The Payment Card Industry (PCI) developed the Data Security Standard (DSS), which merchants and service providers that process, transmit or store credit card data are required to strictly adhere to. Irrespective of the number of credit card transactions a merchant or service provider handles, they are required to comply with the PCI DSS.
Kyte Global is a validated Qualified Security Assessor Company and can offer its services to merchants and service providers throughout Europe, the Middle East and Africa, the USA, Latin America and Asia, as well as other regions. Kyte can assist you in becoming fully compliant and/or can review your operation to certify that you are PCI DSS compliant.
One of the requirements is a quarterly scan by an Approved Scanning Vendor (ASV) to test your website for vulnerabilities. Kyte Global can provide this service as a subscription to our online scanning portal.
The importance of Attack & Penetration Testing
Another very important requirement of PCI DSS is to conduct Attack and Penetration Testing. We are proud to offer this service not only as a means to satisfy the requirement but to ensure that any holes in the system are patched in a timely manner. The penetration test involves a considerable amount of manual testing. Testing is conducted both externally and internally and can take the form of white box or black box testing. Network as well as application layer tests are conducted as part of the exercise. We are confident that customers will find our fees for such a service extremely competitive. Testing will be carried out based on the latest version of the PCI DSS.
We can assist you with PCI DSS Compliance as well as Certification. We know very well that a one-size-fits-all approach to interpreting PCI DSS requirements does not work. In fact, it is this approach, adopted by some assessors, which causes many companies to go over time and over budget in their efforts to achieve compliance. We believe that each company has to be assessed by taking into consideration its size, resources, business constraints and risk exposure.
SAQ (Self-assessment Questionnaires)
SAQ A, A-EP, B, B-IP, C, C-VT, P2PE-HW, D
For merchants that are obliged to validate compliance through a Self-Assessment Questionnaire, we are happy to be of service by assisting with understanding the intent behind the requirements, validating whether requirements are actually in place or not, and working with the merchant on implementing solutions. Although this is not a certification and hence does not involve a considerable amount of testing, we will walk with you for the entire project until successful completion.
For merchants that process or transmit personal identification numbers (PINs), the PCI Council has published the PIN Security Requirements. Kyte is a Qualified PIN Assessor (QPA) and can perform assessments to determine whether organizations are securely managing, processing, and transmitting PIN data during online and offline payment card transactions. An important part of the PIN assessment involves testing the encryption and key management of PIN transactions, as well as the secure management of processing equipment. The requirement for PIN assessments is such that QPAs (auditors) need to be rotated after 2 assessments. Contact us if you would like us to perform your next assessment.
3DSecure (PCI 3DS)
Kyte is also validated as a PCI 3DS assessor and can provide Issuers, Acquirers as well as Processors with certification under the PCI 3DS Standard. This certification applies to all entities that operate under the EMVCo specification.
CaaS (Compliance as a Service)
Our experience in conducting PCI DSS assessments has shown us that, despite all the good intentions, companies fail to carry out their compliance tasks diligently, especially when these involve tasks that have to be carried out on given dates. Failure to carry out a task on time can have serious consequences, not only because it could result in the absence of certain controls, which can put the company at risk, but also because it could lead to failure to achieve compliance when the certification renewal date approaches.
Kyte has come up with a service that encompasses all those tasks that are often forgotten or not carried out in a timely fashion. This service, termed Compliance as a Service, sees Kyte working with your team to make sure no requirement is left out. The service is provided in a way that does not constitute a conflict of interest when we are also your assessors.
The service includes:
- Quarterly vulnerability scanning
- Annual training in Secure Coding, Security Awareness and Incident Response
- Reminders and follow-up on all those tasks to be carried out monthly, quarterly, six-monthly and yearly
- Incident Response in case of a security event or a breach, by making a security engineer available within a few hours.
Can I choose whether to go for full certification or an SAQ?
This usually depends on the Acquirer. Service providers are usually required to undergo a Level 1 onsite assessment. The validation method for a merchant is usually dependent on the volume of transactions processed. Any entity processing 6 million transactions or more needs to carry out an onsite assessment, as an SAQ would not be adequate.
Is an SAQ easier than a full certification? Can I choose to validate through an SAQ and plan for a certification at a later date?
This depends on whether you are even eligible for an SAQ or not. If you are eligible for an SAQ, you would need to determine which SAQ is right for you, based on the nature of your credit card processing. For the sake of this question, it is pertinent to note that an SAQ D contains all the requirements that are requested for an onsite assessment, and consequently the same effort is required to comply. The only difference is that an onsite assessment requires an audit, which involves detailed testing by your QSA. The plus side is that, for the same effort, an onsite assessment results in a certification whereas an SAQ does not.