PCI Qualified Security Assessor (QSA)
The Payment Card Industry (PCI) Data Security Standard (DSS) requires any organization that processes credit card information to comply with a set of data control, IT security, physical security, and policy requirements that mitigate the risk of credit card loss, theft, or abuse. Adherence to the standard is a contractual obligation. Canadian merchants and payment service providers that do not comply may be levied fines, experience loss of service, and face increased validation requirements.
NCI has one of Canada’s largest full-time Qualified Security Assessor (QSA) teams helping organizations navigate the requirements for PCI compliance. Offering services in both English and French, NCI uses a customized methodology to assist our clients in gaining PCI compliance. Our team includes highly skilled and experienced IT security professionals who are QSA, CISSP, CISA and SANS certified, providing a tremendous breadth of knowledge and experience to assist our clients. NCI takes pride in providing guidance and assistance throughout the PCI certification process.
The NCI Approach
NCI proposes a five-phase customized methodology:
Phase 1: Scope Discovery and Reduction
NCI’s consultant will engage in an information gathering exercise to determine the scope of PCI DSS for your organization’s environment and produce a report detailing:
- all cardholder (credit card) data flows through your organization
- where cardholder data enters and leaves your organization
- all processes applied to cardholder data
- recommendations to reduce your PCI scope
Phase 2: Readiness Assessment and Gap Analysis
NCI will review each PCI requirement as to:
- whether or not it is currently in place
- whether you have the necessary evidence to validate that it is in place
The consultant will deliver a complete analysis presenting ‘gaps’ in PCI requirements and provide high-level remediation recommendations in order to attain PCI compliance.
Phase 3: Remediation
In addressing your questions and concerns regarding remediation of identified PCI gaps, NCI will provide guidance to ensure you stay on the path to PCI compliance. The QSA assigned to your PCI project will draw on the expertise of all of NCI’s consultants and engineers to ensure that the gaps are closed properly.
This engagement involves purchasing blocks of consulting time, which may be used to discuss any security-related concern in addition to PCI compliance. NCI’s full range of cyber-security products and services may be leveraged during this phase.
Phase 4: Assessment
NCI’s PCI QSA-certified consultant will perform a full PCI DSS assessment and provide a Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ). Evidence will be collected in accordance with the PCI SSC ROC reporting procedures for each requirement within the PCI standard.
NCI will provide a Report on Compliance for submission to acquirers or card brands, formatted as outlined by the PCI SSC, documenting:
- your organization’s architecture
- your business process
- each PCI DSS requirement’s compliance status
Your high-level assessment will include a Self-Assessment Questionnaire (SAQ) confirming:
- your organization’s understanding of the intent of each requirement
- that the controls you have in place are adequate
- that your organization could produce the necessary evidence as required
- an optional ‘Compliance Manual’ describing the roles and responsibilities for individual requirements and the evidence demonstrating compliance
Phase 5: Maintenance
PCI compliance is not a point-in-time state; it requires ongoing maintenance. NCI can assist your organization with the following to maintain compliance with PCI requirements:
- threat risk assessments
- security architecture sessions
- training and awareness of PCI and cybersecurity
- penetration testing
- ASV scans
- internal and external vulnerability scans
- PCI PAL (bank of hours), which may be used to discuss any PCI-related concerns you have
Looking for a yearly PCI Managed Service?
Passing a PCI validation once is a milestone. However, PCI compliance – and protection against financial liabilities – is much more than simply passing an annual validation. You must maintain compliance with the PCI standards throughout the entire year.
NCI is Canada’s leader in Managed PCI Compliance Services. The NCI Cloud & Managed Services Team can execute a wide range of compliance activities on your behalf through its structured 12-month program. With NCI, passing your yearly validations will be as easy and cost-effective as ever. Contact NCI Cloud & Managed Services for more information.
How confident are you that your organization’s card payment processes are secure?
Contact us for more information: