approximately 11,300 advisory firms registered with the SEC will be required to obtain surprise audits. Why? The SEC simply folded under intense pressure from various business groups, thus excluding a large number of advisory firms from the surprise audit (which, by the way, will more than likely be a SAS 70 Type II audit).
And if the asset threshold for SEC registration is raised to $100 million from $25 million, then that figure of 1,900 advisory firms will become even smaller.
Nevertheless, the new audit rules “grow out of the Madoff Ponzi scheme and other frauds in which investor assets were misappropriated by investment advisers,” SEC Chairman Mary Schapiro said in a statement. “Such frauds have caused investors to question whether their assets are safe when they entrust them to an investment adviser. I believe today’s rules will help put their minds at ease.”
To learn more about SAS 70 audits, please visit the official SAS 70 Resource Guide.
Well, I’m sure by now millions of people have read the article in Newsweek about how Sarbanes-Oxley (SOX) could be brought down to its knees and killed.
Compliance auditors are getting cold hands thinking of the unemployment line! Not so fast: read further into the article and I would argue that the real issue being asserted is the legal framework of how the PCAOB is structured and overseen, and how it appoints its members. Sure, there are rumblings about the effectiveness of SOX, but the thought of taking away most of its original intent is not something too many politicians would angle for. Section 404 has been a success, and so has the advent of SAS 70 audits on third party providers and service organizations. Think any of these provisions on attesting to outsourcing entities are going away? I highly doubt it. So, while we may see the PCAOB and SOX “watered down”, it’s doubtful key provisions would be killed altogether. Could you imagine another Enron or WorldCom without any SOX provisions in place because they were killed? Again, highly doubtful.
What has gained so much traction from SOX is the SAS 70 audit, and with or without SOX, SAS 55 requires SAS 70 audits for purposes of financial statement reporting. Additionally, companies will not simply stop asking for SAS 70 audits even if key provisions of SOX are amended. Why? Because they have become very familiar with, comfortable with, and interested in what controls their third party providers have in place.
The term “PCI DSS auditors” is technically incorrect, as one really should be looking for a Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor (QSA).
So what is a QSA, really? A QSA is an individual who has been through the rigorous training and certification process overseen by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. In short, only a QSA is allowed to be the lead assessor or lead auditor when conducting an on-site Level 1 Payment Card Industry (PCI) assessment.
Though most people simply refer to QSAs as “PCI Auditors”, it is important to understand what a “PCI Auditor” really is and what they do. Many QSAs also help companies perform their annual PCI self-assessments. Why? Because a self-assessment is much easier said than done, as most merchants and service providers simply lack the knowledge and understanding of PCI to self-assess without help.
A QSA can also assist in recommending various hardware and software solutions for PCI compliance, along with giving a company excellent guidance on how to meet the rigorous demands of PCI compliance.
There is nothing wrong with also using an I.T. expert, but when it comes to compliance and certification for PCI, you need to use a QSA.
Looking for a PCI compliance roadmap? As a Payment Card Industry Data Security Standards Qualified Security Assessor (PCI QSA), I’m often asked about the who, what, where, and why of PCI compliance. Most organizations (merchants and service providers) are simply overwhelmed with the entire process and are not really sure where to begin, hence the need for a PCI Compliance Roadmap.
I’ve written extensively on this issue and I urge you to read about the PCI DSS Roadmap, which essentially highlights three (3) main phases that your organization should undertake. Within these three (3) phases there are many sub-categories and drivers that you will need to address, but for now, focus on these three (3) areas:
* Phase I: PCI DSS Readiness Assessment
* Phase II: Remediation & Implementation for PCI DSS
* Phase III: Assessment & Reporting for PCI DSS
The biggest challenge (and goal) for organizations is Phase I, that is, simply getting one’s arms around the entire PCI DSS process and understanding what the scope of a PCI DSS assessment really is. Once you have successfully completed this phase, you can then move on to remediation and the other aspects that are vital for PCI success.
To learn more about PCI compliance, visit the official PCI DSS Resource Guide.
SAS 70 audits and PCI DSS assessments are truly starting to dominate the regulatory compliance landscape. We actively assess a large number of our firm’s clients for yearly SAS 70 and PCI DSS compliance. The chatter of late surrounds what efficiencies of scale, if any, can be had by conducting both a SAS 70 audit and a PCI DSS assessment for an organization that needs both.
I urge you to read a very compelling article I wrote regarding both of these major compliance initiatives.
Titled “SAS 70 Audits and PCI DSS | a Technical White Paper”, it discusses these very issues and brings to light some extremely important points for both SAS 70 and PCI DSS compliance.
In summary, tread cautiously before assuming that doing both is simply a “two for one”, meaning that you can conduct both a SAS 70 audit and a PCI DSS assessment at the same time.
Need a PCI Qualified Security Assessor? Curious as to how to choose a QSA? First and foremost, make sure the QSA has ample experience in performing on-site PCI DSS Level 1 assessments for merchants and service providers. Additionally, make sure the QSA has ample knowledge of policies and procedures, or can at least point you in the right direction as to what policies and procedures should be used to help facilitate your compliance.
Additionally, talk to the QSA directly and inquire about how he or she conducts the entire PCI assessment and compliance process from beginning to end; that is, what specific phases or PCI Roadmap to Compliance does he or she follow? In which specific areas throughout these phases will the QSA assist your organization?
QSAs are human, so each has his or her own style of conducting PCI DSS assessments. Talk to them to find out which methodology fits your organization best.
Compliance with the Payment Card Industry Data Security Standards (PCI DSS) provisions can be costly and time-consuming, so you want to pick a QSA who truly understands your needs and challenges for PCI DSS.
The 12 PCI requirements are essentially the areas in which merchants and service providers will need to be compliant under the Payment Card Industry Data Security Standards (PCI DSS) provisions. What’s important to note is that each and every requirement has very explicit “requirements” for what truly needs to be in place for PCI DSS. Additionally, some of the requirements are more arduous and time-consuming than others. The very first step that any merchant or service provider needs to take for PCI DSS compliance is to undertake a PCI Readiness Assessment. This essentially means going through all 12 PCI requirements and conducting a GAP analysis to see which areas you are compliant in and which you are not. This helps define the scope of the assessment, along with giving you a very clear idea of which areas will need to be corrected before you can even think of obtaining PCI DSS compliance.
Whether you are doing a self-assessment or an actual on-site assessment by a Qualified Security Assessor (QSA), a PCI readiness assessment is crucial.
To learn more about PCI DSS compliance, visit the official PCI DSS Resource Guide.