Introduction
QSA Companies conduct Payment Card Industry (PCI) Data Security Standard (DSS) assessments to determine the compliance of merchants and service providers with cardholder data protection standards. These standards have been built and maintained by the PCI Security Standards Council, which is comprised primarily of Visa, Mastercard, Discover, American Express and JCB. Other contributing parties are involved as well. The PCI-DSS has evolved over time to keep up with emerging threats to the protection of payment card transactions. Merchants and Service Providers contractually agree to abide by these standards as a sort of self-policing activity to avoid government regulation in this space as much as possible.
Since 1911, Wolf & Company, P.C. has provided its customers with accounting and assurance services. Wolf has a Cyber Security Advisory and Assurance practice that is a PCI Qualified Security Assessor (QSA) company. Wolf’s QSA practice specializes in providing its customers with timely guidance and assessments to keep them compliant with the PCI-DSS.
Challenge
Wolf and Company, like most QSA companies, is challenged by the process of assessing and reporting on compliance. The PCI council trains QSAs and provides a standard reporting template. The DSS is very prescriptive in its guidance for requirements and testing procedures. However, the DSS is large, as are most customer environments. It requires solid planning and execution to be sure the PCI DSS assessments are both timely and accurate. The cost of inaccuracy is potentially business-breaking, so it must be avoided at any expense. Until now, there have been no end-to-end tools that truly address the complexities of PCI-DSS assessments.
Solution
TurboQSA began working with Wolf and Company in March of 2021. TurboQSA set up a demo environment for Wolf and spent the time to understand Wolf’s unique use case for performing assessments. Wolf decided to install the software in its environment and has performed multiple Level 1 PCI assessments. Wolf utilized many of the time-saving and accuracy-improving features of TurboQSA.
Smart interview scheduling – With this feature, interviews regarding different requirements but with the same personnel are consolidated where it makes sense. This saves repetitive meetings with the same people and aligns the interviewees with the specific PCI Requirements they are responsible for.
Automatic tracking of Documents Reviewed and Persons Interviewed – All items required to be tracked and reported on in Section 4 of the ROC can be added inline throughout the report or added in Section 4 and used throughout the ROC.
Peer Reviews / QA process – With TurboQSA, assigned peer review resources can track control responses assigned to them on a daily or weekly basis rather than being back-end loaded with the entire report for review. This process allows peer review resources to be engaged throughout the project and to track the status of the open items within the assessment. They will have a better understanding of the nuances and complexities of the projects. All of this leads to higher quality and more accurate assessments.
Multiple channel tracking – TurboQSA helps track multiple payment channels for merchant ROCs and multiple service channels for service provider ROCs. This ensures a response is provided for each channel within each requirement and guarantees no stone is left unturned in more complicated multi-channel assessments.
Customizable templates for N/A responses across assessments – This allows Wolf to create a custom template that is reusable for similar assessments. For example, if there is a service provider assessment where the services provided center around equipment destruction, then Wolf can define an assessment template that requires responses only for Requirement 9 (physical security) and Requirement 12 (information security policy). All other requirements would be marked ‘Not Applicable’ with any statement Wolf desires for these responses. This approach works for all types of assessments, including NESA, P2PE, Full Redirect, etc., and speeds up these types of assessments considerably.
Result
TurboQSA has allowed Wolf & Company to reduce the amount of back-and-forth required to complete a full Report on Compliance and to reduce the time between the completion of testing and the issuance of a final report. Wolf QSAs and clients alike have appreciated the ability to complete the testing and peer review process in a more streamlined manner.