Frequently Asked Questions
What is information security?
Information security is the protection of information to ensure:
- Confidentiality: ensuring that the information is accessible only to those authorized to access it.
- Integrity: ensuring that the information is accurate and complete and that it is not modified without authorization.
- Availability: ensuring that the information is accessible to authorized users when required.
Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).
What is risk assessment?
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.
Why are risk assessment and risk management relevant to information security?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A company must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standard is intended to help organizations proactively protect customer account data.
What if I am not sure if I need to comply with the standard?
All merchants and service providers that store, process or transmit cardholder data need to be in compliance with the standard. The precise rules for how they have to demonstrate this compliance to the payment brands vary by brand.
How do I decide whether I need an independent assessment or a self-assessment?
In general, independent assessments are required for those who process large volumes of transactions, are at high risk, or have already experienced a breach. The payment brands have differing requirements regarding assessments. For example, merchants are typically assigned a "Level" based on their annual transaction volume; for the highest levels the individual brands require an on-site assessment performed by a Qualified Security Assessor (QSA), while lower levels may be allowed to complete a Self-Assessment Questionnaire (SAQ) instead. Lexicon IT can help you understand what is needed in your case; alternatively, you can contact your acquiring bank or the payment brand(s) directly to find out which kind of assessment is required of you.
What happens during an assessment?
In essence, assessments follow the PCI DSS Security Assessment Procedures, which provide a checklist of requirements together with the testing procedures used to verify each one. Typically, a Qualified Security Assessor (QSA) will first want to see the documentation of your environment and procedures, including a diagram of where cardholder data is stored, processed and transmitted. After reviewing this, an on-site assessment is performed to verify that your documentation is correct and that cardholder data is processed and stored in a manner compliant with the standard. Eventually, the QSA will either provide you (and the brand, as appropriate) with a Report on Compliance (ROC) stating that you meet the standard's requirements, or provide you with a list of issues that need to be resolved before a ROC can be issued.
How long does an assessment take? How much does it cost?
This varies widely because the scope of the assessment varies widely. For some organizations the cardholder data environment is as small as a single PC; for others it spans several data centers or a large enterprise network. Segmenting the network so that only the systems that actually handle cardholder data are in scope reduces both the time and the cost of the assessment. In addition, writing the Report on Compliance (ROC) takes some time beyond the assessment itself.