PCI DSS Level 1 QSA Assessment

Annual Compliance for High-Transaction Companies

Organizations that process a high volume of credit card transactions are required to have their systems professionally assessed for compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

These Level One Assessments are performed by certified Qualified Security Assessors (QSA).


Why Your QSA Assessment is Important

This validation step, defined by the Payment Card Industry Security Standards Council (PCI SSC), is the final step in a business's compliance with this mandatory security standard. Without a Level One Assessment performed by a QSA, a business can be subject to fines, with additional penalties in the event of a data breach.

Proving your system’s alignment with this security baseline is the foundation for financial data safety.


Get Your QSA Assessment Done Right the First Time

Smaller organizations may be able to validate their PCI DSS compliance by using a self-assessment questionnaire (SAQ), then submitting an Attestation of Compliance (AOC) Form. High-transaction organizations, however, require a third-party assessment by a certified QSA vendor (or staff member).

Truvantis is one of only a few hundred organizations in the country that provides services and Level 1 assessments as a Qualified Security Assessor.

While all QSA vendors may seem to offer the same service, the quality and depth of the assessment you receive can vary greatly. Generally, there are two types of QSA vendors: former accountants and tech-industry experts. The latter can see the big picture of your security beyond the checkboxes.

That’s what we do.

Not only are we experts in the PCI DSS standard, but we also excel in helping companies to comply using a custom solution that’s best for their business. Our dedicated group of highly-technical specialists is trusted around the world to harden security and protect vital data.

Understanding the QSA Assessment

A PCI DSS QSA Assessment (or Level 1 Assessment) is an on-site inspection and assessment of an organization’s cardholder data environment (CDE) for compliance with PCI DSS. It concludes with the official documentation of proof, the Report on Compliance (ROC), which the QSA prepares at the end of the assessment.

The goal of PCI DSS certification is to perform an annual checkup on the care with which an organization handles its payment cardholder data. With the right partner, a QSA assessment is also a valuable opportunity to understand how well your organization protects your customers' most sensitive data.

Each Truvantis QSA Assessment includes:

  • A professional assessment of your security procedures in the context of your goals and currently used technologies.
  • A complete snapshot of your cardholder data environment (CDE) for a bird's-eye view of your risk profile.
  • An accurate picture of how your procedures compare to the PCI DSS security standards.
  • Custom solutions and recommendations to close any gaps between your practices and the standards.
  • Evidence to verify the implementation and effectiveness of controls.
  • A complete ROC that your business partners will accept the first time.

The QSA Assessment Process

Our QSA assessment process is designed to be thorough, painless and valuable to you as a business. We begin with a kick-off call to ensure your team understands the process and to request all of the files and access that we’ll need.

Then, we’ll schedule an onsite assessment, followed by requests for further documentation as needed. If no major changes or further onsite visits are required, we’ll draft, finalize and file your Report on Compliance (ROC).

How to Prepare for Your QSA Assessment

Start taking steps to tighten up your cardholder data security before your scheduled assessment. Whether that’s a self-assessment of your system or a full gap analysis, being proactive and aware will help you avoid delays and surprises.

  1. Look at how your organization handles Sensitive Authentication Data (SAD)
    In particular, make sure that you never store it. SAD includes the contents of chips or magnetic stripes, PINs, PIN blocks, and card verification codes.
  2. Look into Your POS
    Ask your POS vendor tough questions about the security of your POS:
    • Have default settings and passwords been changed?
    • Have all unsecured or unnecessary applications been removed?
    • Are controls in place to prevent unauthorized access to the POS?
    • When, why, and how is the POS accessed remotely?
    • Under what kind of authorization?
    • Has the POS been validated as compliant itself? (In this case, the applicable standard is PA-DSS, the Payment Application Data Security Standard.)
    • Does the POS store SAD in a prohibited way?
    • Can it be removed?
    • Is there documentation of what is in each stored file?
    • Is user access protected by complex and unique passwords?
    • Is everything patched, updated, and logged?
  3. Get Rid of Cardholder Data
    Try to eliminate the storage of cardholder data you don't absolutely need. Check the rules of the different payment brands you accept and make sure your organization follows them. Check storage of the PAN (primary account number), cardholder name, expiration date, and security code.
    Do you retain any of this data? If so, where and for what purpose? Could that storage be eliminated to reduce the likelihood that the data could ever be compromised?
  4. Consolidate and Isolate Cardholder Data
    If possible, partition your system so that all sensitive data is contained in one portion of it, separated from the rest by firewalls and other defenses. This can limit the scope of the QSA assessment to that segment and protects the data from the rest of the system.
  5. Check your Controls
    Try to understand what PCI DSS requires and implement it in advance of the QSA inspection. We'll help you get the rest of the way.
  6. Implement Training and Awareness Campaigns Throughout the Organization
    True data security isn’t obtained by checking boxes. Foster a culture of awareness and promote ethical handling of sensitive data throughout your organization by training members in the safe handling of sensitive card data.
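Steps 1 and 3 above both come down to the same question: is prohibited data (full PAN, track data, card verification codes) sitting somewhere it should not be, such as application logs? The following is an added example, not part of the Truvantis page or any Truvantis tooling, of a simple discovery script a team might run over its own logs before the assessment. It uses a Luhn check to cut false positives from random digit runs, masks any PAN it reports (first six and last four digits), and flags track 2 and CVV patterns without echoing them. The log lines, field names (`pan=`, `cvv=`, `swipe=`), and card numbers are constructed test data; the regular expressions are heuristics and will not catch every storage format.

```python
import re

# Constructed sample log lines (not from the page). Line 1 logs a full PAN and
# a CVV; line 2 logs raw track 2 data; line 3 is a Luhn-invalid digit run that
# should not be reported; line 4 is a correctly masked PAN.
SAMPLE_LOG = """\
2024-01-05 10:01 INFO order=1001 pan=4111111111111111 exp=1226 cvv=123
2024-01-05 10:02 DEBUG swipe=;5500000000000004=26121010000000?
2024-01-05 10:03 INFO order=1002 pan=4111111111111112 status=declined
2024-01-05 10:04 INFO order=1003 pan=411111******1111 status=approved
"""

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 magnetic-stripe data: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d*\?")
# Card verification code labelled as such (heuristic field names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list:
    """Scan text line by line; return findings with the PAN masked and
    SAD (track 2, CVV) redacted rather than copied into the report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "kind": "pan",
                                 "value": mask_pan(digits)})
        if TRACK2_RE.search(line):
            findings.append({"line": lineno, "kind": "track2",
                             "value": "<redacted>"})
        if CVV_RE.search(line):
            findings.append({"line": lineno, "kind": "cvv",
                             "value": "<redacted>"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Any track 2 or CVV hit is a storage violation regardless of where it is found, because SAD may never be retained after authorization; a PAN hit is a scoping and retention question (is this system in the CDE, and does the data need to be there at all?). Run something like this against log archives, database dumps and backups, not just live systems, since those are where forgotten cardholder data usually turns up.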

Truvantis is Here to Help

Whether you’re ready for certification of your PCI DSS compliance or far from it, Truvantis is here to help. We are a proud Qualified Security Assessor, certified by the PCI SSC to perform Level One Assessments and beyond.

We’re geeks at heart and can help you comply with PCI DSS using custom solutions that fit your security and cardholder data system goals. We’ll never sell a one-size-fits-all solution because good security should be a great match for your business and your system and technology stack.

Talk to a Truvantis expert today and get started.