These services are the assessment of an organization's compliance with a recognized set of regulatory or industry criteria.  Often the compliance service includes the submittal of an independent report to the governing body. 

Compliance and Assessments

Compliance Services


We offer numerous compliance related services.  Note that assessments differ from evaluations in that assessment reports are submitted to an authorized organization and a copy is provided to the client, whereas evaluation reports are for the client's eyes only and are not submitted to any authorized organization.

For more information or to acquire our services please contact us.


The Accredited Standards Committee (ASC) X9 Technical Guideline #3 (TG-3), Retail Financial Services Compliance Guideline for Online PIN Security and Key Management, has been adopted by the Electronic Funds Transfer (EFT) networks Pulse™, STAR™ and NYCE™ since 1994 to protect the security of:

  • Personal Identification Numbers (PIN);
  • PIN Encryption Keys (KPE); and
  • Key Encryption Keys (KKE). 

TG-3 is based on the following American National Standards:

  • X9.8-2003, Banking - Personal Identification Number Management and Security - Part 1: PIN Protection Principles and Techniques for Online PIN Verification in ATM & POS Systems
  • X9.24-2004, Retail Financial Services Symmetric Key Management - Part 1: Using Symmetric Techniques
  • X9.24-2004, Retail Financial Services Symmetric Key Management - Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys

EFT Network Operating Rules mandate that Acquirers and Processors handling PIN-based transactions, and Merchants that own and/or operate ATM or POS terminals, be compliant with TG-3 and complete an assessment every two (2) years.

  • PULSE™ is wholly owned by Discover™ and mandates TG-3 compliance on even years
  • STAR™ is wholly owned by First Data™ and mandates TG-3 compliance on even years
  • NYCE™ is wholly owned by Metavante™ and mandates TG-3 compliance, some on even years while others are on odd years

Ralph Poore and Jeff Stapleton are Certified TG-3 Assessors (CTGA). Ralph and Jeff participated on the X9 working group that developed TG-3; Ralph chaired the X9 working group that realigned the TG-3 wording with language acceptable to the American Institute of Certified Public Accountants (AICPA); Ralph was instrumental in facilitating the adoption of TG-3 by the EFT networks; and Ralph has been performing TG-3 assessments since 1994.

The PCI Security Standards Council (SSC) was founded by the credit card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International in 2006 to maintain and evolve the PCI Data Security Standard (DSS).  The council is composed of over 400 additional participating organizations and is responsible for several certification programs including the Qualified Security Assessor (QSA).  QSAs perform annual assessments of merchants who must comply with the PCI DSS according to each brand's compliance program.  The PCI DSS is organized into 6 domain areas with 12 broad requirements as follows:

Build and Maintain a Secure Network

  • Requirement 1: Firewall Configuration
  • Requirement 2: Vendor Defaults

Protect Cardholder Data

  • Requirement 3: Data at Rest
  • Requirement 4: Data in Transit

Maintain a Vulnerability Management Program

  • Requirement 5: Anti-Virus
  • Requirement 6: Software Assurance

Implement Strong Access Control Measures

  • Requirement 7: Access Control
  • Requirement 8: Identify All Unique Users
  • Requirement 9: Physical Security

Regularly Monitor and Test Networks

  • Requirement 10: Monitor Access
  • Requirement 11: Test Controls

Information Security Policy

  • Requirement 12: Information Security Policy

There are over 250 test procedures within the PCI requirements listed above that a QSA must assess with the merchant to determine PCI compliance.

Ralph Poore and Jeff Stapleton are both QSAs; Jeff and Ralph are officers of the Information Assurance Consortium, which is a participant of the PCI SSC; and both have performed PCI assessments since 2006.

Sections 315 and 114(B) of the Fair and Accurate Credit Transactions Act (FACTA) of 2003 specify that any organization, including non-lenders (e.g., brokers and auto dealers), that uses consumer credit data is required to comply with Red Flag regulations by Nov. 1, 2008. To satisfy Red Flag requirements an organization's program must demonstrate:

  • reasonable policies and procedures for detecting, preventing and mitigating identity theft;
  • the ability to identify relevant patterns of activity considered red flags, including address discrepancies; and
  • periodic updates to reflect changes in risks from identity theft.

This means an organization must have appropriate documentation and auditable processes.

Ralph Poore is a Certified Fraud Examiner (CFE); Ralph has performed related assessments since 2001 and Red Flag assessments since 2007.