PCI DSS Compliance And SAS 70 Audits | In-Depth Overview


    PCI DSS Compliance And SAS 70 Audits | In-Depth Overview - Presentation Transcript

    1. by Charles J. Denyer NDB Accountants and Consultants, LLP www.ndbcpa.com NDB, LLP
    2. Brief Introduction • SAS 70 Audits • Payment Card Industry (PCI) Compliance • For both SAS 70 and PCI: a mixture of content to give you a true understanding of each. • Question and Answer Session. Let’s Get Started! NDB, Accountants and Consultants
    3. Involved in Regulatory Compliance and Corporate Governance for 15 years. Extensive Background in SAS 70 Audits. Extensive Background in Payment Card Industry (PCI) Compliance. Frequent Author and Lecturer on Compliance. For more Information: http://www.sas70.us.com http://www.pciassessment.org NDB, Accountants and Consultants
    4. Auditing standard put forth in 1992 by the AICPA. Not well-known for many years (1992 – 2002). The Sarbanes-Oxley Act of 2002 revived the SAS 70 Auditing Standard. Since 2002, without question the most widely recognized and utilized auditing standard throughout the country (and globe) relating to internal controls. NDB, Accountants and Consultants
    5. So what really is a SAS 70 Audit? • An audit? • A process? • A certification? • A test? It is an audit conducted in accordance with the Statement on Auditing Standards No. 70 (SAS 70). • Over 110 SAS’s currently in use. • Formal guidance on how to conduct the audit is put forth by AICPA publications and www.sas70.us.com NDB, Accountants and Consultants
    6. SAS 70 Type I Audit • Called “Report on Controls Placed In Operation” • Controls are for a point in time (e.g., 8/27/2009) • Examples of “point in time” • Limited value and “street cred”. SAS 70 Type II Audit • “Report on … and tests of operating effectiveness” • Controls are tested over an agreed period (6 months) • This is the report everyone wants from your organization. NDB, Accountants and Consultants
    7. It’s a Technology Audit, pure and simple: Not True. I have to do a Type I before I do a Type II: Not True. It’s an audit with a Pass/Fail status: Not True. I only need to do a SAS 70 Audit once: Not True. • Once you have completed your first audit, welcome to compliance. SAS 70 Audits are limited to certain industries: Not True. NDB, Accountants and Consultants
    8. It’s a process-oriented audit revolving around your organization’s “control structure”. Technology plays an important role, but it is much more than technology: • Executive Tone (Senior Management) • Human Resources • Many other areas examined outside of I.T. A highly adaptive auditing standard used by almost any conceivable industry • Examples of industries NDB, Accountants and Consultants
    9. An audit done on almost any conceivable organization. Any entity that “processes, procures, resides, handles, transmits, or works with any type of data/activity/action deemed critical by an external party” is a SAS 70 candidate, pure and simple. • Pricing. A final note on two important SAS 70 elements: • A general control/standard report vs. a customized/business process report. NDB, Accountants and Consultants
    10. What exactly is PCI? • Payment Card Industry (PCI) Compliance • Many entities “involved” in the birth and continuation of the PCI compliance initiatives • A rather new compliance initiative, with roots tracing back to the VISA CISP framework. Presentation Agenda on PCI: • Discuss the critical “participants” of PCI from all sides. • Discuss all the components for PCI compliance. • Fact from Fiction, examples, and F.A.Q.’s NDB, Accountants and Consultants
    11. PCI stands for Payment Card Industry, more technically known as PCI DSS (Payment Card Industry Data Security Standards). • The PCI DSS is a “multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures” • The current PCI DSS standard is known as “Payment Card Industry (PCI) Data Security Standard, Version 1.2” • A lengthy document that lists requirements, tests to be completed, along with numerous other information. NDB, Accountants and Consultants
    12. Participants involved in the formation of the PCI DSS Major Payment Brands •VISA •MasterCard •American Express •Discover •JCB Payment Card Industry Security Standards Council (PCI SSC) •Publishing, oversight, guidance, training, etc. •Headquartered in Wakefield, MA NDB, Accountants and Consultants
    13. Entities that have to undergo Payment Card Industry (PCI) Compliance: • Merchants • Service Providers Entities that are responsible for conducting Payment Card Industry (PCI) Assessments in accordance with “PCI DSS Version 1.2” • Qualified Security Assessor Companies (QSAC) • Must have on staff a Qualified Security Assessor (QSA). • Approved Scanning Vendor (ASV) NDB, Accountants and Consultants
    14. So let’s review the key players and participants • Major Payment Brands • Payment Card Industry Security Standards Council (PCI SSC) • Merchants and Service Providers who have to undergo compliance • Qualified Security Assessor Companies (QSAC) • Qualified Security Assessor (QSA) • Approved Scanning Vendor (ASV) Companies NDB, Accountants and Consultants
    15. There are numerous components of PCI that merit discussion for truly understanding PCI compliance: • The different compliance initiatives and assessment procedures that companies may have to comply with (PCI DSS, PCI DSS SAQ, PA-DSS, PED). • Within these initiatives and assessment procedures, various documents to utilize for compliance. • A discussion on the key players (QSA, ASV, PA-QSA). NDB, Accountants and Consultants
    16. Hallmark and cornerstone of PCI compliance. When you hear the term “PCI” and “PCI Compliant”, this is often what many are referring to. Geared towards Merchants and Service Providers. Various levels and requirements for PCI DSS: • A QSA on-site assessment • Self-Assessment Questionnaires (PCI DSS SAQ) • It’s about Transaction Volume NDB, Accountants and Consultants
    17. PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. A 73-page document that covers 12 essential requirements for PCI DSS compliance. • This document is called “Payment Card Industry (PCI) Data Security Standard - Requirements and Security Assessment Procedures, Version 1.2” • https://pcisecuritystandards.org/security_standards/pci_dss.shtml • Geared toward Level 1 and Level 2 Merchants/S.P. NDB, Accountants and Consultants
    18. PCI DSS SAQ is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. There are FIVE (5) different PCI DSS SAQ’s. You need to pick the one that is right for you. • AOC SAQ A v1.2 • AOC SAQ B v1.2 • AOC SAQ C v1.2 • AOC SAQ D - Merchants v1.2 • AOC SAQ D - Service Providers v1.2 • https://pcisecuritystandards.org/saq/index.shtml NDB, Accountants and Consultants
    19. PA DSS compliance is geared to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. A 43-page document, detailing 14 critical areas to be covered in a PA DSS Assessment. • https://pcisecuritystandards.org/security_standards/pci_pa_dss.shtml So, if PCI DSS and PCI DSS SAQ are about what level a Merchant or SP falls into, who has to comply with PA DSS? For an ounce of clarity: PCI DSS covers Merchants/S.P., while PA DSS is concerned with application security. NDB, Accountants and Consultants
    20. Let’s take a look at software examples: • Computer-based payment software system for processing payments. • Middleware payment processing that offers multiple forms of inputs for processing (virtual terminal, API, COM, batch, POS Terminal, and ASP input forms). • Provides a single platform to support multiple payment technologies utilizing SSL, traditionally utilized by merchant acquirers and large e-commerce retailers. It’s not a black-and-white rule; thus, one must truly examine the software platform and its use. NDB, Accountants and Consultants
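Slides 19 and 20 state what PA-DSS asks of a payment application: never persist full magnetic-stripe (track) data, CVV2 or PIN data after authorization, and keep any stored PAN protected. The Python below is an added example, not code from the presentation or from NDB; it is the kind of storage check an assessor or an application vendor might run over persisted transaction records to find those prohibited fields. The record layout, the field names and the sample records (built from the common test card numbers) are constructed for illustration; the track-data patterns and the Luhn check are standard.

```python
import re

# Constructed sample records, the kind of rows a payment application might
# persist after authorization. The card numbers are the common test PANs,
# not real accounts, and the field names are an assumed layout.
SAMPLE_RECORDS = [
    # compliant: PAN already masked, no sensitive authentication data
    {"id": 1, "pan": "411111******1111", "amount": "19.99"},
    # prohibited: full Track 2 (PAN=expiry, service code, discretionary data)
    {"id": 2, "track2": ";4111111111111111=251210112345?", "amount": "42.00"},
    # prohibited: card verification value kept after authorization
    {"id": 3, "pan": "4111111111111111", "cvv2": "123", "amount": "7.50"},
    # prohibited: full Track 1 (PAN^cardholder name^expiry ...)
    {"id": 4, "track1": "%B4111111111111111^DOE/JOHN^2512101?", "amount": "3.00"},
    # prohibited: PIN block stored alongside a clear-text PAN
    {"id": 5, "pan": "5555555555554444", "pin_block": "0123456789ABCDEF", "amount": "100.00"},
]

# Field names that hold sensitive authentication data (SAD): card verification
# codes and PINs/PIN blocks. PA-DSS forbids storing these after authorization.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block"}

# Track 1 starts with the format code "%B", then PAN, "^", name, "^", YYMM.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Track 2 is PAN, "=", YYMM, service code, discretionary data.
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}")
# Candidate PAN: 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS 1.2 lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: dict) -> list:
    """Return the findings for one record; an empty list means it is clean."""
    findings = []
    for key, value in record.items():
        text = str(value)
        if key.lower() in SAD_FIELDS and text.strip():
            findings.append(f"{key}: sensitive authentication data stored")
        if TRACK1_RE.search(text):
            findings.append(f"{key}: full track 1 data stored")
        if TRACK2_RE.search(text):
            findings.append(f"{key}: full track 2 data stored")
        for pan in PAN_RE.findall(text):
            if luhn_ok(pan):
                # A PAN may be stored, but only rendered unreadable (PCI DSS req. 3.4)
                findings.append(f"{key}: PAN stored in the clear ({mask_pan(pan)})")
    return findings


def audit_records(records: list) -> dict:
    """Map record id to findings for every record that is not clean."""
    report = {}
    for record in records:
        findings = audit_record(record)
        if findings:
            report[record["id"]] = findings
    return report


if __name__ == "__main__":
    for rec_id, findings in audit_records(SAMPLE_RECORDS).items():
        print(f"record {rec_id}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run it directly to see the report; a clean data store yields an empty report. The PAN finding is kept separate from the sensitive-authentication-data findings because the two have different remedies: PCI DSS 1.2 allows a PAN to be stored if it is rendered unreadable, whereas track data, CVV2 and PIN blocks must not be stored at all once the transaction is authorized.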
    21. PIN Entry Device (PED): another compliance initiative pushed by the PCI SSC. Thus, to gain approval by the PCI Security Standards Council, PIN entry devices must comply with the requirements and guidelines specified below: • Testing and Approval Program Guide • Security Requirements: Encrypting PIN Pad Devices, Encrypting PIN Pad Devices 2.1, Point of Sale Devices, Point of Sale Devices 2.1 • Evaluation Vendor Questionnaires: Encrypting PIN Pad Devices, Encrypting PIN Pad Devices 2.1, Point of Sale Devices, Point of Sale Devices 2.1 • https://pcisecuritystandards.org/security_standards/ped/index.shtml NDB, Accountants and Consultants
    22. Frequently Asked Questions from potential clients: • How do I determine my “transaction volume” for purposes of identifying what level I fall under? • My data center is PCI compliant, so I’m PCI compliant also, right? • The payment processor I use is PCI compliant, so I’m also PCI compliant, right? • Is PCI all about technology or are there other areas to be concerned with? NDB, Accountants and Consultants
    23. Both SAS 70 and PCI Assessments will continue to form a cornerstone of security/compliance/corporate governance. • They are here to stay and will only grow in size, scope and requirements for organizations. • We live in a world of transparency, heightened security, and reliance on technology. • In summary, security systems and supporting controls around technology will also have to be audited in some form. NDB, Accountants and Consultants
    24. www.sas70.us.com www.pciassessment.org www.pcisecuritystandards.org NDB, Accountants and Consultants

    sas70pciauditor, 7 months ago

    Overview of the SAS 70 Auditing Standard and Paymen
