Qualified Security Assessors (QSA) and Payment Card Industry Data Security Standard (PCI DSS) Services

Will your customers become victims? Keep your customers’ credit card data safe and secure.

Current challenges and landscape

Let’s face it, the seedy, yet lucrative business of selling stolen credit card information isn’t going away. In fact, the number of credit card data breaches has actually been on the rise for the past several years. Criminals employ a variety of methods to steal cardholder data from merchants, service providers and consumers, including hacking into systems containing cardholder data, and attaching skimming devices to point-of-sale card readers. Any business can be affected by this scheme; the top cardholder data breaches of all time [1] include very well-known retail brands and chains:

  1. eBay – In 2014, 145 million customer accounts were compromised
  2. Heartland Payment Systems – In 2008 and 2009, this payment processor had more than 130 million credit card numbers stolen
  3. TJX – In 2007, 94 million accounts were compromised
  4. Home Depot – In 2014, 56 million credit card numbers were stolen from point-of-sale systems
  5. Target – In 2013, 40 million credit card numbers were stolen from its point-of-sale systems

In order to combat credit card fraud, the five major credit card brands – Visa, MasterCard, American Express, Discover and JCB – formed the Payment Card Industry Security Standards Council (PCI SSC), and from this, the Payment Card Industry Data Security Standard (PCI DSS) was developed. The PCI DSS is a set of security requirements that merchants and service providers who store, process or transmit credit card data must comply with, or risk incurring penalties.

The consequences of not protecting customer cardholder data can be severe, including (but not limited to):

  • Loss of productivity – in the aftermath of a data breach, organizations may experience a loss of productivity as they take systems offline, perform forensic investigations, or re-build systems. Additionally, service desks or call centres may be inundated with calls from concerned consumers.
  • Reputational damage – lower customer confidence in the merchant’s ability to keep their credit card data safe may prompt them to shop elsewhere.
  • Fines and damages – following a cardholder data breach, the card brands require that a forensic investigation be performed by a PCI Forensic Investigator (PFI), which can cost $30,000 to $50,000 USD for small businesses, and more for larger environments. If a forensic investigation reveals that the entity was not PCI compliant at the time of the breach, compromised merchants or service providers may have fines levied against them, especially if the cards were actually used for fraudulent purchases. These fines can range from $50 to $90 USD per compromised credit card. Merchants are usually also required to pay reparations to the cardholders and issuers, which could include the cost of issuing new credit cards, credit monitoring, and even damages from civil lawsuits.
  • Loss of credit card acceptance privileges – Acquirers may refuse to do further business with a breached merchant, for fear of another breach occurring. Additionally, transaction fees may be increased by the merchant’s acquirer in response to the higher perceived risk.
  • Increased cost of PCI compliance – Merchants who have experienced a cardholder data breach are usually required to subsequently undergo a more intensive onsite assessment by a Qualified Security Assessor (QSA), which is usually only required for the merchants within the highest tier of credit card transaction volumes. This type of assessment is more expensive and resource-intensive than the typical self-assessment.

How Richter can help

As a Qualified Security Assessor Company, Richter is authorized by the PCI SSC to perform PCI validation assessments and issue Reports on Compliance (ROCs). In addition to performing PCI assessments, our experienced QSAs and information security professionals are uniquely qualified to assist with PCI readiness activities prior to the PCI assessment.

Service catalog – In order to ensure you are successfully PCI compliant, our seasoned PCI and information security practitioners can assist your organization with every step, including:

  • PCI Assessment by QSA (Report on Compliance)
  • PCI Self-Assessment Questionnaire (SAQ) assistance
  • PCI Gap Analysis (a.k.a. “pre-audit”)
  • PCI program/governance services
  • PCI Remediation services
  • PCI compliance sustainment (a.k.a. “ongoing compliance”) assistance
  • PCI risk assessments
  • Security awareness training assistance
  • PCI-related policy development
  • Security architecture and design services
  • Vendor Lifecycle Management services
  • Merger & Acquisition Due Diligence services

At Richter, we not only focus on ensuring your compliance needs are met, but also evaluate your entire security strategy to ensure your processes are running optimally.

  • On-site presence – we focus on in-person interviews rather than conducting assessments over the phone
  • A holistic approach – our experienced team looks at your whole business, and how each area can affect another; we can pinpoint specific areas in need of optimization that may impact, or be impacted by, your security strategy
  • With you all the way, along the way – our team is there for you throughout your compliance journey, and can help with full system implementation (internal controls, fraud detection, etc.)
  • Seasoned, well-rounded practitioners – our security practitioners have years of experience and possess industry-accepted certifications such as CISSP, CISA, CISM, CRISC, SCF, among many more.

About Richter

Founded in 1926, Richter is one of the largest independent accounting and consulting firms in Canada, with 55 partners and over 500 employees. Richter serves clients from its offices in Toronto, Montreal, and Chicago and offers services in the areas of audit, tax, consulting, and wealth management.

Our Risk, Performance, and Technology Advisory Services group is composed of over 30 professionals in Montreal and Toronto that offer expertise in areas such as cybersecurity and information security, governance, internal control, IT and performance improvement advisory, fraud risk management, and finance.

Our multi-disciplinary, highly-skilled team offers skills and expertise that consistently exceed our clients’ expectations. Our professionals have both IT and business capabilities, which means that we have the capacity to:

  • Understand information systems and business processes
  • Identify critical business and IT risks using a risk-based approach
  • Make practical recommendations about controls and risk mitigation strategies
  • Provide insights with industry good practices in mind

[1] “The Top 5 Retail Breaches.” Security Intelligence, 7 October 2014.
