Payment Card Industry (PCI)
PCI DSS Services
Through its partnership with A-lign Security, A-lign CPAs is well positioned to jointly offer SSAE 16 and SOC 2 services to companies. A-lign Security is a Qualified Security Assessor Company (QSAC) and can provide PCI compliance services alongside A-lign CPAs' performance of SSAE 16 and SOC 2 audit services.
The Payment Card Industry Security Standards Council was formed by the five major payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., to align their individual security requirements for the payment card industry. Navigating the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”) requires a deep understanding of information security and of the PCI DSS requirements themselves. A-lign’s security professionals have a broad range of experience in the payment card industry from processor, merchant and compliance perspectives. If your company stores, processes or transmits cardholder data, you need to understand the compliance requirements that apply to you. We are positioned to help you through each phase of compliance with one of our PCI DSS services.
As a PCI Security Standards Council (“PCI SSC”) registered Qualified Security Assessor Company (“QSAC”), A-lign is authorized by the PCI SSC to perform security assessments that validate organizations’ compliance with the requirements of the PCI DSS. A-lign’s team of information security professionals has extensive experience validating clients’ compliance with the PCI DSS.
A-lign can assist your organization through the following stages. Each stage can be performed individually or as a complete PCI DSS engagement.
PCI Assessment Scope Determination
Understanding the scope of the PCI DSS compliance audit is often the biggest challenge for companies in the payment card industry. An improperly scoped cardholder data environment leads to spending unnecessary resources bringing systems and processes into PCI DSS compliance that should never have been in scope. A-lign™ offers PCI compliance services to determine the scope of the compliance project and identify the applicable sections of the standard.
PCI Readiness Assessment
Whether you are new to the requirements of the PCI DSS or are transitioning from a self-assessment questionnaire to an onsite engagement performed by a Qualified Security Assessor (“QSA”), we can ensure your organization is prepared by performing a PCI DSS readiness review. This high-level assessment benchmarks your current processes and controls against the requirements of the PCI DSS without the need for extensive document collection and report preparation, which reduces the impact on your organization, both operationally and financially.
We will perform a gap analysis to identify gaps between your current controls and the PCI DSS requirements, then work with the process owners to draft recommendations to remediate those gaps. This is a crucial step in our process: it ensures that all personnel agree with the findings and recommendations before they are presented to senior management. As you remediate the identified gaps, we will work hand in hand with you through the process of implementing controls. At no additional cost to you, we will review the remediation efforts and retest the controls to ensure they were implemented properly and are operating effectively.
On-Site PCI DSS Assessment
Our approach to performing PCI DSS assessments is tailored to our clients. Our QSAs view each client as a unique partnership to learn, understand and work with you to validate your compliance with the PCI DSS. We understand the impact an information security assessment of this type can have on your organization. A-lign has developed an efficient process for gathering evidence, performing on-site fieldwork and drafting the Report on Compliance (“ROC”) and Attestation of Compliance (“AOC”) to minimize impact to your organization.
Prior to coming on-site, A-lign provides a detailed documentation and evidence request list, giving your personnel sufficient time to identify and gather the requested evidence. The documentation is then provided to and reviewed by A-lign before the on-site visit so the QSA is already familiar with your processes and procedures. This helps mitigate the “fire drill” approach to gathering evidence while we are on-site.
In addition to the request list, we will provide a project plan and an interview schedule to allow your PCI DSS project coordinator to schedule the necessary time with the process owners in advance so they are aware of the time commitment needed during the on-site assessment.
While on-site, the QSA works efficiently to perform the required fieldwork with minimal impact to your company. Our team of professionals has over 10 years of information systems security and auditing experience. We understand what it takes to complete the on-site portion of the work and have developed a process to complete the on-site testing as quickly as possible while still performing thorough testing procedures.
At the conclusion of the fieldwork, the QSA provides a status report identifying areas where you are not in compliance with the PCI DSS. Our QSA works closely with you to remediate the open items and will review the new evidence to ensure the requirements are met.
Once all items are remediated and you are fully compliant with PCI DSS, the QSA will draft the ROC and AOC in accordance with the PCI SSC reporting guidelines. We will work with your management team to guide the submission of the appropriate documentation to the card brands or sponsoring financial institution to confirm your compliance with the PCI DSS.