Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV)

/0 Comments/in , , ,

📢Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV):

🌏Among the Few Compliance Firms in Asia-Pacific Holding Four PCI Certifications

Secure Vectors Technologies Inc. is now officially recognized by the PCI SSC as a PCI DSS Approved Scanning Vendor (ASV), offering trusted, industry-grade vulnerability scanning services.

Secure Vectors International now holds four globally recognized PCI certifications:

 

PCI DSS QSA(Qualified Security Assessor)

PCI 3DS Assessor

PCI PIN Security Assessor

PCI DSS ASV(Approved Scanning Vendor)

 

PCI DSS, 3DS, and PIN Security are three of the most critical standards in the payment card industry. With the addition of PCI ASV accreditation—representing advanced technical security expertise—Secure Vectors now offers comprehensive, end-to-end certification services for the financial and payment sectors. Our capabilities span governance, process management, and technical security, delivering a true one-stop PCI compliance solution for our clients.

🔍ASV: The Gold Standard in Vulnerability Scanning and Compliance

 

ASV is more than a standard vulnerability scan—it is a comprehensive assessment service validated by the PCI Security Standards Council (PCI SSC). Under PCI DSS requirements, all entities that store, process, or transmit cardholder data must submit quarterly vulnerability scan reports. PCI SSC mandates that all eligible financial and payment organizations use an Approved Scanning Vendor (ASV) to conduct these scans and provide official, validated reports.

 

Achieving ASV recognition involves three critical requirements:

 

1️⃣ Scanning Tools – The ASV service’s vulnerability detection methods (including manual procedures, workflows, and technical tools) must thoroughly identify all known vulnerabilities according to PCI SSC standards and complete the full Test Bed scan and analysis within 18 hours.

2️⃣ Execution Team – Engineers and service managers performing the scans must pass PCI SSC professional exams annually, ensuring their knowledge and service processes meet PCI SSC standards.

3️⃣ Reporting Process – Officially audited to ensure accurate interpretation of results, proper handling of false positives, and consistent, traceable reporting formats.

 

Only after final review and approval by PCI SSC can a company and its scanning solution obtain formal ASV status.

 

This process tests the ASV provider and solution in:

🔎 Detection Coverage – Ability to cover vulnerabilities across multiple protocol layers

🎯 Assessment Accuracy – Ability to distinguish false positives from real risks

📋 Reporting Rigor – Ability to provide audit-ready compliance evidence

 

ASV: Globally Trusted by the Payment Industry

 

📅 In October 2025, Secure Vectors Technologies Inc. officially passed the PCI SSC review and was listed as an Approved Scanning Vendor (ASV).

 

This recognition represents:

 

  • Industry Recognition – Only ASV scan reports are accepted as valid evidence for PCI DSS compliance audits in the financial payment sector.

  • Validated Technology, Team, and Processes – All aspects have been verified by PCI SSC.

  • Trusted Benchmark in Payments – As one of the few consulting firms in the Asia-Pacific region holding QSA × 3DS × PIN Security × ASV certifications, Secure Vectors International helps enterprises maintain ongoing compliance across multiple regulatory frameworks.

Looking ahead, we aim to use this achievement as a foundation to not only assist financial and payment organizations with ASV scans and compliance reporting but also to provide external domain vulnerability scanning, reporting, and related services across industries and regions — helping enterprises turn compliance into a business growth advantage.

 

Contact Us Today for Expert ASV Vulnerability Scan Support

👉 Contact Us

FAQ

Q1: What is PCI DSS ASV?

ASV (Approved Scanning Vendor) is an external vulnerability scanning service recognized by the PCI Security Standards Council (PCI SSC), whose scanning solution has been tested and approved. Under PCI DSS Requirement 11.3.2, organizations must have quarterly external scans performed by an ASV and receive passing reports to maintain nearly 12 months of compliance evidence.

Q2: How is ASV different from regular scanning tools?

ASV is more than just a scanning tool — it is a complete scanning solution validated by PCI SSC. Its tools, execution team, procedures, and reporting workflow must all pass official testing and audits. Only PCI-recognized ASV scan reports can serve as formal evidence for PCI DSS compliance audits and are widely trusted in the financial and payment industries.

🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

/in ,

🔒 Microsoft Releases July 2025 Patch Tuesday Update — Fixes 130 Security Vulnerabilities Including Critical SQL Server Flaw

On July 9, 2025, Microsoft released this month’s Patch Tuesday update, addressing a total of 130 security vulnerabilities, including 10 rated as “Critical.” The updates span multiple key Microsoft products such as SQL Server, Windows, and Office (Word, PowerPoint, Excel).

Among the vulnerabilities, one is particularly relevant to PCI DSS compliance: CVE-2025-49719 (CVSS score: 7.5), an information disclosure vulnerability in Microsoft SQL Server. The flaw could potentially allow unauthorized attackers to read uninitialized memory, exposing sensitive data such as passwords or encryption keys.

 

According to Adam Barnett, Principal Software Engineer at Rapid7, while attackers might not immediately retrieve meaningful data, with skilled manipulation, it may be possible to extract critical information such as encryption keys.

Mike Walters, President of Action1, noted that the vulnerability may stem from insufficient input validation in SQL Server’s memory management, which allows access to uninitialized memory. This could lead to leakage of credentials, connection strings, or other sensitive information. Affected components include the SQL Server engine and applications using OLE DB drivers.

⚠️ Security experts strongly urge:
System administrators and IT teams should immediately deploy this update, especially for organizations running Microsoft SQL Server, to prevent the risk of widespread exploitation.

Source:

https://thehackernews.com/2025/07/microsoft-patches-130-vulnerabilities.html

https://krebsonsecurity.com/2025/07/microsoft-patch-tuesday-july-2025-edition/

#Microsoft #CyberSecurity #PatchTuesday #InfoSec #VulnerabilityManagement #PCI #SQLServer #WindowsSecurity

 

【Secure Vectors's Security Classroom】

📌 What is CVSS?

CVSS stands for the Common Vulnerability Scoring System. It’s a way to evaluate and rank reported vulnerabilities in a standardized and repeatable way. This score helps organizations prioritize their response to different security risks.
CVSS generates a score from 0 to 10 based on the severity of the vulnerability.
With 10 being the most critical, based on factors like how easily the vulnerability can be exploited, its potential impact on confidentiality, integrity, and availability, and the complexity of the attack.
first time PCI DSS Compliance

PCI DSS Compliance for dummies

/0 Comments/in ,

【PCI DSS Compliance for dummies】

Even Cybersecurity Beginners Can Achieve Compliance

Top 5 questions asked (2W3H), when 1st time required by an acquirer or supervisor to obtain PCI DSS certification.

As the booming growth of e-commerce, remote work, and delivery platforms continues into 2024, the usage of cross-border transactions and online payments has accelerated, making payment card information security increasingly critical.

To protect cardholder personal information, the Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities storing, processing, or transmitting cardholder data must comply with PCI DSS requirements.

The 12 core requirements and their sub-requirements within PCI DSS are designed to protect cardholder data.

When your acquiring bank, regulatory authority or boss requires you to obtain PCI DSS certification, and you’re unsure where to start, you might ask the following five key questions (2W3H):

Table of Contents

What is PCI DSS ?

PCI DSS stands for Payment Card Industry Data Security Standards, which is established and managed by the international organization, Payment Card Industry Security Standard Council (PCI SSC). These standards are specially designed to protect payment card data from unauthorized access and misuse.

PCI SSC comprises major global credit card organizations, including American Express, Discover Financial Services, JCB, MasterCard, Visa Inc., and China UnionPay.

PCI DSS standards are a set of industry-wide guidelines, focused on securing cardholder information across these brands. These standards apply to all entities, which store, process, or transmit cardholder data. Merchants or service providers handling payment cards from these brands, regardless of their size or transaction volume, are all required to follow and comply with PCI DSS to ensure the security of cardholder information.

Who needs PCI DSS Certification?

Any organization that stores, processes, or transmits cardholder data is required to comply with PCI DSS Standards. Depending on how an organization handles cardholder data, they are categorized into different types and levels.

Step 1: To determine whether the entity is a Merchant or Service Provider.

Merchants

Organizations that accept payment cards in exchange for goods or services. This category includes physical stores, online stores, and those offering downloadable virtual goods or services.

Service Providers

Entities that transmit, process, or store payment cardholder data as part of services they offer, or that can control or influence the security of cardholder data, including third-party payment processors, payment gateway providers, wallet service providers, and online marketplaces. Data centers and cloud service providers offering virtual hosting services also belong to this category.

