MasterCard is now requiring both Level 1 and Level 2 Merchants to undertake an annual on-site assessment by a Qualified Security Assessor, known as a QSA. This is significant because there are a large number of Merchants that used to be able to "self assess" with a self assessment questionnaire. This is no longer the case, and merchants will have to become compliant with this new provision by December 31, 2010.
Thus, Mastercard strongly encourages all Level 1 and Level 2 Merchants to seek out a QSA to help begin this process, which can be arduous and time-consuming, to say the least.
Some helpful hints are to conduct a PCI DSS Readiness Assessment and to also make sure your organization has PCI DSS policies and procedures in place for meeting the requirements as stated in the PCI guidelines.
For Merchants, there are essentially four (4) levels that any organization may fall into regarding compliance. If you fall into the Level 1 category, then be prepared to have an actual on-site Payment Card Industry Data Security Standards (PCI DSS) assessment conducted. The same can be said for Service Providers who have been identified as a Level 1.
Follow these helpful links for learning all you need to know about the varying levels of compliance and what their specific requirements are:
Obtaining a sample SAS 70 Type II Report is quite simply the best and most practical way to truly learn and understand what a SAS 70 audit encompasses. Many service organizations today are having to comply with the growing surge of regulatory compliance mandates, and SAS 70 Type II compliance is quickly becoming one of the most common and well-recognized compliance audits that must be undertaken.
A quality SAS 70 Type II audit that is conducted by a reputable CPA firm specializing in SAS 70 audits will contain a number of essential and core components within the audit report itself. Generally speaking, the following items will be found in a SAS 70 Type II audit report.
Cover Sheet
Table of Contents
Service Organization Overview (Products and Service, Management Bio, etc.)
Narrative Discussion on the Five Elements of Internal Control
Narrative Discussion on the Service Organization's General Controls
Narrative Discussion on the Service Organization's specific business process controls.
Test Matrix
Other additional supporting information
Additionally, if you want to learn more about SAS 70 Type I and SAS 70 Type II audits, then visit the Official SAS 70 Resource Guide.
Defining scope for a SAS 70 audit is fundamentally one of the most important activities to be undertaken for the audit itself. What's more, it's a collaborative process that is driven by your organization and the external CPA firm conducting the SAS 70 audit.
So, with that said, here are some of the finer points you need to identify and discuss regarding SAS 70 audit scope:
1. If a SAS 70 Type II audit is to be performed, identify the test period (e.g. 6 months, 10 months, 12 months).
2. Identify all physical locations that will have to be visited for fieldwork for the SAS 70 audit.
3. Identify all outsourcing providers that YOUR organization uses, as they may be impacted and brought into the scope of the actual audit. Discuss these vendors with the CPA firm conducting the audit. Note: Data centers and managed service providers are common entities that often fall into the scope of a SAS 70 audit, so if you are using this type of facility, inform the auditors.
4. Identify and discuss the auditor's testing methodology; that is, how are population and sampling arrived at, what frameworks and benchmarks/standards are the auditors employing, and what constitutes an "exception" in the eyes of the auditing firm for purposes of the SAS 70 audit.
5. Discuss billing and pricing for the SAS 70 audit. Are you getting a fixed fee for the audit or is it hourly? If a fixed fee, are there any other expenses that may also be incurred outside of the fixed fee?
SAS 70 certification (more technically known as SAS 70 "compliance") is gaining momentum and recognition in many industries today. The growth of regulatory compliance, security and governance has pushed SAS 70 audits to the forefront of business, and it's not going away. Rather, we will continue to see an upswing in SAS 70 audits performed on organizations, along with growth in almost any type of audit or assessment revolving around internal controls.
Thus, there are some basic elements that you should be aware of regarding SAS 70 audits if your organization is to embark on SAS 70 Type I or Type II compliance.
First and foremost, find a CPA firm that provides a Fixed Fee for the audit; a fee which includes all out-of-pocket and travel-related expenses.
