AT&T Consulting is a Payment Card Industry (PCI) Qualified Security Assessor (QSA), a Payment Application Qualified Security Assessor (PA-QSA) and a Qualified Incident Response Assessor (QIRA). We work closely with you to gain a strong understanding of your business model and the critical supporting components and systems. This allows us to not only perform your assessment, but also to provide strong strategic and tactical advice in the event that a PCI objective or control is not met or you experience a data breach. This offer includes program management, PCI health checks, readiness assessment, incident response and forensics, trusted advisor subject matter expert guidance and annual PCI compliance assessments.
Annual PCI Compliance Assessment
This assessment delivers the annual review of your PCI environment, established processes and personnel according to PCI specifications for networks, servers and databases involved in the transmission, storage and processing of credit card data. The key activities include:
- Conduct interviews
- Examine policies, procedures, and other key documentation
- Review key device configuration
- Deliver results in "Report of Compliance" and "Attestation of Compliance"
Trusted Advisor
AT&T Consulting takes a collaborative Trusted Advisor approach, working closely with your organization to gain a strong understanding of your business model, cardholder data flows, cardholder data repositories, network architecture and the systems that support the business. This allows us to perform a thorough assessment while we are on site and, more importantly, puts us in a position to provide strategic and tactical advice in the event that a PCI objective/control is not met. Our tactical advice consists of recommendations to address gaps; our strategic advice consists of root cause analysis of any PCI-related gaps and guidance on security best practices. The key activities of this service are:
- Provide PCI Subject Matter Expert strategic guidance
- Create, implement, and manage policies, procedures, and on-going user education
- Develop and manage maintenance schedules
Readiness Assessment
The Readiness Assessment is a proactive method for assisting organizations that need to become compliant with the PCI DSS. AT&T Consulting provides objective advice on the current state of your security management practices before you embark on gaining PCI compliance. AT&T Consulting performs an on-site PCI assessment to create a draft Report of Compliance and a Remediation Roadmap, a strategic plan for addressing any gaps that would prevent you from becoming PCI compliant. The key activities include:
- Conduct interviews
- Examine policy, procedures, and other key documentation
- Review key device configuration
- Provide results in PCI Remediation Roadmap
PCI Program Management and Health Check
PCI Program Management: The AT&T Consulting PCI Program Management service provides a comprehensive approach to PCI compliance as a program, thinking beyond the individual project. Our Program Management Framework (PMF) was developed to enable the world's largest companies, and those with the most complex PCI compliance challenges, to cost-effectively build and sustain compliance. The key activities of this service include:
- Ongoing management of compliance/governance program
- Managing policies, procedures and on-going user education
- Developing and managing maintenance schedules
PCI Health Check Service: Achieving PCI compliance is no small undertaking. Since PCI compliance is a "snapshot in time", AT&T Consulting offers the PCI Health Check service to review the PCI Data Security Standard (PCI DSS) controls that historically present the greatest challenges to maintain. The overall goal of the Health Check is to provide consulting on the PCI DSS, act as an advisor in creating solutions that meet PCI requirements, and assess how effectively your company is maintaining PCI compliance. While this effort will not necessarily validate full compliance, it will help determine the overall effectiveness of your PCI program and bring to light areas where the company has slipped out of compliance.
PCI Qualified Incident Response Assessors
AT&T Consulting is among the select group of authorized incident response assessors permitted by the card companies to perform incident response in the event of a security breach where cardholder data may be at risk. We are qualified to perform QIRA assessments, leveraging our depth of experience in both PCI and forensics, and we are one of the few companies qualified to perform PCI investigations as well as PCI DSS and PA-DSS assessments. All QIRA investigations are performed in accordance with the standards set forth by the card companies and accepted by acquirers and processors worldwide. We are among the few certified Qualified Incident Response Assessors authorized to conduct PCI investigations worldwide, and our consultants speak many languages.
Payment Application Data Security Standard Assessment
As part of this service, we work closely with you to gain a clear understanding of payment applications and business needs, while assisting in meeting all of the rigors of the PA-DSS Standard.
PA-DSS Assessment for Certification
AT&T Consulting's methodology for conducting PA-DSS assessments is comprised of four (4) phases:
- Testing Phase - AT&T Consulting combines both automated and manual testing in order to assess payment applications against the PA-DSS standard. The technical resource on site installs the application, tests it against the PA-DSS requirements and performs all aspects of processing transactions (entering a credit card for payment, authorization and settlement).
- Documentation Review Phase - AT&T Consulting collects and reviews the documentation required by the PA-DSS standard to ensure it provides the level of detail needed to meet compliance. This is completed by the project lead.
- Collection Phase - AT&T Consulting obtains evidence during the testing phase and during the shoulder-surfing activities.
- Forensic Phase - Our consultants analyze the imaged hard drives to ensure the payment application does not inadvertently store prohibited cardholder data.
Trusted Advisor Consulting
As a strategic partner, AT&T Consulting will work closely with you to gain a clear understanding of your business model. This helps position AT&T Consulting to make effective recommendations that align with your business needs. The following are key components of the Trusted Advisor methodology:
- Advocate security in the environment
- Offer expertise and support for the overall application security mission
- Assist you with building a security program where compliance is a natural process
- Provide a PA-QSA for project management services over the course of the project
- Assist with prioritizing security tasks for compliance by risk, etc.
- Offer subject matter expert(s) to provide advice on penetration tests and vulnerability assessments
Security Penetration Testing of Payment Applications
AT&T Consulting focuses its security testing on security best practices, requirements within the Payment Application Data Security Standard (PA-DSS) and Open Web Application Security Project (OWASP) vulnerabilities.
Documentation Review / Management
AT&T Consulting helps you include the appropriate level of detail to meet the documentation requirements in the PA-DSS Standard.
Product Briefs
- PCI Program Management Product Brief
- PCI Remediation Product Brief
- PCI Enterprise Compliance Solutions Product Brief
- SureScan Payment Card Industry Approved Scanning Vendor Solutions
Service White Papers
- Mobile Payment Applications: Can They Be PCI Compliant?
- Not all QSAs are created equal
- Hidden Pitfalls in the Pursuit of a Payment Application Certification
- Hitchhiker's Guide to Payment Card Industry Data Security Standard (PCI DSS) 2.0
- PCI State of the Industry for Contact Centers/BPOs
For more information, please refer to our PCI Blogs.