PCI QSA Services

Global PCI QSA consultant services.

As a Qualified Security Assessor (QSA) company, Nettitude has been approved by the PCI Security Standards Council (SSC) to measure an organisation’s compliance with the PCI DSS standard. We are one of fewer than 10 companies worldwide to be a PCI QSA company as well as a PCI PA-QSA, PCI P2PE QSA and PCI ASV company. This is backed by industry-leading penetration testing, incident response and security solutions teams that are 100% focused on delivering best-of-breed security consulting and guidance.

Global Reach

Through Nettitude’s presence in both Europe and North America, we are ideally suited to deliver PCI consulting and auditing services for organisations with a global reach.

PCI for all Companies

Our team of QSA consultants delivers PCI consulting services across the globe, for merchants, service providers and acquirers alike. We work with Level 1 and Level 2 organisations all the way down to Level 3 and Level 4 merchants.

Dedicated Service

We ensure that each client is provided with both a primary and a secondary QSA on all projects and engagements. This ensures that we maintain a consistent interface with your organisation and generate maximum return on your investment.

Maintain Compliance

Our focus is on delivering high-quality PCI guidance in a pragmatic, risk-based approach. It is this approach that sets us apart from the crowd and has enabled us to become the trusted partner of many organisations that are working towards, or maintaining, PCI DSS compliance.

PCI Methodology

The PCI DSS covers more than 240 requirements and is applicable to all types of businesses, ranging from traditional bricks-and-mortar retailers, through contact centres and mail order companies, to e-commerce entities.

Nettitude will guide you through these three phases of the PCI DSS journey, to help achieve and maintain compliance.

PCI Gap Analysis

The recommended approach for organisations embarking on the PCI DSS journey is to have a formal gap analysis. During this exercise Nettitude measures an organisation’s current policies, processes, working practices and technologies against the PCI Data Security Standard (DSS).

A gap analysis typically involves a Nettitude QSA travelling to an organisation’s office and conducting a card data flow assessment. This exercise identifies all areas where card data enters the environment, exits the environment and all places where card data is at rest. The exercise will frequently result in a QSA working closely with IT managers/directors, compliance managers and security officers so as to understand the finer details of how card data is handled. In addition, members of finance and HR may be required to feed into the process so that all aspects of the security standard can be considered.

Once all card data flows have been mapped out, Nettitude will measure the environment against the PCI DSS. This exercise is effectively a backward-facing assessment of the environment against what the PCI DSS requires. Using this data, Nettitude will identify the gaps and provide feedback on areas that are both compliant and non-compliant.

The gap analysis will produce the following documents:

A high level review of the card holder data environment

Identification of all current card holder data processes and storage locations

A fully completed Self Assessment Questionnaire (SAQ)

Fully completed Prioritised Approach Document (PAD)

As part of the gap analysis, Nettitude will also provide a forward-facing roadmap on how the gaps can be bridged. This document provides strategic guidance on how to reduce risk, leverage existing technologies and enhance the environment in line with PCI DSS requirements. At the same time, Nettitude will produce a defined project plan with key milestones that can be realistically achieved.

As part of a gap analysis, Nettitude will also generate the following documents:

Strategic project plan for achieving compliance

Suggested Gantt chart for compliance

Nettitude’s gap analysis services are always 100% vendor-agnostic. They focus on the PCI DSS requirements, and do not make recommendations about individual vendor solutions or technologies. For organisations that require additional guidance, Nettitude can provide unbiased remediation and solutions advice that leverages existing technology investment, so as to aid in the compliance journey.

PCI Card Discovery Services

One of the most fundamental elements within a PCI DSS project is identifying where card data resides. It is common for organisations to be unaware of the intricacies around card data storage in log files, temporary files, backup files and legacy processes. Virtualisation, snapshotting and cloud-based technologies can result in card data being stored in many different files, images and locations, and all of these elements influence the risk of card fraud to an organisation.

To address the issues around card data storage, Nettitude provides card discovery services to find PAN data using forensic methods and commercial card discovery tools. As part of this service, Nettitude can identify all areas where card data is stored and provide a roadmap on how it should be managed.

Complementary to the card discovery service, Nettitude is also able to purge unwanted data. This approach uses secure deletion techniques to ensure that the information is removed securely and permanently.

For organisations that want to deploy a proactive PAN scanning tool, Nettitude is able to deploy a small snippet of code to continually assess devices for the storage of card data. If a PAN is detected, an alert is generated to a SIEM device or to an SMTP daemon.

PCI Policy & Procedure Services

A large part of PCI DSS is based around having strong policies and procedures. In many instances, organisations may have working practices that fit with PCI DSS; however, these processes are frequently organic and not shared amongst the organisation at large.

Start your PCI DSS Journey

To become PCI DSS compliant and reduce the risk of card fraud, organisations need to document the working processes, document the security technology and document the card data flows that exist within the environment. Once many of these elements are documented they need to be communicated to the organisation at large. Through strong documentation and improved staff awareness, organisations will be able to reduce their risk and maintain a posture that is more consistent with the PCI DSS.

Wider Organisation Policies & Procedures

Where organisations have existing security policies as part of ISO 27001/27002 or as part of an employee manual, Nettitude can provide guidance on how these documents can be enhanced and strengthened. Alternatively, in environments where there is no formal documentation, Nettitude can generate a comprehensive set of policy documents, branded and tailored to an organisation’s individual environment and working processes.

Nettitude will ensure that all information security documents fully address the requirements of the PCI DSS as well as being adapted to work within your corporate setting and culture. A full mapping between the policy documents and the PCI DSS is also provided to assist in any audit processes that take place.

