Wednesday, August 29, 2007

PCI Compliance as a Service

I recently came back to work at one of my former stomping grounds to develop and implement a PCI Compliance as a Service offering, both to support our existing e-commerce customers and to assemble the components needed to offer it to new customers, focusing on Level 2, Level 3, and Level 4 organizations.

The offering is two phases:

PCI Readiness audit

Because I am not a QSA, I will come in and perform a 5 day audit of your existing systems and report the results back to you. Only you. From this activity will come a full tactical remediation plan that can be implemented in your data centers or mine (I have 16 around the world). In many cases this can be done in 30 days or less, before you incur another monthly fine.

Remediation

The Tactical Remediation Plan (TRP) outlines a project plan, based on current state and identified gaps, that gets implemented in one of two ways – on your premises or mine.

The execution on your premises is the same as what I have done in ours – which is to deploy a set of technologies to support a fully audited and proactively enforced process and environment. I have a relationship with QSAs who know what I can deliver and will certify the solution and the environment at the end of the deployment.

The components of the solution will require an investment in hardware, software, and services, ranging from knowledge transfer at the low end to full remote management, executive dashboards for real time reporting, and other complementary services you can choose based on your resource expertise and availability.

The second option is to spin up an environment in one of my SAS-70 Type II data centers and provision the technologies to cover the requirements of PCI that are not covered by the SAS-70 audits. I will give you the SAS-70 audit results to hand off to your auditors as part of the package, whether the systems are affected by PCI or not. Same technologies and processes, and I bring the networking, application, and compliance expertise to the table on an ongoing basis. There are also SLAs and additional services that I will bring to bear if the need is there. I will do as much or as little as you need.

This second option has been the most popular for two key reasons. The first is that it is paid for as an operating expense, so there is no capital expense investment and it stays off balance sheet. The second is that acquiring the expertise required to deliver a solution is cost prohibitive for most Level 3 and 4 organizations, so this is a financially viable option for leaner shops, letting them tap into a broad knowledge and resource base. It is a single monthly number for infrastructure, services, and auditing, including the on-site QSA certification in my data centers. Fixed costs.

A third reason people want to talk to me is that although they may be a Level 2, 3 or 4, they want to operate like a Level 1 to strengthen their relationships with customers, be proactive about mitigating risks, and avoid becoming a Level 1 as a result of a breach.

The costs vary based on how non-compliant you are and what your infrastructure looks like. If I can help, and save you money in fines or operations, I will spell out how much. If I can’t, I’ll let you know sooner rather than later so we can both pursue other avenues.

Send an email to pcistuff@gmail.com to learn more or to discuss your situation.


1 Comments:

Blogger Unknown said...

As the PCI Compliance deadline is coming soon on June 30th, we searched for the best solution in order to be ready for and meet the PCI 6.6 requirements.
There are 2 options:
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
1. Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
2. Installing an application layer firewall in front of web-facing applications.

We examined the dotDefender web application firewall and found it to be a very dynamic application for protecting our servers.
At the same time we realized that dotDefender meets the PCI 6.6 requirement.
The price is also an important factor compared to the maintenance needed by other solutions.

Dani.

2:08 AM  
