Don’t just check the boxes. Get real business value from maintaining your PCI DSS Compliance. Truvantis offers a full range of PCI DSS Compliance Consulting Services including:
• PCI DSS Compliance Consulting
• Report on Compliance (ROC)
• Penetration Testing
• Vulnerability Assessments
• Code Reviews
• Staff Training
• Risk Assessments
• Incident Response Planning
• Policy and Procedure Definition
• IT Architectural Consulting
• Security Programs
Choose Truvantis for context, expert interpretation and genuinely passionate help with your PCI DSS compliance.
Unlike assessors coming from the accounting industry, we’re also business-minded technology experts. We’ll work with you to find products and technology that support your business goals while ensuring you maintain your compliance requirements. That’s the advantage of working with a vendor that deeply understands the PCI DSS requirements and can translate them into business language.
It’s one thing to attain compliance with the PCI DSS standard. But is your compliance program efficient? Are you losing money due to unnecessary scope, or sub-optimal tools? Are you maintaining compliance in a way that enhances your business, rather than holding it back? These are the matters a vendor experienced with PCI compliance can help with. While many firms offer the service, few have the depth of knowledge and expertise to deliver quality PCI compliance solutions in a variety of organizations.
The Payment Card Industry Security Standards Council (PCI SSC) and the payment card brands have adopted fundamental best practices for information security programs. What PCI DSS requires of you depends on how your organization stores, processes or transmits cardholder data. The full standard is organized into six control objectives implemented through twelve high-level requirements, and most organizations must validate compliance against them every year. The Truvantis team are PCI DSS experts and Qualified Security Assessors.
Once you have achieved compliance by implementing the PCI DSS standard, validation is the process of having that compliance verified and supplying the evidence to your acquirer (often your merchant bank or payment processor) as proof. Validation happens in one of two ways:
• Perform a Self-Assessment Questionnaire (SAQ) and complete an Attestation of Compliance (AOC).
• Engage a Qualified Security Assessor (QSA) or use an Internal Security Assessor (ISA) to review the organization's security measures in a Level 1 onsite assessment, receive your Report on Compliance (ROC) and complete an Attestation of Compliance (AOC).
The choice between self-assessment and a QSA assessment depends on several criteria, chiefly your merchant or service provider level, which the card brands set based on annual transaction volume. Your acquirer will tell you which route you have to take.
PCI SSC has developed self-assessment questionnaires (SAQs) to help eligible organizations assess the security of their cardholder data themselves. For organizations with low transaction volumes, a properly completed SAQ may be all they need to validate compliance. Truvantis can help you to understand your SAQ requirements in plain English, with honest help for business leaders without a technology background.
The SAQ is designed for you to self-assess your cardholder data security every year. In reality, it can be hard to get it right even if you have a background in cybersecurity. There are at least eight different types of SAQ and choosing the correct one(s) is not always clear.
A Qualified Security Assessor (QSA) is an individual or company accredited by the PCI SSC to assess compliance with the PCI DSS. QSAs are independent assessors, trained and certified in payment card security methodology. The assessment we perform as a QSA is also sometimes known as a "Level 1 Assessment," after Level 1, the highest-volume merchant and service provider level defined by card brands such as Visa and Mastercard, which carries the heaviest validation burden.
Whether you need a partner for the entire process or just have questions, Truvantis is a certified QSA and we’re here to help you get it done right.
Once the QSA confirms that an organization is compliant, the QSA prepares a Report on Compliance (ROC) documenting the details of the assessment. The ROC and the signed Attestation of Compliance (AOC) are then provided to the organization's acquirer, or to the card brands where they require it; the PCI SSC itself does not receive or approve ROCs.
PCI DSS compliance can be expensive. You can reduce effort and cost by relying on a trusted vendor to deal with it for you. Let us deal with compliance so you can invest in your business. The Truvantis team comprises PCI DSS experts and Qualified Security Assessors with extensive experience.
Outsource your payments, segment your networks, tokenize your data and use P2PE/E2EE solutions – all are great ways to reduce your audit scope. But the devil is in the details – contact Truvantis to make sure you get it right.
CHD
Cardholder data (CHD) is the only payment card data that may be retained after a transaction has been authorized. As defined by the PCI SSC, CHD consists of the primary account number (PAN) together with the cardholder name, expiration date and service code. A stored PAN must be rendered unreadable wherever it is kept, for example by strong encryption, truncation, tokenization or hashing.
The PCI DSS requires that an organization prove that it stores CHD only in a properly secured environment. That proof is often produced by scanning systems for CHD and showing that it exists only within the defined cardholder data environment (CDE).
SAD
The PCI SSC defines SAD as “Security-related information used to authenticate cardholders and/or authorize payment card transactions. This information includes but is not limited to, card verification codes, full track data (from magnetic stripe or equivalent on a chip), PINs, and PIN blocks.” The most common SAD element is the card verification code/value (CVC, CVV or CID), the three- or four-digit code printed on the front or back of the card. When a payment transaction is conducted, a point-of-sale terminal also reads the PIN and the track data from the magnetic stripe or the EMV chip.
The critical security attribute of SAD is that once a transaction is authorized, SAD must be securely deleted from everywhere it may exist: disk, device memory, call recordings, physical documents and so on. The bottom line is that SAD cannot be retained after authorization under any circumstances. The only exception the standard makes is for issuers and issuer service providers with a documented business justification; it does not apply to merchants.
“Do everything you can not to store SAD. If you must store CHD, you need to ensure security and restrict access to need-to-know personnel only.” -Jeff Hall CISA, CISM, CDPSE, PCI QSA
You can read this article for more information on SAD, CHD and the PCI DSS Assessment Process. https://www.truvantis.com/blog/pci-dss-sad-vs.-chd
One way to reduce the cost of PCI compliance is to store only a portion of the card number. This is called truncation. A truncated number (e.g. ####-####-####-1234) is still enough to tell which card is meant, but the full primary account number (PAN) is never saved. Note that truncation is about what is stored: showing only part of the PAN on a screen or receipt while the full PAN exists elsewhere is masking, which the PCI DSS treats as a separate requirement.
Systems that store only truncated card numbers have a limited scope in a PCI DSS assessment. If you follow the rules, handling or storing truncated data does not by itself bring a system into scope. One rule worth knowing: if a hashed and a truncated version of the same PAN exist in your environment, you must have controls ensuring the two cannot be correlated to reconstruct the original PAN.
CAUTION: The new truncation rules are complex even for experienced QSAs. According to PCI guru Jeff Hall, "In December (2023), the PCI SSC has given us an updated FAQ (#1091) on the subject of PAN truncation, and it will likely go down as the most confusing FAQ ever." Read this article to learn more about PCI DSS Truncation Rules. https://www.truvantis.com/blog/pci-dss-truncation-rules-and-guidelines
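To make the two techniques above concrete, the scanning for CHD described under CHD and the truncation just discussed, here is an added example written for this page; it is not Truvantis code and not part of any PCI SSC publication. It finds candidate PANs in text with a loose regex, confirms them with the Luhn (mod 10) check that card numbers satisfy, and truncates each confirmed PAN to its last four digits, the ####-####-####-1234 form shown above. The log lines are constructed for the example, using well-known test card numbers. The choice to keep only the last four digits is an assumption for illustration: exactly which leading digits may also be kept depends on PAN length under the PCI SSC truncation FAQ and is deliberately not encoded here.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjoining other digits. Deliberately loose; the Luhn check
# below does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check that
    payment card numbers satisfy. Assumes `digits` contains only 0-9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the space/dash separators allowed by PAN_CANDIDATE."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in `text`, separators stripped.
    A 16-digit order id that fails Luhn is reported as nothing."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str, keep_last: int = 4) -> str:
    """Truncate a PAN to its last `keep_last` digits, replacing the rest
    with '*'. keep_last=4 is an assumption mirroring ####-####-####-1234;
    which leading digits may additionally be kept is governed by the PCI
    SSC truncation FAQ and is not encoded here."""
    digits = _normalize(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def scrub(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in `text` with its truncated form.
    Returns the scrubbed text and the number of PANs replaced."""
    count = 0

    def repl(m):
        nonlocal count
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            count += 1
            return truncate_pan(digits)
        return m.group()          # leave non-PAN digit runs untouched

    return PAN_CANDIDATE.sub(repl, text), count


# Constructed sample log lines (not real data). Line 1 carries a 16-digit
# order id that fails Luhn; lines 2 and 3 carry well-known test card
# numbers, one of them space-separated; line 4 is already truncated.
SAMPLE_LOG = """\
2024-01-15T10:22:33Z INFO checkout order=1234567890123456 status=ok
2024-01-15T10:22:34Z DEBUG gateway request pan=4111111111111111 exp=12/27
2024-01-15T10:22:35Z DEBUG legacy export card="5555 5555 5555 4444"
2024-01-15T10:22:36Z INFO receipt card=************4444
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    scrubbed, n = scrub(SAMPLE_LOG)
    print(f"replaced {n} PAN(s); remaining:", find_pans(scrubbed))
    print(scrubbed)
```

Running it reports the two real card numbers and not the order id, rewrites them to ************1111 and ************4444, and a second scan of the scrubbed text finds nothing. That second scan is the evidence a QSA will ask for: not that you ran a scrubber, but that no full PAN remains. A production scanner also needs to look inside archives, databases and non-text formats, and should treat Luhn as a filter, not proof, since random digit runs pass it one time in ten.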
Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products. At Truvantis, we've built security and privacy programs for organizations, large and small. We specialize in helping our clients improve their business resilience and manage their business risk by implementing testing, auditing and operating information security programs. Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis offers PCI Consultancy Services and is a PCI DSS Qualified Security Assessor (QSA) Company.