Simple, Successful, & Accurate Compliance Results
The IT Security professionals at Cadence have years of experience helping businesses manage their Payment Card Industry (PCI) compliance. Our advisory and audit services can assist organizations of any size or industry who accept or process credit card payments. Our PCI services include:
Pre-Assessment & Compliance Preparation
Understanding and interpreting the PCI Data Security Standard (DSS) can be a daunting task, especially for organizations new to compliance. For organizations struggling to understand what they need to do to comply with the PCI DSS, we can assist with the following:
• Discovering the scope of the PCI environment
• Understanding where and why PCI requirements are applicable
As part of discovering PCI scope and understanding the applicable requirements, clients can expect a clear picture of their current status against the PCI DSS standard. Note that we have significant experience in assessing a wide variety of organizations – we can leverage this experience gained from across the industry in formulating recommendations to close PCI gaps.
Many businesses lack the need to fully staff project management personnel who assist gathering evidence and facilitating interaction between auditors and auditees. As such, Cadence personnel can step in to assist in any stage of the PCI lifecycle to help move PCI tasks forward – whether it is during gap analysis, pre-assessment, assessment, or helping the business stay on target for maintaining PCI compliance throughout the course of the year.
All entities who are required to be PCI compliant must have vulnerability scans performed by an Approved Scanning Vendor (ASV) at a minimum once a quarter (11.2.2/11.2.3). Cadence has partnered with a reputable ASV and can facilitate the successful quarterly ASV scans.
To help companies comply with the penetration testing PCI requirements (11.3.X), Cadence provides a full-service penetration testing team with deep expertise in vulnerability analysis, ethical hacking, and web application security. Cadence’s PCI-specific penetration testing service includes internal and external testing approaches, and covers both the application and network layers of the target environment. In addition, Cadence can facilitate the segmentation testing requirements.
PCI Compliance Reporting
Cadence is a Qualified Security Assessor Company (QSAC). This means that the PCI Council has certified Cadence to issue a formal opinion on the PCI compliance status of organizations we assess. The types of PCI reports Cadence issues or helps with are as follows:
1. Self-Assessment Questionnaires (SAQ) – If an entity needs assistance understanding the requirements/content of an SAQ, we can assist with interpreting the intent of the requirement.
2. QSA Attested Self-Assessment Questionnaires (SAQ) – In some cases, an entity will be required to have a QSA firm assist with and attest to the completed SAQ and accompanying Attestation of Compliance (AOC), of which Cadence is qualified to assist with.
3. Report on Compliance (ROC) – Otherwise known as a “Level 1” assessment. All “Level 1” assessments are required to be performed by a QSA. An accompanying Attestation of Compliance (AOC) is included with the issuance of the ROC. Cadence QSAs are involved in assessing environments for “Level 1” assessments on a daily basis.
Our goal is not to simply be a check-box audit firm; rather, our goal is to make our clients successful!
CISSP, CISA, A+Director of PCI Consultation/Assessments
Jonathan began working with Cadence in 2013, and is a technical lead for services related to information technology, with a specific emphasis in information security. As a technical lead & PCI Director, Jonathan focuses on PCI advisory and compliance. In addition, Jonathan supports the internal audit and IT risk management service lines. Prior to joining Cadence, Jonathan worked with various Fortune 500 companies where he specialized in the delivery of information technology risk advisory services including IT Security, PCI compliance and Data Loss Prevention.