Level 2 Merchants Watch Out: You May Be Next on the List to Receive a Letter from Your Acquiring Bank

  • Team Omega
  • December 9, 2013

The acronym ‘QSA’ and the term ‘audit’ evoke images associated with fear, anxiety, anger, confusion, expense, exhaustion, and the list can go on.  How about ‘hacker’ and the term ‘breach’?  Do they conjure up images related to nightmare, exposure, penalty, loss, downfall…?  Clearly, we all know who the enemy is and retailers should truly panic only about the never-ending impact of a breach.

A QSA’s job and intentions are not to intimidate but to partner with the retailer by making sure that security is preserved in a business’s card data environment (CDE).  With this premise, let’s begin an organized exercise.

What should the retailer expect before bringing in a QSA?

The retailer should expect requests for:

  1. Policies – Written policies detailing how data is protected, log reports to support them, and evidence showing that what is written in the policy is indeed what’s followed in practice.
  2. Documentation – Step by step written documentation with proof they are followed.
  3. Network diagrams, infrastructure, connected devices, wireless connections.
  4. Review of technologies used such as – firewalls, routers, switches, web servers, application servers, anti-virus, anti-malware, secure remote control access solutions, file integrity monitoring, etc…
  5. Detailed logs from all store systems, devices and servers.

Read the entire article here.