Step 2: Once determining whether your organization is a Merchant or a Service Provider, you can further identify the PCI DSS level.

Level 1 Merchants and Service Providers

require an on-site assessment by a Qualified Security Assessor (QSA), who will conduct the review and provide a report.

Level 2-4 Merchants and Level 2 Service Providers

can use the PCI DSS Self-Assessment Questionnaire (SAQ) to perform a self-assessment, or they can seek assistance from a QSA to ensure a faster and more accurate evaluation.

Service Provider & Merchant

Who can assist PCI DSS Certification?

For Level 1 Merchants or Service Providers undergoing their first PCI DSS assessment, it is advisable to seek professional guidance.

QSA (Qualified Security Assessor)

is a professional authorized by PCI SSC, trained and certified to conduct PCI DSS assessments and provide Reports on Compliance (ROC) and Attestations of Compliance (AOC). QSAs must regularly update their certification to stay current with the latest PCI DSS versions. If your organization is a Level 1 Merchant or Service Provider, an on-site assessment by a QSA is mandatory.

QSAC (Qualified Security Assessor Company)

employs QSAs and provides expert assessment and consulting services. QSAC can assist you in understanding the specific requirements of PCI DSS and guide you in establishing a secure Payment environment.

How to choose QSA and QSAC?

  1. Visit [PCI Security Standards Council] to verify the certified QSA and QSAC.

  2. Inquire peers or partners about their experience and recommendations that already completed PCI DSS Assessment.
  3. Review customer evaluations and case studies of potential QSAs and QSACs to ensure their experience and expertise.
  4. Consultation Services: Conduct initial consultations with multiple QSAs or QSACs to understand their service scope, fee, and work process.

By following these steps, you can find a suitable QSA or QSAC to assist your PCI DSS Assessment, ensuring the payment environment is secure and compliant.

How to do?

PCI DSS Compliance Assessment normally consists of 4 main stages:

1. Preparation Stage

Scope Confirmation and Consulting phase.

**Scope Confirmation**

  • Preliminary Assessment: Evaluate existing security measures to identify gaps and scope needing adjustment.
  • Define Assessment Scope: Determine systems, networks, and applications that need to comply with PCI DSS standards.

**Consultation Phase**

  • Engage Consultant or QSA: Select a Qualified Security Assessor (QSA) or Qualified Security Assessor Company (QSAC) to assist in verifying environment compliance, guiding remediation processes, and scheduling Assessment.
  • Security Training: Provide employees with relevant security training to enhance overall security awareness.

2. Data Preparation Phase

Preparation and Implementation of Necessary Controls

**Data Preparation**

● Policies and Procedures: Develop and update security policies and operational procedures to ensure PCI DSS compliance.
● Document Collection: Gather and organize all required documents and evidence to demonstrate compliance.

3. Assessment Phase

QSA Conducts On-Site Assessment.

**Audit Execution**

● Internal Assessment: Conduct internal reviews before formal Assessment to ensure all issues are addressed.

● On-Site Assessment: Conduct on-site Assessment led by QSA to verify consistency between actual operations and documented practices.

4. Report Phase

QSA Writes and Submits Compliance Reports and Certifications

● Report Writing: QSA writes Report on Compliance (ROC) and Attestations of Compliance (AOC).

● Report Submission: You can submit a report to the Payment Card Organization or Acquirer.

● Certification Issuance: You will receive compliance certifications indicating adherence to PCI DSS standards from QSAC.

How long does it take?

The overall timeline for achieving PCI DSS compliance certification, from initial environment verification to providing final reports, is about 3 to 5 months. Main stages of Compliance Certification Process are listed below:

  1. Preparation Stage(1-2 months):Environment Verification and Consultation Phase.

  2. Data Preparation Stage (1 month): Preparation and Implementation of necessary Control Measures.

  3. Assessment Stage (5-7 days): On-site Assessment conducted by QSA.

  4. Report Stage (0.5-1 month): QSA writes and submits Compliance Reports and Certifications.

PCI DSS Compliance Timeline

Actual timelines may vary due to the following factors:

  • Preparedness: The extent of preparation before certification can expedite the process.
  • Complexity of Systems and Operations: The complexity of IT environments, network architecture, and operational processes can affect certification timelines.
  • Resources invested by the company (including manpower, time, and budget) and efficiency in project management.


