August 9, 2008

SAS70 & PCI DSS Assessments

Filed under: News, Services — Tags: , , , , — Charles Denyer @ 11:13 pm

SAS70 audits & PCI DSS assessments are being quite common in today’s heightened era of regulatory compliance and corporate governance. What’s more, many perceive this as just the beginning of a long line of compliance mandates that have and will truly shape the way many aspects of business & commerce are conducted in this country.

As an auditor for many years, I’ve been approached by many clients desperately wanting to know if efficiencies can be obtained within the audit and assessment process for companies undergoing both a SAS70 audit and a PCI DSS assessment. There’s no simple yes or no, black or white answer to this, as many variables come into play when conducting a SAS70 audit or a PCI DSS assessment.

What I can tell you though is that there are common themes and drivers seen in both a SAS70 audit and a PCI DSS assessment. In short, both a SAS70 audit and a PCI DSS assessment rely heavily on the existence of documented policies & procedures. Furthermore, both of these examinations also examine various aspects of physical security, network security, logical security, change management, to name a few. Quickly, you can see some overlapping themes in both a SAS70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake a SAS70 audit and a PCI DSS assessment. So, what’s the NO or the gray erea? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS70 audit. At the same time, a SAS70 audit also covers comprehensive business process controls applicable to that specific entity being examined for a SAS70. A PCI DSS assessment does generally not cover or assess these specific business processes that a SAS70 would. Thus, you can see the gaps between these two examinations.

In short, you can create synergies and efficiencies between SAS70 audits & PCI by focusing on the areas where overlapping exist, such as in the development of policies/procedures and other areas mentions.

To learn more about what SAS70 is, visit the official SAS70 Resource Guide

To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment



Blog Navigation

Subscribe

Fill out the form below to become a subscriber to the SAS 70 Resource Guide Newsletter. Your information will never be shared with any third-party vendor or company.

For the latest information about SAS 70, subscribe to the SAS 70 Resource Guide News Feed by following the links below.

RSS | atom

about feeds

SAS 70 Google News Alert Widget provided by Grazr