With all the buzz about the upcoming PCI DSS v4.0 release, it can be helpful to understand the nuts and bolts of how an organization becomes (and remains) compliant. For some merchants, one of the elements of annual compliance is the completion of a PCI DSS audit or gap analysis. These reviews can be conducted by a person who has been certified as a Qualified Security Assessor (QSA). In fact, if your organization is a Level 2 or Level 1 merchant with more than 1,000,000 credit card transactions per year, then you must have an independent review of your compliance.
As impartial third parties, QSAs are hired by merchants subject to the PCI Data Security Standard to conduct PCI assessments. During a PCI assessment, a QSA may complete a Report on Compliance (ROC) as they determine whether an organization has fulfilled the 12 PCI categories of compliance. Upon completion of the assessment, the ROC can be sent to the organization’s acquiring bank or used internally as part of an annual PCI compliance process.
With nearly 378 QSA companies that are certified by the PCI Council across the globe, it can be helpful to understand the difference between one of these companies and Arrow Payments. We operate as Payment Solutions Advisors or QIRs (Qualified Integrators & Resellers) that can assist with selecting, implementing and supporting payment systems. Both a QSA and Arrow Payments can be necessary to efficiently and cost-effectively help organizations meet the requirements of the PCI DSS and ensure that compliance remains streamlined while reducing the scope where possible. Let’s look at the main differences between a QSA and Arrow Payments.
Advising on PCI compliance and related issues is something that both QSAs and Arrow Payments may assist with. That said, QSA companies are certified to assess security and compliance based on the existing payment processes that are in place today. This is an important aspect of the PCI DSS. But how do you address the need to select and upgrade payment systems so that your organization reaches the future state it is looking for, with less PCI compliance complexity, fewer resources and lower costs?
QSAs can recommend using technology like P2PE (Point-To-Point Encryption), but Arrow Payments can review your existing payment processes and software to recommend and implement the specific P2PE solutions that will be best for your environment. We like to get our hands dirty and go into the weeds of what is working with your payment systems, what could be easier, what could be more cost-effective and what goals you want to achieve.
Rather than focusing solely on determining your current situation, working with both a QSA and Arrow Payments can be very complementary. Your QSA formally reviews the compliance aspects of your operations and points out gaps, while Arrow Payments works to deploy solutions that improve the security, efficiency and cost-effectiveness of your payment processes.
Since the main job of a QSA is assessing whether or not your organization meets compliance requirements, the actual remediation of any issues is left up to you. In fact, QSAs are supposed to remain unbiased without making recommendations on which technology vendors can fix problem areas. From the perspective of Arrow Payments, we do not offer any proprietary technologies to help clients upgrade their payment systems. Instead, we provide a full analysis of a client’s payment processes and advise on which vendors can best address each situation.
From there, we help with determining budgets, negotiating terms, developing remediation plans, managing project timelines, coordinating across multiple vendors, training users, overseeing technology integrations and supporting the ongoing usage of various payment technologies. Arrow Payments is a single point of contact providing expertise across all of your payment systems with a white-gloved approach to ensuring your success.
Working with both a QSA and Arrow Payments provides the best of both worlds: QSAs produce the raw report that identifies gaps and problems while we consult to create and execute a streamlined game plan to address issues and coordinate any necessary implementations.
QSAs provide audits, but they do not implement solutions. Arrow Payments can take your QSA report, turn it into an actionable plan for improvement and navigate a roadmap of solutions you select. Whether it involves deploying campus-wide P2PE solutions or integrating ERP and payment systems, we provide the experience your organization can depend on to move faster towards upgrading payment systems and achieving your goals. Then a QSA partner can come in post-implementation to validate compliance and confirm that everything has been remediated.
Payments Yin & Yang
Arrow Payments has deep experience working alongside QSAs to help complex organizations meet compliance requirements, simplify scope and reduce costs. We specialize in conducting a full discovery of all payment systems, vendors and technologies to deliver thorough recommendations on the ideal solutions for your unique situation. We don’t charge hourly rates. Instead, we provide flexible guidance through project- or goal-specific budgets based around your desired business outcomes. We understand how complex PCI compliance and payment systems can be across multiple departments and locations. Not only can we help make compliance a seamless process, but we can facilitate payment initiatives beyond PCI. Contact us today and learn how we can help you lead an innovative payments strategy.