To ensure an efficient process, it is recommended to:

  • Begin preparation: As early as possible, especially organizing documents and policies.
  • Effective Communication: Maintain close communication with QSA throughout the certification process to promptly address any issues that arises.
  • Continuous monitoring: After certification, it is necessary to continue maintaining and improving security measures to ensure long-term compliance with PCI DSS requirements.

How much does it cost?

Estimated Additional Costs for 1st-time PCI DSS Compliance

A. System

Due to the high-security requirements of PCI DSS, certain systems may need to be separated to comply with requirements such as having only one primary function per system component (Req. 2.2.3). Previously, functions like Web Server, Application Server, and DB Server might have been on one machine but now need to be split, potentially requiring additional server equipment (virtual servers can be used).Additionally, security components like NTP Servers, FIM Servers (File Integrity Management), and Log Servers may be needed to meet compliance, potentially increasing the number of required machines compared to before.

B. Security Equipment

Meeting PCI DSS security requirements may necessitate purchasing additional security equipment such as Network Security Control devices (NSCs) like firewalls, Intrusion Prevention Systems (IPS), Intrusion Detection Systems (IDS), and Web Application Firewalls (WAF).

C. Data Encryption Equipment

Organizations with high security and performance demands may opt for Hardware Security Modules (HSMs) to encrypt card data securely as required by PCI DSS.

D. Personnel Training

PPCI DSS mandates training for personnel including awareness training, secure coding training, and conducting drills for Incident Response Plans (IRP). If staff perform Vulnerability Scans or Penetration Tests, they will also require adequate security training, potentially increasing training costs.

E. Technical Test

PCI DSS requires various periodic technical tests including Internal Vulnerability Scans, External Vulnerability Scans (ASV), Internal and External Penetration Tests, Wireless Scans, Card Number Scans, and Code Reviews. This section typically incurs additional expenses.

F. Other

If you are a service provider, acquiring institutions or card organizations may require registration in their service provider registries like VISA Registry or MasterCard SDP (Service Provider Registration).

For a small to medium-sized Service Provider without prior PCI DSS compliance experience, the estimated additional expenses might include as listed below:

PCI DSS extra cost for first time

PCI DSS Certification Costs

In addition to the potential additional costs mentioned above, the cost of PCI DSS Assessment can be varied with the time required by PCI DSS QSAs to complete the Assessment and Report.

The estimated assessment time depends on the following factors:

  1. System Complexity: The number of hosts, types of operating systems used, components installed on systems, multiple OS configurations, and security configurations all affect the sampling required during audits and increase audit time.

  2. Security Equipment and Networks: The number of security devices within the assessment scope such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP, etc., requires configuration, updates, access control checks, logging, and more, thereby increasing assessment time with more devices and complex network planning.

  3. Connections to Acquiring Institutions and Service Providers: More connections to acquiring institutions and service providers form more complex data flows (Dataflows), necessitating additional time for inspection.

  4. Database and Card Data Storage and Encryption Methods: Diverse card data flows and storage methods require more encryption or security measures, resulting in additional inspection items.

  5. Number of Operational Units: The number of stores, data centers, and operational offices increases the days required for Assessment, e.g., banks, telecom companies, and businesses with numerous stores and offices with extensive sampling. Moreover, backup data centers storing card data are also included in the scope.

Generally speaking, PCI DSS Assessment costs vary by region due to different annual fees set by the PCI SSC and varying salaries for QSAs in different regions. In Southeast Asia, e.g., a small to medium-sized service provider requires 3-5 days for on-site Assessment and around a week for report compilation. Excluding travel costs, PCI DSS certification costs typically range between NT$400,000 to NT$600,000.

However, an actual quotation depends on the complexity factors mentioned above.

Who needs PCI DSS Compliance?
Which SAQ Type?

Whether you are a cross-border e-commerce business, a third-party payment platform, or a service provider, adhering to PCI DSS compliance requirements is crucial. Implementing these compliance measures not only provides your acquiring bank and regulatory authorities with a certificate of compliance but also directly helps your business reduce the risk of data breaches and theft while enhancing consumer confidence in the security of their transactions.

PCI DSS compliance consists of over 400 requirements, covering everything from understanding and interpreting the standards, providing evidence, and obtaining certification, to maintaining compliance in the future. How do you ensure ongoing compliance?

