Payment Card Industry and QSA Services

Kroll offers a wide range of services for both merchants and payment processors, from audits to incident management services, to pragmatic approaches for strengthening your cyber defenses.

Kroll’s Cyber Security experts understand your challenges as an organization processing payment card transactions. First and foremost, you need to protect your customers’ payment data as prescribed by the Payment Card Industry Security Standards Council (PCI SSC), in particular its Data Security Standard (DSS). At the same time, you must protect the integrity of your own data networks. All the while, you are trying to deliver a positive customer experience that combines strict security protocols with payment convenience.

Kroll has the proven strategies to help. We offer a wide range of services for both merchants and payment processors that provide end-to-end solutions, from audits to incident management services, to pragmatic approaches for strengthening your cyber defenses:

QSA Standard Services

  • QSA Annual Audits
    Our Qualified Security Assessors are authorized to conduct your annual audit to comply with the Payment Card Industry Data Security Standards, as well as prepare you in advance of an audit.

  • Data Breach Investigations
    Our PCI Professional Forensic Investigators (PFI) can conduct PCI Security Standards Council-mandated investigations in the event of a data breach or in anticipation of litigation.

  • Training and Advisory Services
    Our top cyber security professionals, many with law enforcement and payment industry backgrounds, share how you can strengthen the security of your payment processing technology, systems, and practices.

PCI DSS Compliance Suite of Services

As a QSA, Kroll is authorized to conduct your annual PCI Audit to validate your company’s adherence to the PCI Data Security Standard. Our audit will also include the required Report of Compliance (ROC) to submit to the PCI SSC.

Additionally, Kroll offers a suite of services that facilitate the process of complying with PCI DSS requirements:

  • PCI Scope Discovery and Reduction Services. The scope discovery phase entails identifying all of your company’s technology assets that process, store, and transmit card data, as well as any systems which interact with that technology. During the reduction phase, we will identify improvements to your network architecture that would reduce the number of systems in scope for PCI DSS compliance.
  • PCI Gap Analysis. This mock audit helps to determine where your company’s systems meet or exceed data security standards, and where they fall short. A gap analysis enables your company to identify and resolve issues before an official PCI DSS compliance audit.
  • PCI Remediation Consulting. Our experts will provide pragmatic strategies to resolve issues identified during a gap analysis, whether it was performed internally, by Kroll, or by another provider.
  • Penetration Testing. As an annual PCI DSS requirement, this exercise tests the security of your company’s systems and identifies vulnerable areas that might enable a bad actor to gain access to your network.
  • CyberDetectER™ Network Monitoring Services. Kroll’s next-generation security solution integrates Kroll’s industry-leading cyber security expertise with powerful, 24/7 monitoring technology that is continuously on the hunt for network intrusions. Kroll’s CyberDetectER™ network monitoring solution addresses another PCI DSS requirement.
  • Full Lifecycle PCI DSS Gap Analysis, Readiness, and Audit Services. Encompassing all phases of PCI DSS preparedness, these services help your company achieve and maintain PCI DSS compliance.

Enhanced PCI Forensic Investigator Services

The PCI Security Standards Council requires that any organization experiencing a data breach or the theft of cardholder data must engage a PCI Forensic Investigator (PFI) to determine the nature and scope of the breach. Kroll is among the very few select organizations worldwide certified to hold the PFI designation and the only one that is also a full-service investigative firm.

Kroll achieved PFI certification by demonstrating our adherence to the required standards of excellence in cyber security. The PCI SSC scrutinized not only our investigators and our processes, but also the labs in which we conduct our investigations.

Of vital importance in a data breach situation, Kroll’s PFI investigations can be protected by your assertion of attorney-client privilege and attorney work product privilege when the investigation is directed by your legal counsel. Many organizations are unaware that a PFI’s findings can be discoverable during litigation, and the report could be used against a company at trial. The PFI investigation findings are also provided to the card brands and sometimes law enforcement. Additionally, a PFI’s report may include findings outside the scope of what is required for a PFI-mandated investigation, such as details about the theft of business intelligence, intellectual property, or other types of non-payment-card data. Therefore, it is critical to engage a PFI such as Kroll who understands the potential issues arising from including details outside the scope of the PCI SSC-mandated information in the report.

Why Kroll

Kroll is first and foremost an investigations firm. As such, we are one of the only QSAs that approach these engagements with a global investigative cyber security background.

Our QSA services go beyond facilitating your organization’s compliance with the PCI DSS — we have the experience and knowledge to help you fortify your defenses to reduce the likelihood of a data breach across your data network.

Many of our professionals have previously served with law enforcement agencies, including the FBI and U.S. Secret Service, as well as with leading payment card organizations.

We have assisted numerous companies that have been the target of data breaches and helped them to understand the nature, scope, and ramifications of how their information systems were compromised.

Additionally, we follow established law enforcement methodologies — such as chain of custody protocols for evidence handling — to potentially aid law enforcement and prosecutors in the event of criminal prosecutions.

Our approach benefits clients during post-breach investigations as well. Because we have experience conducting both PFI and privileged investigations, we are attuned to how our findings should be documented and what types of information should, and should not, be included in an investigative report.