Q: How much does it cost to utilise PCI CONSULTING AUSTRALIA?

A: Our business model is designed for low overheads with savings passed onto clients. We generally work off a daily rate for smaller jobs and can quote a fixed fee for larger scale assessments and ongoing assignments. Based on the industry in Australia we believe our prices are more than competitive with importantly a high level of customer service.

Q: Do rates differ per industry?

A: Generally not, but we do have significant experience in the charity and not-for-profit sector. As such, we do offer a discounted rate to these entities.

Q: I’m a Level 3 or 4 merchant. Should I use a QSA?

A: This really depends on your budget and also internal capabilities. We will always recommend some level of support but we try to be honest in our appraisal. For example, we have spent significant time with some of our Level 3 merchants whereas others literally only a day or two to get them going as we’re confident they have the resources to self certify.

Q: I haven’t heard anything from my bank. Should I still undertake the program?

A: Even without external pressure, there is still a risk to your business when non-compliant with the main one being the risk to your reputation should your data be breached. Even though it’s a compliance function, remember you have the ability to use PCI Compliance as a selling point. If you offer a service that is PCI Compliant v a competitor that cannot, you have an instant competitive advantage.

Q: How long does compliance last?

A: You need to re-certify annually. A large number of businesses spend so much effort gaining initial compliance they then relax and drop out of compliance in the second year. We work with you to setup ongoing controls to avoid this from happening.

Q: What insurances does PCI CONSULTING AUSTRALIA maintain?

A: To gain accreditation as a QSA, firms must have a high level of insurance including Professional Indemnity, Cyber Liability, and Management Liability. Of course we also maintain Public Liability insurance. Copies of these can be forwarded upon request.

Q: Does it make a difference to only achieve PCI Compliance in Australia?

A: The PCI DSS is a global standard. In Australia there may not be as many Level 1 entities compared to larger countries but the testing criteria based on your level does not change country to country.

Q: How do you store our sensitive client data and reports?

A: We take data integrity very seriously. All email functions are secured within HTTPS pages. All client data is stored in the cloud with strong encryption and access controls in place. In case of short term data storage on laptops, we employ AES 256-bit encryption on these files. Data is also backed up within this cloud service to minimise the likelihood of data loss.

Q: What about other PCI CONSULTING AUSTRALIA processes?

A: PCI CONSULTING AUSTRALIA has implemented formal policies and procedures including Data Retention, Code of Conduct, Background Check & Hiring, Corporate Induction, and a Quality Assurance Manual. The PCI Security Standards Council sets rigid Quality Assurance requirements on QSA firms and we adhere to them to the letter.

Q: What do you mean you’re ‘vendor independent’?

A: It means we have no vested interest in recommending third parties or do not receive commission. From time to time we may recommend a vendor product but that’s purely from a compliance perspective. We would recommend it because it can meet your compliance needs. But generally we aim to find a practical solution before suggesting an investment if possible.

Q: Why should we choose you over other QSAs?

A: Well that’s your choice of course! First, our low overheads means our pricing is more than competitive. We can’t guarantee we’re the cheapest but we’re certainly well placed within the industry. Second, our independence means solutions are 100% in your best interests. Third, our personnel are purposely not just IT gurus. We believe we have well rounded skills with the flexibility to meet many demands and have particularly strong Project Management skills. And finally, we recognise we’re in the service industry and client satisfaction is paramount. We can’t guarantee you’ll agree with our opinion all the time but are dedicated to working with you to find the best outcomes. We’re more than just assessors!

Q: Where can I find one-pager about what you do?

A: You can download a one page description (PDF) here.

Q: Can you provide examples of various payment channels and how to comply?

A: Particularly for small merchants, a user friendly guide is available here.

Q: What is the difference between penetration testing, ASV scanning and internal scans?

A: This is a very common question and it can be confusing! Details are explained here.