IT Specialist is an accredited company holding QSA (Qualified Security Assessor), QPA (Qualified PIN Assessor), PCI 3DS Assessor and ASV (Approved Scanning Vendor) status. We provide audit services for compliance with PCI DSS, PCI PIN Security, PCI 3DS and SWIFT CSP, through to obtaining a certificate of compliance.
Our team of information security experts has more than 10 years of experience in compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for protecting payment cardholder data that is stored, transmitted and processed in an organization's information systems. The standard is developed by the Payment Card Industry Security Standards Council (PCI SSC), founded by the international payment systems Visa, MasterCard, American Express, JCB and Discover.
PCI DSS applies to all organizations involved in the processing of payment cards, including merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other organizations that store, process or transmit Cardholder Data (CHD) and/or Sensitive Authentication Data (SAD).
PCI DSS certification must be updated annually.
1. Preliminary audit
2. External network vulnerability scanning (ASV)
3. Internal scanning of network vulnerabilities
4. Assessment of client's network security by performing external and internal testing
5. Search for unauthorized Wi-Fi access points
6. Penetration testing of network segmentation control tools
1. Collection and analysis of organizational and regulatory documentation and of information on the system components of the client's Cardholder Data Environment (CDE)
2. Analysis of processes related to the protection and maintenance of system components in the CDE
3. Compliance audit of the client's CDE system components against the requirements of the PCI DSS standard:
● Interviewing the client's staff (and third parties if necessary) in accordance with the audit procedure developed by the PCI SSC and adapted by the QSA consultant
● Analysis of the settings and configurations of the client's CDE system components
● Building the evidence base for the compliance of the client's CDE system components with the PCI DSS requirements
4. Analysis of reports on the assessment of the external and internal perimeter security of the client's CDE network
5. Development of reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ), together with the Attestation of Compliance (AoC)
6. Submission of the AoC by the consultant to the VISA international payment system to confirm the successful completion of the PCI DSS audit
The PCI PIN Security Standard is a document of additional VISA requirements that defines the technical and procedural controls for the secure management, processing and transmission of cardholder PIN data during online and offline payment card transactions at ATMs and POS terminals.
The PCI PIN Security standard applies to all organizations and acquiring agents (for example, organizations that perform key injection operations, and certificate processors) that are responsible for processing PIN transactions.
PCI PIN Security certification must be renewed every two years.
Preparation for the certification audit includes a preliminary audit.
1. Collection and analysis of organizational and regulatory documentation
2. Analysis of processes related to the life cycle of PIN codes and key management processes
3. Compliance audit of the client's system components against the requirements of the PCI PIN Security standard:
● Interviewing the client's employees (and third parties if necessary) in accordance with the audit procedure
● Analysis of the settings and configurations of the client's PCI PIN Security system components
● Building the evidence base for the client's compliance with the requirements of the PCI PIN Security standard
4. Development of reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC), together with the Attestation of Compliance (AoC)
5. Submission of the AoC by the consultant to the VISA international payment system to confirm the client's successful completion of the PIN Security audit
6. Issuance of a certificate of compliance with the PCI PIN Security standard (in case of full compliance with the PCI PIN Security requirements)
The PCI 3DS security standard defines the physical and logical security requirements for protecting environments where ACS (Access Control Server), DS (Directory Server) and/or 3DSS (3DS Server) functions are performed.
The PCI 3DS security standard applies to environments where ACS, DS, and/or 3DSS functions are performed. These can be both issuers and service providers that offer ACS, DS and/or 3DSS services.
PCI 3DS certification must be updated annually.
1. Preliminary audit
2. External Network Vulnerability Scan (ASV)
3. Internal scanning of network vulnerabilities
4. Assessment of the client's network security by performing external and internal testing
1. Collection and analysis of organizational and regulatory documentation, information about 3DS system components of the client environment
2. Analysis of processes related to the protection and maintenance of system components in the 3DS environment
3. Compliance audit of the 3DS system components of the client's environment against the requirements of the PCI 3DS standard:
● Interviewing the client's staff (and third parties if necessary) in accordance with the audit procedure developed by the PCI SSC and adapted by the PCI 3DS Assessor consultant
● Analysis of the settings and configurations of the 3DS system components
● Building the evidence base for the compliance of the 3DS system components of the client's environment with the requirements of the PCI 3DS standard
4. Analysis of reports on the assessment of the external and internal perimeter security of the client's 3DS network
5. Development of reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC), together with the Attestation of Compliance (AoC)
6. Submission of the AoC by the consultant to the VISA international payment system to confirm the successful completion of the PCI 3DS audit
The SWIFT Customer Security Programme (CSP) is designed to work with SWIFT and its users to raise the overall security of the financial ecosystem. The CSP defines a set of common security controls called the SWIFT Customer Security Controls Framework (CSCF), which helps customers protect their local environments and build a more secure financial ecosystem. The CSCF includes mandatory and advisory (recommended) controls for SWIFT users.
