BCH Level 1 PCI Program Adjudged “Outstanding” by QSA
In this month’s blog, we thought we’d let you into some of the rigours we recently faced when we had our annual Level 1 audit. You’ll be able to see the dividing line between Level 1 status and Levels 2, 3 and 4, and understand why it’s important to outsource your PCI DSS compliance to a Level 1 service provider. Ultimately, we hope you’ll appreciate the value of the QSA’s comments:
BCH is “… outstanding in its approach to PCI and how it runs its program…”
We’re pleased to report that our approach and how we run our program was judged to be “outstanding” and one which is untouched by “FTSE 100 companies through to smaller companies.”
We know our program inside out; after all, we’ve developed it from the ground up and, unlike many other service providers, we’ve never utilised any compensating controls. This effectively means that our program is future-proofed against subsequent changes in regulations.
Level 1 audit highlights the widening gap between level 1 and level 2 PCI approval
In our May blog, we chatted about the importance and advantages of outsourcing PCI DSS compliance to a Level 1 service provider. We also talked about the temptation for a company to settle for lower-level PCI approval, since securing this is a less arduous process. A company can, for example, complete a Self-Assessment Questionnaire (SAQ) rather than undergo the full rigours of a Qualified Security Assessor’s (QSA) visit. The quality and amount of any homework done to complete an SAQ is largely at a company’s discretion, since this work is never going to be marked by the QSA. Of course, it’s not that simple to achieve Level 1 status. In fact, it’s a whole new ball game, where every single element of your preparatory work is thoroughly checked by the QSA in minute detail. If this ticks all the right boxes then, and only then, will an annual Report on Compliance be granted to confirm that a company meets the rigours demanded for Level 1 PCI DSS approval.
A new culture of actively policing PCI DSS
The audit was certainly more rigorous than any other and reflected the PCI Council’s new culture of actively policing PCI DSS. Previous audits have been akin to prepping sufficiently so that we could be ready to answer a set of the most likely questions. However, in the 2019 audit, our live systems were consistently checked. In fact, the QSA arrived at 9am on Monday and finally left at 5pm the following Friday. This new culture of actively policing PCI DSS is due, almost certainly, to the changes necessitated by the forthcoming new and more stringent Version 4 of PCI DSS: https://blog.pcisecuritystandards.org/pci-dss-looking-ahead-to-version-4.0
More than just prepping homework
Each and every staff member was interviewed. This included staff who were not responsible for PCI DSS and who had not even been privy to our homework!
We’d prepared well and had compiled screenshots of various systems to demonstrate that processes had been carried out according to protocol. However, the QSA wanted to actively monitor our systems. To this end, live network monitoring software was loaded to double-check compliance.
We were asked to download firewall logs in real time, on demand, for randomly chosen days. Most of the logs were barely two days old.
A live “break glass” emergency was conducted to replicate a scenario in which our system had failed and, in turn, to confirm that we actually did what we were meant to do.
Looking ahead - stringent audits are a fair price to pay to maintain quality and security
QSAs are now tasked by the PCI Council not only to mark a company’s homework but to actively police PCI DSS as well. The PCI Council is well aware that more stringent audits will undoubtedly hasten a fall in the number of companies achieving and maintaining favourable Level 1 status. Its view is that this is a fair price to pay to enhance validation methods and procedures, and to protect the safety of payments by promoting security as a continuous process.
Going forward, compliance can only get harder as the QSAs gear up for Level 4 and a new raft of additional requirements. Compliance is something which has to be achieved not only now, but each and every year, no matter what challenges regulatory changes bring. This simply reinforces what we’ve said before about the widening gap between Level 1 and Level 2. If businesses outsourcing compliance want to ensure a robust and resilient culture of secure payment practice, they should by definition outsource to an accredited Level 1 service provider with an active PCI DSS development program which is already securing its systems to meet Level 4 accreditation.
Our PCI accreditation has led to a wide range of market-leading solutions being developed. For more information about the options and how PCI compliance can benefit your business, see here.