Expert Insights: PCI

Posted by Katie Sadler on 22-Jun-2017

An interview with Cognosec's Osaze Aigbe, Senior PCI Security Consultant


As part of our Expert Insights Series, we speak to Osaze Aigbe, Cognosec’s Senior PCI Security Consultant, to find out why an organization should invest in PCI services.

Could you tell me a little about your role at Cognosec?

I work as a Senior Security Consultant within the global Risk and Compliance function, specialising in all things compliance related, from PCI DSS and ISO to EU GDPR. I am also a Qualified Security Assessor (QSA) as well as a Lead Auditor. My main role is to carry out security assessments under the PCI DSS standard for clients across the globe. The role consists of carrying out onsite assessments, gap analysis and an overall security review of our clients’ cyber security posture. I also actively provide our clients with expert advisory services in the implementation of other compliance frameworks like ISO.


How long have you been working in the information security and compliance field? What experience do you have?

I have worked within the information security and compliance field for about 7 years. Prior to Cognosec, I was responsible for managing the PCI compliance of the UK’s biggest water company, ensuring that they met compliance as a level 2 merchant. Preceding that role, I was also responsible for the management and implementation of a GRC solution in Europe’s biggest telecommunications company. My expertise lies in regulatory compliance reviews, cyber security audits, information security management systems (ISMS), data security classification and cryptographic key management. I am certified in the following areas of cyber security: CISSP (Certified Information Systems Security Professional) and International Organisation for Standardisation (ISO) 27001:13 Lead Auditor.


Why does an organization need PCI services?

The PCI DSS mandates that all organizations that process, transmit or store cardholder data adhere to its 12 requirements or face fines from acquiring banks resulting from a breach. All organizations, irrespective of size, that accept, transmit or store cardholder data need PCI services. All organizations have a duty to have robust security controls in place with regards to the cardholder data of their clients and, as such, they require companies like Cognosec to help them define a good security framework so they can comply with the 12 PCI DSS requirements. Organizations must comply with this regulation in order to remain in the business of taking card payments.


What PCI services does Cognosec provide?

Cognosec provides the following PCI services based on an assessment of the client’s compliance level. The services include:

  • PCI Gap Analysis
  • PCI ASV Scanning
  • PCI Onsite Assessment
  • PCI Penetration Testing
  • PCI DSS SAQ
  • PCI Remediation


What is the most common question an organization asks during assessment?

One of the most common questions we get asked during assessment is “When do we get our certificate of compliance?” We tend to find that clients are keen from the onset to get certified, which is good news for us. However, as security auditors, we have to advise and guide the client towards meeting the 12 PCI DSS requirements by ensuring that their security posture with regards to their people, processes and technology demonstrates that they have the required evidence for PCI DSS compliance.


Could you briefly describe how you implement audits?

The audit first begins with a gap analysis, which is performed by a different team. From that gap analysis, the client’s environment is taken through a scoping session to determine all the areas where the client has contact with cardholder data, including all supporting people, processes and technology. These activities then pave the way for a formal onsite assessment from the PCI team. During this onsite assessment, we assess the security controls in place that support the 12 PCI DSS requirements and then provide a report. The onsite assessment normally takes 2-5 days depending on the size of the organization being assessed. If the client meets the requirements, we issue a ROC (level 1) or an SAQ and then issue a formal signed certificate of compliance to the appropriate PCI DSS standard. In a case where the client fails to meet the 12 requirements, we issue a report and identify the gaps, which should then be remediated by the client.


And finally, in your opinion, why should an organisation choose Cognosec?

Cognosec is a service provider company that focuses on providing a personalised service for our clients; one which they might not get if they went to a big service provider. We aim to peel away all the layers and go straight into what benefits the client in the short and long term based on their business drivers and goals. We also believe that doing a good job for the client allows them to recommend us to their business partners.

Find out about Cognosec’s PCI services here.

Topics: PCI Compliance, PCI
