At ControlScan, our Qualified Security Assessors (QSAs) look under the hood of many, many companies to determine whether they are actively complying with the Payment Card Industry Data Security Standard (PCI DSS). We’ve seen the good, the bad and the ugly… but nothing’s worse than having to tell a client that a compliant Report on Compliance (RoC) from their QSA is out of their reach.
ControlScan was recently hired to perform an annual PCI QSA assessment for a company providing technology services to payment processors. We recommended beginning with a PCI DSS readiness assessment, but the customer felt they were ready to go ahead without it, citing budget constraints.
Unfortunately, the formal assessment revealed serious compliance issues. Numerous required controls were missing: penetration testing, antivirus, vulnerability scanning, SIEM/log management, file integrity monitoring, policy and procedure development… It was impossible to make all the necessary corrections before their reporting deadline.
Our client was suddenly in a real financial bind:
- Their compliance assessment was more expensive than forecast;
- They would likely incur heavy non-compliance penalties from their acquirer; and
- Their rush to remediate would drive costs higher.
Of course, none of these were planned expenses. In hindsight, the client realized a readiness assessment would have saved them far more than its cost.
Sometimes a little advice is all you need
Sadly, our client could have avoided their predicament with some timely preparation and a bit of expert guidance. If your company is facing its first PCI assessment, we recommend consulting with a QSA before your assessment comes due.
Investing in some advisory hours is a good place to start. A few hours of phone consultation or a day with a QSA on site is not very expensive, and you’ll get answers to your questions and help with the finer points of PCI compliance. If you ask your bank or processor, they’ll tell you: “Ask a QSA.”
By engaging a QSA well ahead of your reporting deadline, you’ll be getting guidance from a partner, rather than an auditor. That expert advice can make a huge difference in terms of reducing scope and saving you unnecessary time and money.
Consider a PCI DSS readiness assessment
Finally, once you’ve done what you can following your QSA’s recommendations, consider participating in a QSA-led readiness assessment, also known as a gap analysis.
A PCI DSS readiness assessment is an effective method for finding and fixing compliance holes efficiently and economically, without the rush. With time for remediation afterward, a QSA can help you uncover ways to tighten scope, simplify compliance and reduce long-term costs.
We believe every company that handles cardholder data should have a readiness assessment performed at least once, even if they have no contractual obligation for Level 1 compliance. It’s a sound practice for both data security and your business in general. We’ve seen numerous customers benefit significantly from having a readiness assessment performed in advance of their formal audit.
A readiness assessment can pay off for years to come
Now here’s a story of how a readiness assessment saved the day (and the years to come) for one of our clients…
A small-business client chose to undergo a PCI DSS readiness assessment prior to their formal QSA assessment. Like the client I mentioned earlier, they had significant compliance issues, so much so that achieving compliance with their existing cardholder data environment (CDE) configuration would have necessitated a large-scale upgrade project costing hundreds of thousands of dollars.
We recommended they integrate a PCI-validated P2PE solution. This solution yielded $70,000 in upfront savings, plus an annual savings of $115,000 compared to the compliance upgrade to their existing CDE. In addition, numerous controls no longer applied, which greatly simplified their annual assessment and significantly reduced its cost.
With just a small initial outlay for a readiness assessment, this client netted significant savings, not just for one year, but year over year. This client’s annual assessment is now one of our quickest. Its cost is one-third that of a normal PCI DSS assessment. And, they’re fully compliant every time.
Learn more about preparing for a PCI assessment
Whether it’s your first or your fifteenth, properly preparing for your annual PCI assessment is always a smart move. Learn more about how best to prepare with our latest white paper, Preparing for Your First PCI QSA Assessment – 7 Steps to Uncomplicated Compliance.