Specific PCI Services

For some clients a gap analysis may not be required. In these instances Nettitude is able to assist with specific areas of the PCI DSS.

In instances where organisations have conducted their own gap analysis, or where a gap analysis has been conducted by another QSA company, Nettitude is able to provide both ongoing and focused consultancy to help bridge the gap.

There is no explicit blueprint for achieving compliance and, as a consequence, guidance from an experienced assessor who will have seen many types of card data environments can prove to be invaluable.

Nettitude focuses on helping organisations reduce their risk. This may be achieved through numerous approaches and technologies and can frequently result in a PCI DSS scope reduction. These types of approaches can make the compliance journey easier and also reduce the cost of compliance year-on-year.

Examples of areas where assistance is often required in network design and scoping include:

Card data storage

Process segmentation

Role-based access controls

Encryption

Tokenisation

Key management

Application design

Patch management

Change control

PCI Support Services

The Payment Card Industry Data Security Standard (PCI DSS) has gone through a series of revisions and will continue to evolve as new technologies and payment solutions develop. As a consequence of this, and due to the annual audit requirement, many organisations choose to work with a Qualified Security Assessor (QSA) partner on an ongoing basis.

As part of Nettitude’s security services, we are pleased to be able to offer our clients access to a focused PCI DSS support service. Clients can contact us during standard office hours, and gain unlimited access to our skilled team of QSAs and security consultants. Clients that use Nettitude’s PCI DSS support services will benefit from proactive advice and guidance when information is released from the PCI Special Interest Groups (SIGs) and when clarification is given around some of the hotter topics of the security standard.

Nettitude provides access to real security consultants, with real security expertise. Instead of accessing an anonymous Wikipedia or extranet service, our consultants can offer you pragmatic advice and guidance that is tailored to individual requirements.

PCI QSA Pre-Audit Services

A PCI DSS audit can be a relatively stressful exercise for organisations approaching their first assessment. To give organisations more confidence that they will pass, and to iron out any deficiencies prior to the full audit, Nettitude recommends that they embark upon a pre-audit approximately one month before the final audit.

Pre-Audit Compliance Check

A full QSA audit can sometimes take weeks to complete. In order to maximise the success of this exercise or even to seek confidence before submitting an SAQ, Nettitude can perform a pre-audit compliance check. During a pre-audit, a QSA consultant will walk through all aspects of the audit, from start to finish. All policies, procedures and working practices will be measured against the PCI DSS requirements.

Configurations will be reviewed, logs will be assessed and vulnerability information will be reviewed and considered. This whole process will be similar to a PCI DSS audit, but with less focus on data collection or data validation.

Final QSA Audit

Once Nettitude commences a final QSA audit, it is governed by relatively aggressive timescales around areas of non-conformance. If non-conformances are identified at the end of a final audit, in some instances this can result in the clock being reset, with the whole audit being conducted again post remediation. Going through the pre-audit phase eliminates the possibility of final audit non-conformance. Nettitude encourages all clients pursuing PCI compliance to go through a pre-audit phase. This trial run will provide a degree of assurance that the final audit will run smoothly.

When Nettitude conducts pre-audits, it is common for there to be missing technologies, and missing policies and procedures. As a consequence of this, Nettitude delivers strong pre-audit reporting (consistent with the gap analysis reporting) to enable its clients to bridge any gaps.

PCI QSA Audit & ROC Services

Nettitude is one of only a handful of elite PCI-approved companies that is a PCI QSA, a PCI PA-QSA, a PCI P2PE QSA and a PCI ASV. As a consequence, our highly skilled consultants are able to offer advice and guidance for all types of organisations embarking on the PCI DSS compliance journey. We provide consulting and audit services in the UK, EMEA, the US and Asia Pacific and have a strong portfolio of happy customers.

PCI Credentials

Nettitude has been involved in PCI DSS since the beginning. Starting as a QSA and ASV and then moving on to become a PA-QSA and P2PE QSA, Nettitude delivers information security services for a diverse range of clients. As part of the Payment Card Industry reporting requirements, Level 1 merchants and service providers must go through a formal audit once a year. Nettitude provides strong QSA consulting and auditing services to support this requirement.

Improved Auditing

Nettitude is more than just an auditor. At the heart of our QSA consulting organisation lie security practitioners with many years of experience implementing, securing and testing payment card systems. When we engage with a client around PCI DSS, we become a part of their team, supporting them and encouraging them to secure their environment, reduce their risk and achieve PCI DSS compliance. We shape our auditing approach to help our clients to succeed. We audit every environment with a strong degree of rigour; however, we also recognise that pragmatism and flexibility are necessary ingredients to make the relationship work.

What should you expect from a PCI Audit?

Nettitude has developed a set of tailored tools and techniques that help us undertake audits both seamlessly and consistently. During our audits, we collect evidence through interviews, through review of system configuration, through review of policies and procedures and through review of working practices. Where sampling can be undertaken, Nettitude’s QSAs will collect representative samples of your working practices.

Report On Compliance (ROC)

One of the outputs from an audit is that Nettitude produces a Report On Compliance (ROC). This report is submitted either to the card brands, for service providers, or to the acquirer, for merchants. The ROC provides a full insight into how the organisation interacts with card data, and provides both qualitative and quantitative measurement against the standard. Once this ROC is accepted by the acquirer or card brand, the organisation will be classed as being PCI DSS compliant for 12 months from the point of audit.

Intelligent Cyber Security and Risk Management   0345 5200 085    solutions@nettitude.co.uk