Campus-based organizations, by definition, have multiple merchants and locations accepting payment cards in a variety of different ways. Trying to determine which of your systems, applications, devices, etc. are in scope for PCI, if they are configured in a PCI-compliant manner, or if there is some way to get them out of PCI scope can be confusing.
For most organizations, PCI compliance is just one of their responsibilities. Generally, multiple employees from different areas (e.g. IT, Finance, Purchasing, etc.) are nominated to serve on the PCI Team without a lot of prior training or experience, and they find themselves trying to balance PCI efforts with the rest of their job responsibilities.
This is where a QSA, or Qualified Security Assessor, can help. QSAs are certified by the Payment Card Industry Security Standards Council after completing an extensive training process, and are required to re-qualify every 12 months to ensure their knowledge is up to date. QSAs have a deep understanding of the PCI DSS, the processes involved in card processing, network segmentation, payment card brand validation and reporting requirements, hardware and communications infrastructure, compliance issues, and effective mitigation strategies.
Their training and expert understanding of the DSS enables the QSAs to perform merchant and service provider assessments to help these organizations identify areas of PCI non-compliance. If your organization is required to undergo a formal assessment and submit a ROC (Report on Compliance), you must enlist a QSA to perform the audit. If you are attesting to your compliance through the SAQ process, but have a complex payment card environment, a QSA may be engaged as an advisor. The QSA can share vendor-neutral recommendations for systems or solutions to help reduce PCI scope, recommend best practices, evaluate service provider compliance, and can help ensure your organization is approaching cardholder data security in a PCI-compliant manner.
All CampusGuard QSAs have an extensive information technology and cyber security background, and have also completed the CISSP (Certified Information Systems Security Professional) certification. The CISSP is the gold standard of information security certifications, testing individuals across eight domains in the CISSP Common Body of Knowledge including communication and network security, identity and access management, security assessment and testing, security operations, and software development security. This is an advanced certification for experienced security professionals who have the technical expertise to develop, implement, and manage enterprise security programs.
The ideal QSA is an information security professional with a strong IT and networking background. They must understand overall business and compliance processes, and keep up to date with industry changes and emerging technologies. But perhaps the most important quality for a successful QSA is the ability to understand the business impact of PCI compliance and provide clear, concise advice as to how best the organization can achieve and maintain compliance.
The CampusGuard Security Advisors share what they like most about being a QSA.
[Gilmore]: My favorite part of being a QSA is the chance to stand in front of a crowd of people that are not so familiar with this subject of credit card data or just general information security and explain to them why there must be processes, technical and administrative, in place to protect this information. I get a joy out of taking the standards set forth by the PCI SSC and explaining how they can apply to their local environment. We may throw in some terrible jokes and some shocking information to bring some interest into what can really be a not so exciting training session. Typically, after walking through the sections of the training that we have prepared and even tailored in many cases to the room of diverse merchants there is always a room full of lights that turn on above each of their heads that let me know they understand the purpose of the needed protection. Making the subject pertain to their individual ways of taking information and then explaining potential problems always does the trick to trigger questions during and certainly after the training is complete. Usually it just takes putting merchants in the shoes of their customers to kick start the daily thought process of securing credit card data.
[Ko]: I’m passionate about information security… But I’ve been around the block enough to know that security and usability are found at opposite ends of a teeter-totter. Finding the right (and delicate) balance of securing the environment while still allowing you to have a functioning business is one of the greatest challenges that we face as security advisors. I love being able to think of creative solutions to help you achieve compliance while still allowing your business to thrive and grow.