From 2021, all users of the SWIFT community must undergo an external independent assessment. The type of the organization's SWIFT connection architecture determines which of the controls specified in the SWIFT CSP apply to it.
An external independent assessment against the SWIFT CSP must take place every two years, or annually after significant changes to the SWIFT IT architecture.
1. Analysis, systematization and refinement of initial data on the components of the SWIFT hardware and software complex
2. Definition and approval of the audit scope
3. Identification of all third parties involved in protecting, or affecting the security of, the SWIFT hardware and software complex
4. Analysis of the compliance of the existing regulatory and administrative documentation on information security (policies, regulations and instructions) required by the Customer Security Controls Framework, and consulting support in creating any missing documents
5. Interviewing the company's staff (and third parties if necessary) in accordance with the audit procedure
6. Analysis of the settings of the SWIFT hardware and software complex, and of the composition and characteristics of the hardware and software used for information transmission and information protection
7. Oral and written consultations by phone and e-mail
8. Building the evidence base for the compliance of the SWIFT system components with the requirements specified in the Customer Security Controls Framework
ISO/IEC 27001 is a standard developed by the International Organization for Standardization (ISO) that specifies how to manage information security in a company.
Certification to ISO/IEC 27001:2013 is voluntary. However, if a company wants to demonstrate its commitment to information security to its customers and partners, the ISO/IEC 27001:2013 certificate is proof that information security in the company is organized at a high level and is continually improving.
Annual external audit, with a surveillance audit every year after the external audit.
1. Definition and approval of the audit scope
2. Audit of the current state of the ISMS:
● Analysis of the compliance of the company's existing regulatory and administrative documentation on information security (policies, regulations and instructions) with the requirements of ISO/IEC 27001:2013
● Interviewing the company's employees (and third parties if necessary) in accordance with the audit procedure
● Analysis of the settings, composition and characteristics of the hardware and software used for information transfer and information protection
3. Information risk analysis
4. Development of ISMS regulatory documentation
1. Development of a package of internal regulations to support ISMS
2. Development of a package of project plans for implementing the ISMS on the basis of the existing information systems and business processes
3. Consulting support in the implementation of planned ISMS projects
4. Development of a report on the results of ISMS implementation analysis
1. Conducting an internal audit of ISMS
● Development of ISMS Internal Audit Methodology
● Development of the ISMS Internal Audit Plan
● Creation of the Report on the results of the ISMS internal audit
● Management review of the ISMS
● Development of the Statement of Applicability
2. Choice of certification body
3. Consulting support of the ISMS certification procedure
The NIST Cybersecurity Framework (CSF) is a framework standard of the US National Institute of Standards and Technology (NIST). It sets out an approach to understanding, assessing, planning and implementing cybersecurity functions for enterprises that form part of critical infrastructure.
Implementation of the NIST CSF is voluntary. However, if a company wants to demonstrate its commitment to information security or improve its actual cybersecurity posture, a compliance audit will help it clearly understand, plan and prioritize the steps needed to reach a reliable level of cyber protection. This standard is the basis for assessing the state of cybersecurity in projects implemented within the framework of USAID projects in Ukraine.
● Reduced risk of loss and/or leakage of confidential information, and transparent processes for securing business information
● Easier access to foreign markets, IPO, M&A
● Greater trust when working with foreign contractors
● Improved overall level of information security in the company
● Established processes for managing the company's information security
● Processes that are controlled and managed
● Fast response to most types of threats, both old and new
Clear and understandable procedures for acting in various situations involving information security issues
Assistance in meeting regulatory requirements
Fast certification
Free consultation on any questions concerning SWIFT, PCI DSS, PCI PIN Security, PCI 3DS, ISO 27001, NIST CSF
We will help you to communicate with your banks or payment gateways on SWIFT, PCI DSS, PCI PIN Security, PCI 3DS, ISO 27001, NIST CSF
Qualified information security specialists holding the following certifications: QSA, ASV, QPA, 3DS Assessor, CISSP, CISA, ISO 27001, OSCP, CEH, NIST CSF
English and Ukrainian speaking auditors and consultants
Extensive international experience