It is recommended to consider hiring a QSAC (Qualified Security Assessor Company) to help you quickly and effectively achieve compliance in a short time.

After certification, you can utilize a compliance management system offering features such as automated monitoring, alerts, regular data submission, and real-time visual status updates. This ensures that your business remains compliant and secure at all times.

*For more information about PCI Compliance Services, please feel free to contact us.

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

/0 Comments/in ,
Read more
Are you ready for PCI DSS v4.0

Are you ready for PCI DSS v4.0

/0 Comments/in ,
Read more

Sequoia Vulnerability (CVE-2021-33909), PCI DSS Experts advise

/0 Comments/in ,

An out-of-bounds write flaw was found in the Linux kernel’s seq_file in the Filesystem layer. This flaw allows a local attacker with a user privilege to gain access to out-of-bound memory, leading to a system crash or a leak of internal kernel information. The issue results from not validating the size_t-to-int conversion prior to performing operations.

From PCI DSS point of views, primary concerns are operating system user account security.  Verification on the necessities of allowing access given to System, restrict only the mandatory rights to login with logging, ePBF etc. Patch management, especially critical, should be complete in 30 days.


  • PCI DSS Requirements 2.1 : Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.  Verify /etc/password have proper settings, delete or set to “nologin”, preventing non mandatory users can login using vulnerability to compromise the system.
  • PCI DSS Requirements 6.2 : Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.

Verify Operating System vendors have releasing relate patch and complete patch update within 1 month.  If there are no updates from the vendors, necessary mitigation process should be in place.


Patch updates resolving this vulnerability (CVE-2021-33909) noted by Qualys Security Research Team, see following form for Patch listing:


SourceRisk level
NESSUS
https://www.tenable.com/cve/CVE-2021-33909		CVSS (v2) 7.2
NIST NVD
https://nvd.nist.gov/vuln/detail/CVE-2021-33909		CVSS (v3) 7.8
Redhat
https://access.redhat.com/security/cve/cve-2021-33909		CVSS (v3) 7.0
CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909		Source: MITRE

Update on 2021/09/10

Qualys Security Research Team has proven vulnerability by accessing root rights in vulnerable OS of : Ubuntu 20.04、Ubuntu 20.10、Ubuntu 21.04、Debian 11 and Fedora 34 Workstation.  Other Linux OS may result in I.O.C. generate from this vulnerability.  Linux Servers patch fix as follow:


Operating SystemSecurity patch link
Redhathttps://access.redhat.com/security/cve/cve-2021-33909
CentOShttps://centosfaq.org/centos/its-been-six-days-since-cvd-2021-33909-was-patched-in-rhel-whats-the-holdup-for-stream-8/

https://centos.pkgs.org/8-stream/centos-baseos-x86_64/kernel-4.18.0-326.el8.x86_64.rpm.html

SUSEhttps://www.suse.com/security/cve/CVE-2021-33909.html
ubuntuhttps://ubuntu.com/security/CVE-2021-33909

Update on 2021/09/10

If there are no updates from the vendors, necessary mitigation process should be in place.

sysctl kernel.unprivileged_userns_clone=1   # unprivileged_userns_clone set as 0

sysctl kernel.unprivileged_bpf_disabled=1   # unprivileged_bpf_disabled set as 1

For technical details, please refer to below link:

https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt


Max Tsai

Secure Vectors Information Technologies, Inc. - PCI QSA and Senior Consultant

• Payment Card Industry Security, IT Security Management, Cloud Service Management
• Professional certification: PCI DSS QSA, CISSP, ISMS LA



Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.



You might also like


Secure Vectors Accredited as a PCI DSS Approved Scanning Vendor (ASV)

🔒 Microsoft Issues Major Security Update – 130 Vulnerabilities Patched!

PCI DSS v4.0

Who need PCI DSS Compliance?

first time PCI DSS Compliance

PCI DSS Compliance for dummies

What is your SAQ Type?

[GCP] Be careful using GCP’s CI/CD service Google Cloud Build!

【FortiOS】SSL-VPN Major Security Vulnerability (CVE-2023-27997) Have you fixed it?

Immediate Response Required: Windows 10/11 (CVE-2021-36934) Security Vulnerabilities

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.


