Payment Card Industry (PCI) Readiness Assessments

PCI Credit Card & Security Compliance Services

 

Through its partnership with A-lign Security, A-lign CPAs is well positioned to jointly offer SSAE 16 and SOC 2 services to companies. A-lign Security is a Qualified Security Assessor Company (QSAC) and can provide PCI compliance services alongside A-lign CPAs' performance of SSAE 16 and SOC 2 audit services.

A Payment Card Industry (PCI) Readiness Assessment provides a company subject to PCI Data Security Compliance Standards with recommendations for remediation prior to submission of a self-assessment questionnaire or onsite PCI credit card compliance assessment by a qualified security assessor.

In today’s regulatory environment, stakeholders want to ensure that companies meet PCI credit card compliance and are compliant with regulatory and best-practice standards such as those related to the PCI, International Organization for Standardization (ISO) 27002, Healthcare Information Portability and Accountability Act (HIPAA), and Federal Information Security Management Act (FISMA).
 
We can ensure that your business operations are aligned with PCI credit card and security compliance requirements and regulatory standards.
 

PCI Assessment Scope Determination 

Aligning your PCI credit card and security compliance needs with your business operations takes a unique blend of experience and execution. Understanding the scope of the PCI security compliance request is often the hardest part of the engagement.
 
Our experience in performing PCI security compliance assessments will be invaluable in the scope determination phase. A-lign™ offers PCI compliance services and will work with client personnel and, if applicable, the client’s customer personnel to determine the scope of the compliance project and identify the sections of the compliance standard that apply to the project.
 

Preparation for Fieldwork and Testing Procedures

We understand that our clients’ time is extremely valuable. We will deliver an information request list and request that documentation be gathered prior to our onsite fieldwork. The information request list is typically sent four weeks prior to fieldwork. As necessary, we can conduct meetings to discuss our requests and ensure that the client fully understands each requested item. By gathering the documentation prior to our arrival, the client can ensure the lowest possible audit fee for PCI compliance services and increase the efficiency of their personnel.
 
Your A-lign point of contact for the audit is always available to answer questions regarding our information request list. We encourage our clients to utilize our secure A-lign™ ClientConnect to upload documentation to fulfill the information request. This allows our team to review the responses for completeness and begin our audit testing even before onsite fieldwork.
 
We will submit to the client, at least two weeks prior to onsite fieldwork, a project plan that outlines the areas we will be auditing each day of our audit testing. The project plan is reviewed by the client to ensure that no scheduling conflicts exist.
 

PCI Readiness Assessment Fieldwork and Testing Procedures

Onsite fieldwork and testing procedures are the most time-intensive part of the project for both the client and our team. The client’s completion of the information request list prior to our onsite visit greatly impacts the efficiency of the fieldwork and testing procedures phase. Our approach to testing includes both onsite and offsite testing. This method allows our team to limit our intrusion into the daily operations of our clients. Onsite fieldwork will consist of audit team members performing interviews, observation of processes, and sample testing for the in-scope areas.
 
  • By utilizing A-lign™ ClientConnect, offsite testing can be performed using the numerous means of electronic communication available.
  • By performing a portion of the testing offsite, we are able to provide our clients with an extremely competitive pricing model for the project.
 
We will perform a gap analysis to identify test results that were not in compliance with the PCI credit card and security standard. We will work with client personnel to draft recommendations to remedy the gaps. This is a crucial step in our process to ensure that all client personnel are in agreement with the recommendations and findings before they are presented to senior management.
 

Remediation Assistance

As the client remediates the identified gaps, A-lign™ will work hand in hand with the client to be a partner through the process. At no additional cost to the client, A-lign™ will approve the remediation effort and retest the control to ensure it was implemented and operating effectively.
 

PCI Readiness Assessment Reporting

The reporting format can vary based upon the client’s needs for the report and the audience the report is intended for. If the company is going to use the report for internal purposes only, then a non-attest consulting report for the company’s internal use would be the suggested format. If the client’s customer would like the client to provide a report directed at them, an agreed-upon procedures report would provide a form of attestation and allow the report to be shared with identified customers.
 
If multiple customers wish to have a report in the form of a service auditor’s report, the control objectives and criteria could be specified by the client’s customer and the control objectives could mirror the control objectives specified in a regulation.
 

For a free phone consultation or to learn more about PCI credit card and security compliance, please submit the short form to the right, or call 1-888-702-5446 today.


Industries

We serve start-up companies to Fortune 500 organizations around the world in: