Secured integration to the future


Compliance audit

IT Specialist is an accredited company with QSA (Qualified Security Assessor), QPA (Qualified PIN Assessor), 3DS Assessor and ASV (Approved Scanning Vendor) status. We provide audit services for compliance with PCI DSS, PCI PIN Security, PCI 3DS and the SWIFT CSP, and support clients in obtaining a certificate of compliance.

Our team of information security experts has more than 10 years of experience in compliance.

Our compliance services

What is PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for securing payment cardholder data that is stored, processed or transmitted in an organization's information systems. The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was established by the international payment systems Visa, MasterCard, American Express, JCB and Discover.

Who needs PCI DSS audit

PCI DSS applies to all organizations involved in payment card processing, including merchants, processors, acquirers, issuers and service providers. It also applies to any other organization that stores, processes or transmits Cardholder Data (CHD) and/or Sensitive Authentication Data (SAD).

How often PCI DSS certification must be renewed

PCI DSS certification must be renewed annually.

Results of PCI DSS compliance certification

    Reports on the results of external ASV and internal network scans (after each scan)

    Reports on the results of internal and external penetration testing

    Reports on WiFi scan results

    A finalized package of normative documentation in the field of IT security

    Completed and validated Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AoC)

    Certificate of compliance with the requirements of PCI DSS standard

Stages of service

  • 1

    Preparation for certification audit


    1. Preliminary audit
    2. External network vulnerability scanning (ASV)
    3. Internal scanning of network vulnerabilities
    4. Assessment of the client's network security by performing external and internal penetration testing
    5. Search for unauthorized Wi-Fi access points
    6. Penetration testing of network segmentation controls

  • 2

    PCI DSS certification audit


    1. Collection and analysis of organizational and regulatory documentation and of information on the system components of the client's Cardholder Data Environment (CDE)
    2. Analysis of the processes related to the protection and maintenance of system components in the CDE
    3. Compliance audit of the client's CDE system components against the requirements of the PCI DSS standard:
    ● Interviewing the client's staff (and third parties if necessary) in accordance with the audit procedure developed by the PCI SSC and adapted by the QSA consultant
    ● Analysis of the settings and configurations of the client's CDE system components
    ● Development of the evidence base for the compliance of the client's CDE system components with PCI DSS requirements
    4. Analysis of the reports on the assessment of the external and internal perimeter security of the client's CDE network
    5. Development of the reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ), together with the Attestation of Compliance (AoC)
    6. Sending the AoC by the consultant to the VISA international payment system to confirm the successful completion of the PCI DSS audit

What is PCI PIN Security

The PCI PIN Security Standard is a document of additional VISA requirements that defines the technical and procedural controls for the secure management, processing and transmission of cardholder PIN data during the processing of online and offline card payment transactions at ATMs and POS terminals.

Who needs to be audited by PCI PIN Security

The PCI PIN Security standard applies to all organizations and acquiring agents (for example, organizations that perform key-loading operations and certificate processors) that are responsible for processing PIN transactions.

How often PCI PIN Security certification must be renewed

PCI PIN Security certification must be renewed every two years.

Results of PCI PIN Security compliance certification

    A finalized package of normative documentation in the field of IT security
    Completed and validated Report on Compliance (RoC) and Attestation of Compliance (AoC)
    Certificate of compliance with the requirements of the PCI PIN Security standard

Stages of service

  • 1

    Preparation


    Preparation for the certification audit consists of a preliminary audit.

  • 2

    Certification


    1. Collection and analysis of organizational and regulatory documentation
    2. Analysis of the processes related to the PIN life cycle and key management
    3. Audit of the compliance of the client's system components with the requirements of the PCI PIN Security standard:
    ● Interviewing the client's employees (and third parties if necessary) in accordance with the audit procedure
    ● Analysis of the settings and configurations of the client's PCI PIN Security system components
    ● Formation of the evidence base for the client's compliance with the requirements of the PCI PIN Security standard
    4. Development of the reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC), together with the Attestation of Compliance (AoC)
    5. Sending the AoC by the consultant to the VISA international payment system to confirm the client's successful completion of the PIN Security audit
    6. Issuance of a certificate of compliance with the PCI PIN Security standard (in case of full compliance with PCI PIN Security requirements)

What is PCI 3DS

The PCI 3DS security standard defines the physical and logical security requirements for the protection of environments where ACS, DS and/or 3DSS functions are performed.

Who needs to be audited by PCI 3DS Security

The PCI 3DS security standard applies to environments where ACS, DS and/or 3DSS functions are performed. These may be either issuers or service providers that offer ACS, DS and/or 3DSS services.

How often PCI 3DS certification must be renewed

PCI 3DS certification must be renewed annually.

Results of PCI 3DS compliance certification

    Reports on the results of external ASV and internal network scans (after each scan), if the 3DS environment was not included in the PCI DSS audit scope
    Reports on the results of internal and external penetration testing, if the 3DS environment was not included in the PCI DSS audit scope
    A finalized package of normative documentation in the field of IT security
    Completed and validated Report on Compliance (RoC) and Attestation of Compliance (AoC)
    Certificate of compliance with the requirements of the PCI 3DS Security standard

Stages of service

  • 1

    Preparation


    1. Preliminary audit
    2. External network vulnerability scanning (ASV)
    3. Internal scanning of network vulnerabilities
    4. Assessment of the client's network security by performing external and internal penetration testing

  • 2

    Certification


    1. Collection and analysis of organizational and regulatory documentation and of information on the 3DS system components of the client's environment
    2. Analysis of the processes related to the protection and maintenance of system components in the 3DS environment
    3. Audit of the compliance of the 3DS system components of the client's environment with the requirements of the PCI 3DS standard:
    ● Interviewing the client's staff (and third parties if necessary) in accordance with the audit procedure developed by the PCI SSC and adapted by the PCI 3DS Assessor consultant
    ● Analysis of the settings and configurations of the 3DS system components
    ● Formation of the evidence base for the compliance of the 3DS system components of the client's environment with the requirements of the PCI 3DS standard
    4. Analysis of the reports on the assessment of the external and internal perimeter security of the client's 3DS network
    5. Development of the reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC), together with the Attestation of Compliance (AoC)
    6. Sending the AoC by the consultant to the VISA international payment system to confirm the successful completion of the PCI 3DS audit

What is SWIFT

The SWIFT Customer Security Programme (CSP) is designed to work with SWIFT and its users to raise the overall security of the financial ecosystem. The CSP defines a set of common security controls, the SWIFT Customer Security Controls Framework (CSCF), which helps customers protect their local environments and thereby create a more secure financial ecosystem. The CSCF includes both mandatory and recommended (advisory) controls for SWIFT users.

Who needs to undergo an external independent SWIFT assessment

From 2021, all users of the SWIFT community must undergo an external independent assessment. The type of SWIFT connection architecture determines which of the controls specified in the SWIFT CSP apply to the organization.

How often an external independent SWIFT assessment is required

An external independent assessment against the SWIFT CSP should take place every two years, or every year after significant changes to the SWIFT IT architecture.

Results of SWIFT compliance assessment

    Report on non-compliance with the requirements specified in the Customer Security Controls Framework, with recommendations for their remediation
    SWIFT report on compliance with the requirements specified in the Customer Security Controls Framework

Stages of service

  • External independent SWIFT assessment and consulting support


    1. Analysis, systematization and refinement of the initial data on the components of the SWIFT hardware and software complex
    2. Definition and approval of the audit scope
    3. Identification of all third parties involved in the protection of, or affecting the security of, the SWIFT hardware and software complex
    4. Analysis of the existing regulatory and administrative information security documentation (policies, regulations and instructions) against the requirements of the Customer Security Controls Framework, and consulting support in creating the missing documents
    5. Interviewing the company's staff (and third parties if necessary) in accordance with the audit procedure
    6. Analysis of the settings of the SWIFT hardware and software complex, and of the composition and characteristics of the hardware and software used for information transmission and protection
    7. Oral and written consultations by phone and e-mail
    8. Formation of the evidence base for the compliance of the SWIFT system components with the requirements specified in the Customer Security Controls Framework

What is ISO/IEC 27001:2013

ISO/IEC 27001 is a standard developed by the International Organization for Standardization (ISO) that specifies how to manage information security in a company.

Who needs to be audited for ISO/IEC 27001:2013

Certification to ISO/IEC 27001:2013 is voluntary. However, if a company wants to demonstrate its commitment to information security to its customers and partners, an ISO/IEC 27001:2013 certificate is proof that information security in the company is organized at a high level and is continuously improved.

How often you need to be audited for ISO/IEC 27001:2013

An external certification audit, followed by a surveillance audit every year after the external audit.