PCI 3DS 驗證 3 步驟_Max

PCI DSS Compliance Process and Requirements

/0 Comments/in ,
This article is an introduction to the latest PCI DSS compliance standards process in 2021, as well as an explanation of PCI DSS levels of compliance and their required costs.

Table of Contents

PCI DSS Standards

The Payment Card Industry Data Standards (referred to as PCI DSS), is a global industry standard set up by the major international credit card organisations pertaining to the security of cardholder information that flows through their networks. All organisations, whether Merchants or Service Providers, that accept payments or Store, Process and Transmit card data from the major international card organisations must adopt the PCI DSS and protect cardholder information in accordance with the Security Standards.

The PCI DSS is created and managed by the PCI SSC (Payment Industry Security Standards Council and her members consist of VISA Inc., MasterCard, JCB, American Express and Discover.

PCI DSS Compliance Levels

The way to obtain the PCI DSS compliance status is usually via a PCI DSS Assessment. Both Merchants and Service Providers have different levels, which can be seen below (using the regulations provided by VISA)

  • Merchant Levels

  • Service Provider Levels

When a Merchant or Service Provider is deemed as Level 1, they are required to obtain the services of a QSA (Qualified Security Assessor), which is an approved PCI DSS auditor. The QSA has to perform an on-site audit for the organization and provide a report after the review.

Merchants Level 2-4 or Service Providers Level 2 must fill up a PCI DSS SAQ (Self-Assessment Questionnaire), which can also be assisted by a QSA.

In order to determine the level and you are required to obtain, and the type of SAQ you are required to use, please contact your acquirer.

PCI DSS Audit Process

In general, the PCI DSS audit can be divided into the following phases below:

The initial preparation and consultation phase may take up to 3-5 months, depending on the readiness of the organization that is undergoing the review and the complexity of their systems and their processes.

PCI DSS related costs during and after the review

  1. Systems Related Costs

As PCI DSS will require strong security protection to be implemented such as “One Primary Function Per Server” (Req. 2.2.1), the Web Server, Application Server and DB Server will have to be isolated from each other, if they were put in the same location previously. Similarly, there may be greater hosting equipment requirements (Virtual Servers can be used)

Additionally, PCI DSS requires the establishment of security service components such as DNS Server, NTP Server, FIM Server (File Integrity Management), Log Server etc. therefore the organization may have to obtain more equipment than in the past in order to meet compliance requirements.

2. Security Equipment Costs

Additional security equipment may need to be purchased (i.e. Firewalls, IPS, IDS, WAF)

3.  Data Encryption Costs

PCI DSS requires card data encryption. Organisations will typically use HSM (Hardware Secure Module) hardware encryption to ensure the security of the cardholder data stored.

4. Training Costs

PCI DSS requires employees to undergo Awareness Training, Secure Coding Training, and IRP (Incident Response Plan) drills. In addition, to perform Vulnerability Scans and Penetration Tests, your staff may also have to undergo sufficient technical training to operate these tools.

5. Technical Audit Costs

PCI DSS mandates a number of technical audits, including:

  • Card Number Scanning
  • Code Review
  • Internal Vulnerability Scan
  • ASV, External Vulnerability Scan
  • Internal Penetration Test
  • External Penetration Test
  • Wireless Scan

There may be some additional costs here.

6. Other Costs

If your organization is designated as a Service Provider, you will be required to register yourself, such as at VISA’s VISA Registry or MasterCard’s Service Provider Registration

Let us provide an example of a small-to-medium sized Service Provider, who is undergoing the PCI DSS compliance process for the first time. These are the estimated additional expenses:

PCI DSS Compliance Fees

In addition to the possible costs above, the PCI DSS Compliance fees and the time required by a QSA to complete the audit depend on the following factors as well.

