Home > IT Blogs > Regulatory Compliance, Governance and Security >

Regulatory Compliance, Governance and Security:

PCI DSS Level 1 compliance

Jun 16 2009   2:35AM GMT

SAS 70 Audits and PCI DSS | Yes, There is a Big Difference



Posted by: Charles Denyer
charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm

SAS 70 audits, especially Type II reports and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one in the same…..stop…….they are different.

Don’t get me wrong, efficiencies of scale can be had and I will talk about that in a later post, but generally speaking, this is like comparing apples to oranges. Here’s why.

The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks for SAS 70 audits.

The Payment Card Industry Data Security Standards (PCI DSS) requirements are much more rigid, less open to interpretation, if you will.

Ever read one SAS 70 report from a CPA firm then picked up another report on a similar company that was issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.

Now, try that with a PCI DSS Level 1 Report on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 audits.

Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend

May 26 2009   6:22PM GMT

PCI DSS Level 1 Compliance | Helpful Tips from a PCI QSA



Posted by: Charles Denyer
payment card industry data security standards, PCI DSS, pci qsa, charles denyer, PCI DSS Level 1 compliance, requirement 12, policies and procedures, pciassessment.org

Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that should be put in place for helping ensure an efficient and transparent assessment process is in place.

I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding her/she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.

Here are some helpful tips:

1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings as PCI QSA’s need a true understanding of network topology.

2. Take a hard look at Requirement 12 of the PCI DSS standards-Policies and procedures play a big and important role in ensuring compliance for PCI DSS. If you do not have these PP in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.

3. Make a list of all external, third party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.

If you want to learn more about PCI DSS compliance, visit pciassessment.org

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend