PCI Onsite Validation

Overview

As a Qualified Security Assessor (QSA), SAS 70 Solutions provides annual onsite validation of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). SAS 70 Solutions uses a refined assessment methodology that allows us to conduct a thorough assessment while minimizing the time and effort required of client personnel. Our professionals follow the current version of the PCI DSS, including its testing procedures, the Prioritized Approach, the quality assurance standards, and the reporting procedures set forth by the PCI Security Standards Council.

Following successful completion of the annual PCI DSS onsite validation, an organization can register its compliance status with the card brands. Once the registration has been reviewed and accepted, the organization is added to the card brands’ publicly available lists of compliant service providers, where applicable, distinguishing it from organizations that have not validated compliance with the PCI DSS.

Scoping

PCI onsite validation targets the client’s system components (network devices, servers, and applications) that are in or connected to the cardholder data environment. The cardholder data environment is the part of the network that stores, processes, or transmits cardholder data or sensitive authentication data, and the scope extends to third-party business partners that handle that data or have access to the environment. Segmentation is not itself a PCI DSS requirement, but without adequate segmentation the entire network is in scope; clients should therefore isolate the cardholder data environment from the rest of the network, and the assessor will verify that the segmentation controls are effective before relying on them to limit scope. Once the scope is defined and agreed, the cardholder data environment is assessed against the PCI DSS.

Deliverables

The primary deliverables of our PCI Onsite Validations include:

  • Detailed project plan for the audit
  • Comprehensive information request list allowing the organization’s personnel to gather documentation in advance of fieldwork
  • The standardized PCI Report on Compliance (“ROC”). Note that SAS 70 Solutions issues a ROC only to clients found to be in full compliance with the PCI DSS as of the date of the report
  • An internal-use-only report containing management recommendations for improvement and/or alternative (compensating) controls

Who Should Consider a PCI Onsite Validation?

The following are characteristics of the ideal candidate for PCI Onsite Validation services:

  • Level 1 service providers and merchants (as defined by the card brands)
  • Any service provider or merchant that has suffered a compromise and is consequently required by the card brands to undergo annual onsite validation
  • Service providers that are unsure of their transaction volume or validation level but wish to be listed on the card brands’ online lists of compliant service providers

To learn about our complementary PCI advisory services click here.

For more information about PCI compliance please click here.