Second, properly identify the scope of the audit, which will entail the following:
1. Is our organization undertaking a Type I or a Type II audit?
2. If a SAS 70 Type II audit, what is the test period?
3. Is the audit simply a general controls SAS 70 audit, or are there specific business process provisions that will be included in the scope of the audit?
4. What physical locations will be included in the audit (i.e., other offices around the country, data centers or any other third party providers our organization uses for services)?
5. How will our auditors conduct actual testing and what practices do they employ (audit sampling, what frameworks are utilized for the audit, what input, if any, will the auditors have in helping to develop our control objectives for the audit)?
If you want to receive a sample SAS 70 audit or learn more about the auditing standard, visit the Official SAS 70 Resource Guide.
Listed below are the PCI Merchant Levels for VISA. You can also find additional information on PCI Merchant Transaction Levels for Mastercard, American Express, Discover Card and JCB via pciassessment.org.
Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, AND any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
These levels have been clearly defined by VISA, so in short, calculate or approximate your transactions to see which level your organization falls into. To learn more about PCI Merchant Levels for the other major payment brands (MasterCard, American Express, Discover Card, and JCB), visit pciassessment.org.
SAS 70 control objectives are essentially the statements and assertions that your organization is adhering to for purposes of a SAS 70 audit. In simpler terms, they are the cornerstone of the audit that help frame the overall auditing process that is undertaken. Thus, whatever your control objective states, your organization should be able to prove that very assertion.
A number of best of breed, predefined control objectives are currently utilized by CPA firms who conduct SAS 70 audits. Sure, they may differ in how they are actually stated, but in reality, they "should" be similar in application.
Most SAS 70 control objectives are developed in a collaborative manner between the CPA firm conducting the audit and the service organization (your company) that is undergoing an actual SAS 70 Type I or Type II audit. However, technically speaking, the auditing standard calls for the service organization to develop them, but this can sometimes pose a problem as many companies are unsure where to start or what even a SAS 70 control objective really is. Add to the fact that if your organization has a requirement to test specific "controls", then you will have to develop customized control objectives that are applicable to these very requirements.
As a SAS 70 auditor, I'm often asked about SAS 70 controls, that is, what are they, how do you develop them, are there industry benchmarks and best of breed controls currently in use, etc.? All good questions, no doubt. However, with that said, there are a number of key themes you need to be aware of regarding SAS 70 controls, and they are:
The number of control objectives used for a SAS 70 audit is highly dependent on a number of parameters, primarily the scope of the audit, the planning and overall audit process of the particular CPA firm conducting it, along with the service organization's ability to establish control objectives which they feel are an acceptable and fair representation of their organization. Though it is the responsibility of the service organization to formally establish the control objectives, service auditors, user auditors and user organizations can all play a role in helping to facilitate the development of control objectives. In reality, it is looked upon as a collaborative effort.
Listed below are sample control objectives that could possibly be used for a company, such as a Third Party Administrator (TPA), undergoing a SAS 70 Type I or SAS 70 Type II audit:
Controls provide reasonable assurance that new systems and applications being developed for self-funded claims administration are authorized, tested, approved, properly implemented, and documented.
Controls provide reasonable assurance that changes to existing systems and applications are authorized, tested, approved, properly implemented, and documented.
Controls provide reasonable assurance that logical access to company-wide systems is restricted to authorized individuals only.
To learn more about SAS 70 controls, visit the official SAS 70 Resource Guide for Type I and Type II audits.
PCI DSS Compliance is fast becoming a mandate and requirement for almost any conceivable entity involved in the processing or transmission of cardholder data. And remember folks, this includes all payment brand types of cards (i.e., debit, credit, gift). If it's got the little payment brand logo on it, then rest assured, your organization may need to be PCI DSS compliant. As a PCI QSA, the biggest criticism I hear about PCI DSS compliance is the who, what, where, when, and why. Many organizations still fail to understand the dynamics of PCI compliance and what they really need to do. And to be fair, the industry is young and will still need time to create a certain amount of clarity and transparency for the industry.
If you want to learn more about PCI DSS compliance, then visit pciassessment.org to learn about specific requirements for merchants and service providers for PCI DSS compliance.