PCI-DSS

PCI DSS projects often begin in the middle, with a gap analysis or the implementation of technical controls to meet the standard – this can be an expensive way to proceed as, often as not, it involves committing funds to assessing systems that are not even in the final scope, or implementing complicated solutions that never contribute to compliance. We initiate all PCI DSS projects with a strategy review, assessing which parts of the business are currently in scope for PCI DSS and deciding how to deal with these elements in a cost-effective way that reduces risk as well as meeting the standard.

The ethos is to move as much out of scope as possible, and then simplify the remainder until a viable compliance project remains. This may mean changing business process rather than altering technical solutions.

PCI DSS Strategy

Strategies will include: business process alteration; outsourcing; tokenization; point-to-point encryption and technical change. The outcome of the strategy phase is a viable, cost-effective roadmap to compliance. Also in the strategy phase we will answer questions about merchant levels, reporting, compliance validation, potential costs and other areas that have a bearing on the success of the project.

PCI DSS Scope & Gap Analysis

Identifying an accurate scope of your environment is one of the most critical phases of the compliance program. During this phase a Qualified Security Assessor (QSA) will assist you in identifying the areas of the business that store, process and transmit cardholder data in the light of the strategy phase above, ensuring that scope reduction strategies are fully documented and agreed. At the end of this phase a fully defined, minimal scope for compliance should remain.

For any PCI DSS project to be effective, it is essential that every remediation decision made includes consideration of the current compliance status, as documented in an up-to-date gap analysis report. A full onsite review of the identified card data environment (CDE) is performed and documented against the applicable requirements identified from the scoping phase; all areas of non-compliance are documented and recorded in a security improvement plan and clear advice is given on turning the reds to green.

PCI DSS Remediation & Pre-audit Assessment

This remediation phase will address the gaps identified in the PCI DSS Gap Analysis above, and will involve technical change, business process change, training, awareness and all the other steps identified in the previous phases as being necessary to achieve compliance. We can play a number of roles in the remediation phase as desired by the client – we can act as a simple sounding board for proposed changes, or we can fully engage in aiding the often complex organizational changes required by the compliance project.

The pre-audit validation is a documentation and interview-based review of the readiness of the environment for a compliance audit. At this stage, we will run through the expectations of the final audit in terms of evidence and documentation, and ensure that we are as prepared as we can be for a successful final audit.

PCI Compliance Remediation Service & PCI-DSS Training

When a pre-assessment or onsite audit identifies a compliance gap, quick remediation is vital. Our PCI compliance team includes technology and GRC experts from a range of functional practice areas. This expertise assures you that any identified gap will be remediated by highly qualified experts.

The PCI DSS training course provides everything you need to know for PCI DSS compliance. It is an ideal starting point for anyone who is new to the standard and wishes to gain comprehensive, practical knowledge of the ins and outs of all its aspects. The course will allow you to develop a cost-effective plan to meet the requirements that apply to your organization.

PCI DSS Audit

PCI DSS compliance validation is an annual requirement for any organization that is required to comply with the PCI Data Security Standard.

The assessment includes:

  • Certification Assessment Preparation
  • Onsite Validation Assessment
  • Compliance Reporting

The onsite assessment is conducted in accordance with the validation requirements of the PCI Security Standards Council. This can result in a full Report on Compliance, or assistance with a Self-Assessment Questionnaire, as required.