Achieving compliance with PCI’s standards requires organizations to dedicate significant resources to this effort. Whether compliance is with PCI DSS, PA-DSS, or the P2PE standard, many entities would probably agree that the ritual of compliance can be a costly one. Unfortunately, more resources must be spent to confirm compliance if there are any changes to the organization, software, or solution, or if there are modifications within the PCI requirements.
Many organizations achieve compliance and then reach out to their QSA to confirm compliance is maintained once a change occurs. This route could be costly as compared to having a Support and Maintenance service in place. Through this service, an organization essentially has a QSA on retainer for compliance consulting should changes occur within the organization or with the PCI standard.
Dara Security currently offers support services for PCI, PA-DSS, and P2PE:
PCI Monitoring and Updates
PCI Monitoring and Updates is designed to help determine how potential changes in the organization may impact PCI compliance and to stay informed of PCI DSS developments. This service provides our clients with expert advice from Dara’s QSAs for up to ten (10) hours per year in the following ways:
· Advisory Sessions: As an organization considers implementing changes that may impact PCI compliance, Dara’s experts will be available for consultation to ensure that these changes are implemented in a way that does not preclude compliance with the PCI DSS requirements.
· Updates: As the PCI Security Standards Council updates and modifies PCI DSS requirements; Dara will provide relevant information as appropriate and necessary for business and regulatory processes.
In addition, it provides ongoing operational support in the form of reminders and a portal to allow the organization to upload ongoing compliance evidence. This service will provide:
· Quarterly Reminder: Reminders to upload PCI DSS evidence to a provided portal for operational PCI DSS requirements such as wireless test results, vulnerability test results, and system/application change tracking evidence.
· Annual Reminder: Reminders to upload PCI DSS evidence to a provided portal for operational PCI DSS requirements such as penetration testing, application testing, and policy updates.
· Information Reviews: Reviews of provided evidence to confirm they meet PCI DSS requirements to allow one to make any needed changes in order to maintain PCI DSS compliance.
PA-DSS Support and Maintenance
The PCI PA-DSS program requires that software vendors update their software version and change status annually. This involves the filing of an annual Attestation document stating if changes have been made and if so, what changes. The PA-DSS program guide defined four (4) types of changes: Administrative, No-Impact, Low-Impact, and High-Impact.
Dara Security PA-DSS Support and Maintenance program is designed to assist an organization in maintaining compliance and filing of PCI SSC required documentation. This service will include:
· Quarterly notification to request if any changes have been made;
· Review of Changes to confirm change type;
· Creation of required Attestation of Validation indicating changes;
· Creation of PA QSA Change Impact document;
· Submission of all documentation to the PCI SSC; and
· Notification and filing of Annual PCI SSC Validation Documentation.
Changes deemed to be “Administrative” or “No-Impact” based upon the current PCI SSC PA-DSS Program Guide will be processed as a part of this support service. Required testing for “High-Impact” and “Low-Impact” changes will be addressed under a separate Scope of Work (SOW) under a discounted rate. Dara can be contracted for PA-DSS support and maintenance service up to the PCI SCC listed expiry date of the PA-DSS standard under which the application was validated. Support may be needed for up to 3 to 6 years, depending on the assessment year for the application.
P2PE Support and Maintenance
The PCI P2PE program requires that vendors update their solution status annually and upon any changes. This involves the performance of an “Interim Self-Assessment” and filing of an Annual assessment indicating if changes have been made to the solution and determining if such changes are considered Designated Changes, Administrative Changes, or Non-Designated Changes.
Administrative Changes are defined as changes to any of the following:
· solution name,
· company name,
· solution description
Designated Changes are defined as one of the following:
· Adding/Removing PTS POI Devices
· Adding/Removing P2PE Components
· Adding/Removing P2PE Application
Non-Designated changes are:
· all other changes and are addressed in the Annual “Interim Self-Assessment”.
Dara Security PCI P2PE Support and Maintenance program is designed to assist you in maintaining your compliance and filing of PCI SSC required documentation.
This service will include:
· Review of changes to confirm change type
· Creation of the required Annual Interim Self-Assessment Attestation Documentation
· Guidance on delivery of Attestation Documentation to the PCI SSC
For Administrative Changes, the service will include:
· Review of P2PE PIM to ensure it is properly updated
· Updating of P2PE Report of Validation to reflect the Administrative Change
· Creation of the P2PE Change Impact Documentation
· Creation of the P2PE Attestation of Validation for Administrative Change
· Submission of all documentation to the PCI SSC
For Designated Changes, the service will include:
· Review of P2PE PIM to ensure it is properly updated
· Updating of P2PE Report of Validation to reflect the Designated Change
· Creation of the P2PE Change Impact Documentation
· Creation of the P2PE Attestation of Validation for Designated Change
· Submission of all documentation to the PCI SSC
· For Designated Changes, service does not include testing required to validate designated change. Testing of changes will be afforded at a discounted rate.
Dara can be contracted for P2PE support and maintenance service up to the PCI SCC listed “Reassessment Date” for the P2PE standard under which your particular solution was validated.