Results of certification for compliance with the requirements of ISO/IEC 27001:2013

    A document describing the client's information assets and business processes
    A report on the audit of the current state of the ISMS, with proposals for eliminating the identified non-compliances with the requirements of the standard
    A selected and approved information risk management method, and a report on the risk assessment
    An assessment of the security of the client's business processes and information systems
    An approved risk treatment plan
    An approved package of internal regulatory documentation supporting the ISMS
    An approved package of project plans for implementing the ISMS on the basis of the existing information systems and business processes
    The planned ISMS projects and all necessary controls implemented
    A report on the results of the analysis of the ISMS implementation
    A report on the results of the ISMS internal audit
    A management review of the ISMS
    A Statement of Applicability
    A certificate of conformity of the ISMS to the ISO/IEC 27001:2013 standard

Stages of service

  • 1

    Preparation for audit


    1. Definition and approval of the audit scope
    2. Audit of the current state of the ISMS:
    ● Analysis of the company's existing regulatory and administrative information security documentation (policies, regulations and instructions) against the requirements of ISO/IEC 27001:2013
    ● Interviewing the company's employees (and third parties if necessary) in accordance with the audit procedure
    ● Analysis of the settings, composition and characteristics of the hardware and software used for information transfer and protection
    3. Analysis of information risks
    4. Development of ISMS regulatory documentation

  • 2

    Consulting support for the implementation of ISMS

    1. Development of a package of internal regulations supporting the ISMS
    2. Development of project plans for implementing the ISMS on the basis of the existing information systems and business processes
    3. Consulting support during the implementation of the planned ISMS projects
    4. Development of a report on the results of the analysis of the ISMS implementation

  • 3

    Certification audit ISO/IEC 27001:2013


    1. Conducting an internal audit of the ISMS:
    ● Development of the ISMS internal audit methodology
    ● Development of the ISMS internal audit plan
    ● Creation of the report on the results of the ISMS internal audit
    ● Management review of the ISMS
    ● Development of the Statement of Applicability
    2. Selection of a certification body
    3. Consulting support throughout the ISMS certification procedure

What is NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is a framework standard of the US National Institute of Standards and Technology (NIST). It provides an approach to understanding, assessing, planning and implementing cybersecurity functions for enterprises that are part of critical infrastructure.

Who needs to be audited for compliance with the NIST CSF

Implementation of the NIST CSF is voluntary. However, if a company wants to demonstrate its commitment to information security or improve the actual state of its cybersecurity, a compliance audit helps it to clearly understand, plan and prioritize the steps needed to reach a reliable level of cyber protection. This standard is also the basis for assessing the state of cybersecurity in projects implemented within the framework of USAID projects in Ukraine.

Results of the project on audit, diagnostics of the cybersecurity system for compliance with the requirements of NIST CSF

    A report on the current state of cybersecurity, with an assessment of the degree of implementation of each control of the standard
    The target state of cybersecurity, documented as a target cyber protection profile
    Recommendations for achieving the target state of cybersecurity
    A 1- to 3-year roadmap of cybersecurity projects aimed at achieving the target level

Stages of service

  • 1

    Diagnostic audit and assessment of the current state of cybersecurity for each NIST CSF control


  • 2

    Determination and justification of the target level of cyber security


  • 3

    Development and discussion of recommendations for improving cybersecurity


  • 4

    Development of a roadmap of projects to achieve the target level of cybersecurity


Additional benefits

  • For CEO/CFO

    ● Reduced risk of loss and/or leakage of confidential information, and transparent processes for securing business information
    ● Easier access to foreign markets, IPOs and M&A
    ● Increased trust when working with foreign contractors

  • For CIO/CSO/CISO

    ● An improved overall level of information security in the company
    ● Mature information security management processes
    ● Processes that are controlled and managed
    ● Fast response to most types of threats, both old and new

  • For company employees

    Clear and understandable procedures for acting in the various situations that raise information security issues

Why choose us?

Assistance in meeting regulatory requirements

Short certification timeframes

Free consultation on any questions concerning SWIFT, PCI DSS, PCI PIN Security, PCI 3DS, ISO 27001, NIST CSF

We will help you to communicate with your banks or payment gateways on SWIFT, PCI DSS, PCI PIN Security, PCI 3DS, ISO 27001, NIST CSF

Qualified information security specialists holding the following certificates: QSA, ASV, QPA, 3DS Assessor, CISSP, CISA, ISO 27001, OSCP, CEH, NIST CSF

English and Ukrainian speaking auditors and consultants

Extensive international experience

Our competencies