  • System Complexity: The number of hosts, the type of OS used by the system, the number of components installed on the system, whether there are multiple OSs used at the same time, whether there are multiple security configurations.
  • Security Devices and Network Segments: How many security devices there are, such as Firewalls, IPS, IDS, WAF, Switches, Routers, SIEM, DRP etc. These security devices must be set up and updated with proper access controls and logs. We must also check and ensure that the records are kept, and the higher the number, the more complicated the network segment will be, which will increase the time required to audit.
  • The number of connected acquirers and service providers: The more acquirers there are, the more complicated the data-flows of the system.
  • Retention and encryption of database and card data: The more diverse the card data flows and the more diverse the types of card data storage, the more requirements there are for encryption and security protections, which leads to more items for auditing.
  • Number of operation units: The number of stores, number of server rooms used, and the number of offices will also increase the number of days required for review. Bank, telecommunications companies etc. will have a large number of storefronts and offices, which will lead to longer auditing periods required. Backup server rooms that store card data will also be included in the scope of review.The costs of a PCI DSS audit will also differ by geography, as the PCI SSC has different annual costs for each region. The costs of a QSA is also different in each region. For example, a small-to-medium sized Service Provider in Southeast Asia will require around 3-5 days of on-site assessment and require about a week for the preparation of the report. Excluding transportation costs, a first-time PCI DSS certification may cost between 15,000 USD to 25,000 USD. Of course, the actual price must be estimated based on the variables mentioned above to determine the amount of time required for the audit.

           

Vincent Huang

Secure Vectors Information Technologies, Inc. – PCI QSA and Senior Consultant 

– IT Security Management, Payment Card Industry Security, Data Center Security and Cloud Security
– Professional certification: DSS QSA, PCI 3DS Assessor, PIN Security QPA, CISSP, CEH, NSPA, ISMS LA, ITSM LA, Certified CSA STAR Auditor, Europrise Technical Expert

Secure Vectors Information Technologies Inc., is a consulting firm specialized in providing payment card related security consulting and assessment services. We provide comprehensive payment card related security consulting and certification services, including PCI DSS, PCI 3DS, PCI PIN Security Standards. Also providing personal data protection, GDPR compliance inspection and other consulting services. Headquartered in California, U.S., and with branch offices in Taiwan (Taipei), China (Beijing and Hunan), Vietnam (Hanoi), and Singapore. With over 70 percent market share in Taiwan and 8 years experiences in PCI compliance, we developed compliance management program and collaborating services to fit every business.

*For more information and inquiries please kindly email us at service@securevectors.com , our experts will answer all your questions as soon as possible.

Payment Security Market to Reach $24.6 Billion by 2022: Driven by the Need to Adhere to PCI DSS Guidelines & the Rise in Fraudulent Activities in Ecommerce

/in

The Payment Security Market by Solution, Service, Organization Size, Industry Vertical, and Region in 2022

The global payment security market size is expected to grow from USD 11.39 Billion in 2017 to USD 24.63 Billion by 2022, at a Compound Annual Growth Rate (CAGR) of 16.7%. The major growth drivers of the market include increased adoption of digital payment modes, need to adhere to PCI DSS guidelines, and rise in fraudulent activities in Ecommerce. The payment security market is segmented by component (solution and service), organization size, industry vertical, and region. The solutions segment in the market is expected to have a larger market size than the services segment during the forecast period. The reason behind the high growth rate is the increased need to secure online business sensitive transactions from advanced cyber-attacks.

The support services segment is expected to grow at a higher CAGR during the forecast period with the largest market size. The large enterprises segment is expected to account for a larger market size in 2017. However, the Small and Medium-Sized Enterprises (SMEs) segment is expected to grow at a higher CAGR during the forecast period, as SMEs are mainly adopting payment security solutions to protect the customer-sensitive bank account data from network vulnerabilities and attacks.

Payment security solutions and services are deployed across various industry verticals, including retail; travel and hospitality; IT and telecom; healthcare; education; media and entertainment; and others. The education vertical is expected to grow at the highest CAGR during the forecast period. However, the retail vertical is expected to have the largest market size in 2017, as retailers are using various interesting ways such as, offers and discounts to attract customers for online shopping. Therefore, the adoption of the payment security solutions is increasing in the retail sector.

On the basis of regions, the global payment security market has been segmented into North America, Europe, Asia Pacific (APAC), Middle East and Africa (MEA), and Latin America to provide a region-specific analysis. The North American region, followed by Europe, is expected to be the largest revenue-generating region for payment security service vendors in 2017. In the developed economies of the US and Canada, there is a high focus on innovations obtained from Research and Development (R&D) and payment security technologies. The APAC region is expected to be the fastest-growing region in the market. The growth in this region is primarily driven by the increasing adoption of advanced payment technologies within organizations to perform business transactions.

 

 

 

 

Research and Market, dated 1 August 1, 2017
http://www.researchandmarkets.com