Our approach to the Payment Card Industry Data Security Standard (PCI DSS) is based on a number of principles which differentiate us from our competitors:
As the only Qualified Security Assessor (QSA) in the UK that is part of a large professional services and accountancy practice, we operate to the highest professional standards and have access to significant resources that ensure we bring the best technical skills to each engagement. KSC is also an accredited QSA Company for the Barclaycard Risk Reduction Programme (BRRP).
Our staffing model ensures high levels of experience. KSC’s QSA practice does not employ any individual unless they have at least ten years of relevant experience in information security and audit disciplines. The current average experience of our QSA team is 18 years. This gives our consultants a breadth and depth of technical knowledge which ensures we deliver rapidly and with insight. It also means we are able to provide practical advice, drawn from our experience, on how you can address issues that might otherwise impact your ability to comply.
Critically, the experience we require of our staff must include time in a management role within a corporate IT function as well as time spent in an audit or assurance role. This gives our QSAs an unparalleled understanding of the realities of managing information security in a commercial environment, and we are committed to identifying controls within your environment which meet, or can be redesigned to meet, the requirements of the DSS in a manner that is as cost-effective as possible.
We are committed to sharing knowledge and building capability, and have developed techniques to ensure that the client staff we work with develop their own skills through our involvement. In addition, all technical methodologies that we employ are made available to clients at no extra cost.
Continuity of staff
Where possible, we ensure that the same consultants are engaged on all phases of PCI work for a client, to facilitate a more thorough understanding of the cardholder data environment and eliminate the need to re-learn the client’s infrastructure and controls. This extends to subsequent annual reassessments where relevant.