Frequently asked questions

Verify our accreditation

PCI Consulting Australia

Why should you choose us over other QSAs?

We are the experts within the Australasian market with extensive experience. Unlike many other QSAs, we are also specialists in the field rather than attempting to offer a whole range of services. We are not your one stop shop for everything security related; we are the go-to company for PCI DSS assessment and advisory services, and penetration testing.

What does being a Qualified Security Assessor (QSA) mean?

To get there takes a lot of hard work! All of our assessors require at least 3 separate certifications and a wealth of experience. It’s not an easy task to become a QSA and there’s a reason why there’s only a select few of us. As a firm, we require stringent processes on auditing, data protection and retention, quality assurance, code of conduct, and background checking. And we require significant levels of insurance coverage.

How do you maintain independence?

We keep our offerings to a minimum, instead focusing on being the best at what we do. Our QSA team focuses on the advisory and assessment services, and any other services are managed by the testing team where the QSA can only assist to confirm scope. The QSA does not influence any testing results.

How much does it cost to utilise PCI Consulting Australia?

This depends on the complexity of the task. But we believe in efficiency and fair value for fair service. We’re happy to be open on rough costs in initial discussions as we understand the cost factor is very important and if we’re miles apart then we shouldn’t waste each other’s time!

PCI compliance

Does it make a difference to only achieve PCI Compliance in one country?

The PCI DSS is a global standard. If your core business is certified compliant, you can take this certification globally. It’s only if the PCI DSS scope changes in line with any expansion efforts that you need to consider further assessments. An example is opening an office in another country that takes card payments.

How long does compliance last?

You need to re-certify annually. After your initial compliance, there are a number of controls you need to maintain annually to demonstrate. Any drop-off of these controls can cost your compliance renewal.

How long does it take to be PCI compliant?

Achieving compliance is a journey. Unless your scope fits SAQ-A, the reality is it’s going to take significant effort, resources, and a reasonable budget. For some entities, compliance takes years to achieve. But knowing you’ve taken all reasonable steps to secure your environment in the age of breaches and data theft will be worth the effort.

PCI obligations for your business

I haven’t heard anything from my bank. Should I still undertake the program?

If card data is stolen from your environment, you’re still likely to suffer reputational damage. We suggest you do your research into PCI DSS; assess the likely benefits v costs; and make a balanced business decision.

I’m a Level 3 or 4 merchant. Should I use a QSA?

We believe the best method is to utilise a QSA for your first-time compliance so your framework is established correctly. For subsequent years you have more flexibility to self-assess provided you are confident you can maintain ongoing controls internally without external guidance.

But we don’t store, nor ever see card data. Why would we need to be PCI compliant?

The key test here is remembering if you can impact the security of card data. Examples include: 1) Your web server handles the redirect to the payment gateway. If it gets compromised, an attacker could create a mirror site to a gateway looking payment page. 2) You manage an entity’s firewall. If you mismanage this configuration an attacker may enter the network. 3) You develop a payment page that is pushed to the customer’s browser and data transmitted to the gateway. In this scenario, you have numerous PCI obligations as the security of the payment page and underlying infrastructure is your responsibility.

Our payment gateway is compliant. Does this make us PCI DSS compliant?

No. Any serious payment gateway is always PCI compliant. The method of integration with the payment gateway is the defining factor in determining scope. Even if all payment data is entered directly into the gateway’s payment page you will still have a handful of PCI obligations.

We are a small service provider but all payments are outsourced in line with SAQ-A validation. Can we complete this questionnaire?

No. Merchants have multiple SAQ templates to choose from. Service providers must complete SAQ-D. It should be understood there is a difference between scope and template. Just because you have to fill in the SAQ-D template does not automatically mean all those requirements are in scope. There may be a significant number of ‘N/A’ answers completed.

We are both a merchant and a service provider. What does that mean?

You should be completing Attestations of Compliance for both. Being a service provider means there are a few additional requirements to consider which are deemed out of scope for merchants.

I’m looking at first time compliance, done it all myself and think I’m ready. Can we just go straight to a final assessment?

In our experience, this rarely works. The scope may be wrong or critical BAU tasks not being performed. If you have been on the journey for a while, we often suggest a readiness assessment rather than the full gap assessment. Less time and commitment and we believe a balanced solution rather than jumping into an assessment likely to end in failure.

Our bank/insurer/customer needs us to be compliant now. Can we just get it done?

We would stress a key point here: stakeholder management. Any third party asking you to be PCI compliant also recognises it doesn’t happen overnight. Often committing to the process, planning the journey, and presenting the plan itself can be enough in the short term, provided there’s a realistic commitment and timeframe for the end goal. Don’t panic when a request comes in. Do your research, make a plan and most importantly stay in communication.

Testing Services

Do you only perform PCI DSS testing?

No. Whilst the majority of our testing is PCI DSS related, we perform many non-PCI related tests, particularly application testing.

What accreditations do you hold?

Our team holds a range of accreditations including Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), Advanced Web Application Security Certification (OSWE), Advanced Penetration Testing (OSEP) and eLearnSecurity Web application Penetration Tester eXtreme (eWPTXv2) as well as several CVE credits assigned to our names.

Does the testing cause performance issues?

Our testing is designed to be low impact with approximately a 0.01% risk of issues occurring. However, testing can be coordinate after hours on an exception basis should this be a concern.

What level of access do you need to perform testing?

It depends on the scope of the test. We can conduct a full blackbox test where we only require the name of your organisation, or a whitebox test where we obtain logins to the web apps and your internal network. We will only request the least privilege to be able to perform the testing.

What about internal network testing?

In most cases, we request the creation of a VPN profile or we will share an SSH key, and then we ask for a jumpbox to be placed inside the network. If that is not possible, we can perform testing on-site depending on the environment.

PCI Payment Page Protection

Can you provide more information on the solution?

We have a paper available to download here which will hopefully answer most of your questions.