One interesting publication from Visa Europe is the Member Agent List. The companies listed in this document provide services to Visa Europe Members and have successfully completed an assessment against the Payment Card Industry Data Security Standard (PCI DSS). The document is a large table of hundreds of organisations (Member Agents) that have been validated by a QSA. One column gives the validation date, which is when the Member Agent was last validated; another gives the name of the QSA that validated each organisation.

It takes only a minute to re-organise the data in this document by QSA, and doing so shows that Advantio assessed many Member Agents during the last year. Read in this way, the Visa Europe publication shows that, as of March 2017, Advantio was the second most active QSA in Europe.

Staying compliant is a continuous task!

If your organisation is listed in this publication (or if it does not appear there but has recently been validated by a QSA), you can be proud of yourself, well done! It shows your customers that you care about data protection and that you want to prevent their payment data from being accessed by malicious actors.

Each Member Agent is an organisation that falls into one of the PCI DSS levels and has successfully completed a PCI DSS assessment following the requirements that apply to its level. To do so, these organisations rely on the report produced by one of the Qualified Security Assessors (QSAs) listed on the Payment Card Industry Security Standards Council (PCI SSC) website.

But being PCI DSS compliant does not mean that your PCI DSS work is done: an assessment is valid for one year only, and the validation date determines the next deadline, exactly one year later.
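The re-organisation of the Member Agent table by QSA described above, together with the one-year deadline that follows from each validation date, can be done with a short script. The following is an added example and is not part of the original post or of the Visa publication: the rows are constructed sample data in the shape of the published table (Member Agent, QSA, validation date), the QSA and agent names are placeholders, and the reference date used for the deadline check is assumed.

```python
"""Rank QSAs by number of validations and flag assessments that are
past their one-year deadline, for a Member Agent style table.

Added example.  The rows below are constructed sample data in the
shape of the Visa Europe Member Agent List; they are not real entries.
"""
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample: Member Agent, validating QSA, validation date (ISO).
SAMPLE_CSV = """member_agent,qsa,validation_date
Agent Alpha Ltd,QSA One,2016-05-10
Agent Beta GmbH,QSA Two,2016-11-02
Agent Gamma SA,QSA One,2017-01-15
Agent Delta BV,QSA Three,2015-12-20
Agent Epsilon Oy,QSA One,2017-02-28
Agent Zeta SpA,QSA Two,2016-03-01
"""

# A PCI DSS validation is valid for one year from the validation date.
VALIDITY = timedelta(days=365)


def load_rows(text):
    """Parse the CSV text into dicts, converting the date column to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["validation_date"] = date.fromisoformat(row["validation_date"].strip())
        rows.append(row)
    return rows


def rank_qsas(rows):
    """Return (qsa, count) pairs, most validations first, ties broken by name."""
    counts = Counter(r["qsa"] for r in rows)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def deadlines(rows, today):
    """For each Member Agent, derive the next validation deadline from the
    published validation date and say whether it has already passed as of
    `today` (the deadline day itself is still in date)."""
    out = []
    for r in rows:
        due = r["validation_date"] + VALIDITY
        out.append({
            "member_agent": r["member_agent"],
            "qsa": r["qsa"],
            "next_deadline": due,
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    return sorted(out, key=lambda d: d["next_deadline"])


def report(text, today_iso):
    """Convenience entry point: (QSA ranking, per-agent deadlines) for a
    table given as CSV text and a reference date given as an ISO string."""
    rows = load_rows(text)
    return rank_qsas(rows), deadlines(rows, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Reference date is assumed, to match the March 2017 reading in the text.
    ranking, due_list = report(SAMPLE_CSV, "2017-03-01")
    for qsa, n in ranking:
        print(f"{qsa}: {n} Member Agents validated")
    for d in due_list:
        flag = "OVERDUE" if d["overdue"] else f"{d['days_left']} days left"
        print(f"{d['member_agent']:18} {d['next_deadline']}  {flag}")
```

Run it as-is and it prints the QSA ranking followed by every Member Agent ordered by its next deadline, marking those whose year has already elapsed. Swap `SAMPLE_CSV` for an export of the real table to get the same view of the published data.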

But, is that enough?

As we can read in the VISA Europe publication:

"A PCI DSS assessment only represents a ‘snapshot’ of the security in place at the time of the review, and does not guarantee that those security controls remain in place after the review is complete."

And another important clarification:

"These reviews do not cover proprietary software solutions that may be used or sold by these service providers."

In short, the danger is constantly out there. New vulnerabilities are discovered and new attacks are carried out all the time. Attackers never stop, and compliance must not end with a QSA's validation, which covers only one year.

PCI DSS Compliance is a way of thinking, a continuous effort to keep each organisation protected.

Why should you find a QSA to support your organisation?

First of all, because only a Qualified Security Assessor can validate an organisation's compliance.

Let's read directly from the PCI Council website:

"Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company and have satisfied and continue to satisfy all QSA Requirements."

The list of QSAs is kept up to date by the PCI Council, and details for each QSA, including a contact person and the languages spoken by the team, are available on its website.

With the rise of payment card usage and the continuous improvement of the security standard, it is crucial for any entity to keep its customers' data protected and get support.

A trusted team of QSAs will not only assess your organisation and let you prove your compliance at a particular moment in time; it will also help you stay up to date with news and changes in the industry, explaining to your team the growing risks in the payment landscape.

Visa itself is adapting to a changing environment. Take the latest Visa Europe Mandate, for instance: it introduces important new rules that take effect on 1 May 2016.

Written by Igor Mancini

Marketing Director at Advantio. The articles published on the Advantio Blog support our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking in simple language and trying to show readers the benefit of IT Security best practices.