
Manage your PCI DSS compliance with QSA-as-a-Service

Continuous assurance is the future of PCI DSS governance. It allows you to drastically reduce the amount of time between controls failing, discovery of non-compliance, and remedial activities – significantly reducing the chance of a cardholder data compromise.


Simplifying your PCI DSS compliance journey

We, like many of our clients, believe that security should be embedded into an organisation: ‘security-by-design,’ and not ‘security-by-addition’.

To provide continuous assurance of security activities, whilst reducing the complexity of the on-site assessments, we have created a market-leading compliance programme, called QSA-as-a-Service (QSAaaS).

The key differentiator for the QSAaaS model is year-round monitoring of tasks specified by the PCI DSS, point-in-time collection of evidence, and early warning of actual or potential areas of non-compliance.

The aim of this model is to drastically reduce the amount of time between controls failing, discovery of non-compliance, and remedial activities – significantly reducing the chance of a cardholder data compromise.

As part of the QSAaaS programme, you will have direct access to a PCI DSS QSA and security consultant via our support service, which offers proactive advice on specific matters, as well as guidance on the impact of newly introduced Information Supplements and other documents released by the PCI Security Standards Council and payment card schemes.

Our QSA team is engaged by retail brands, payment service providers, and FTSE 100 companies (including commercial and domestic energy), to provide experienced Qualified Security Assessors that understand complex technical environments in fast-paced industries.



Discover our programmatic solutions to your complex security challenges: contact the team at Data Security People for an informal chat.



Continuous assurance activities included in QSAaaS

Your QSAaaS programme has four distinct phases, each preparing you for the best possible success in your annual formal assessment, whilst truly reducing your risk of cardholder data compromise.

1. Planning

Your PCI DSS QSA will create a 12-month delivery schedule, taking into account the unique needs of your business.

We’ll agree the roles and responsibilities that are crucial to successful delivery of the programme.

We’ll assign a dedicated point of contact, giving you consistency of approach.

2. Initial Assessment

To give you the best possible start to continuous assurance, your PCI DSS QSA will run a gap analysis against the latest version of the PCI DSS, looking to validate your scope, and identify opportunities for scope reduction.

Your assessor will identify and liaise with key services, such as ASV scanning, penetration testing, and employee training.

3. Ongoing Assurance Activities

Throughout the year, your PCI DSS QSA will collect, verify, and catalogue evidence. And, if you’re behind on a task or activity, they’ll be right there to help you.

Your assessor will also be on hand for remote support (such as advice on any ‘significant changes’ you are making), and once per quarter they will provide executive management briefings on compliance status.

4. Formal Assessment

Each year, we’ll complete a formal Report on Compliance, using the evidence that has been collected throughout the year.

And, once your formal assessment is over, we’ll liaise with your acquirers (and if necessary the card schemes) to file your compliance paperwork.

You’ll then begin another 12-month continuous assurance period.




Passionate work from passionate people

Our work and expertise with the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security measures across the world. The PCI DSS provides a baseline of technical and operational controls designed to protect your customers’ payment data.

The PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. The PCI DSS also applies to all other entities that store, process or transmit cardholder data.

To guide our clients through the extensive requirements of the PCI DSS, we maintain a dedicated team of PCI DSS Qualified Security Assessors (QSAs).

Our team has vast operational experience with modern technologies, including containerised and virtualised environments, and is used to providing security advice to everyone from first-line support through to the C-suite.

Alongside our delivery work, we frequently publish security articles, white papers, and case studies, as well as evidence for research and government.

Crucially, we believe that rationalised information assurance policies – driven by evidence and data, rather than hyperbole and fear – are the best way to improve our clients’ security capabilities.
