Tuesday, February 12, 2008

Understanding Third-Party Vendor In PCI Compliance

Recognizing the value of outside assistance in achieving PCI Compliance

While some companies do elect to develop, deploy, assess and penetration test a compliance strategy on their own, others find that there are certain advantages to using a third-party vendor for these activities. For some organizations, an outside vendor can provide external validation that the appropriate processes and policies are in place; this validation can provide reassurance to customers, partners, shareholders and card issuers. A third-party vendor can also provide an objective analysis of your current compliance status, along with recommendations for closing any gaps.

When compliance validation activities are executed in house, company officials become fully liable for any omissions or errors. Using a third-party vendor can shift the risk away from corporate management. Companies can conduct their own penetration testing if they prefer. Quarterly external network scans are required for the majority of merchants and service providers, and these scans must be performed by an approved third-party assessor. When companies reach a certain threshold of payment card transactions, a certified PCI assessor must be used to validate PCI compliance. The PCI Security Standards Council manages a Qualified Security Assessor (QSA) program, ensuring that assessors are fully certified to conduct PCI assessments.

Selecting a Third-Party Vendor:

Allowing a third-party assessor to sift through your data can be a scary proposition, so it's important to choose a trusted, experienced, certified provider that understands the PCI standard in relation to your industry. The ability to handle all phases of your PCI compliance validation, from pre-assessment through report of compliance (ROC) submission, is key. Your vendor should be willing to offer you multiple alternatives for achieving the same level of protection and should provide you with a detailed roadmap in each case. The assessor's core competency should extend beyond compliance services to addressing your overall security posture and providing recommendations for securing your infrastructure. The services provided should be clearly delineated, particularly if the contract spans multiple years.

As you proceed through the selection process, you should ask yourself these questions:

  • What am I getting for my investment? Do I receive simply the output of a scan, or do I benefit from the vendor's security expertise?

  • How customized is the assessment that this vendor offers me?

  • Is my vendor fully certified to perform all phases of the PCI compliance validation?

  • Has this vendor fully explained the timeline involved in the process? From pre-assessment through ROC submission, the process can take from 9 - 18 months; am I prepared for that?

In short, you want a trusted security adviser that can be your advocate to your acquirer bank and payment card companies.