In our previous blog, we looked at where your PCI compliance journey starts. The first step is understanding the flow of your payment card data: where payment card information enters your organisation, where it goes, who it is shared with, which systems and components it touches, where it is stored, in what form it is stored and who has access to it. The data flow needs to be mapped for every payment channel you use, whether by phone, online or face to face. URM can help map this out by speaking to the relevant personnel in your teams and reviewing network diagrams, so that your data flows can be presented diagrammatically. These data flows determine your scope.
Before we look at your scope in detail, we need to understand the annual volume (number) of card transactions you process. Your acquirer uses this volume to assign your merchant level, and that level determines how you must validate compliance with the Payment Card Industry Data Security Standard (PCI DSS): whether you can complete a self-assessment questionnaire (SAQ) or must undergo an on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance. Which SAQ applies to you, and therefore which requirements you need to validate, depends on your payment channels and on how cardholder data is handled, not on transaction volume alone.
Once we understand your data flow and your payment channels, we have an idea of the scope. Our aim now is to review your initial scope with the objective of keeping it as tight and contained as possible. We typically achieve this via segmentation, i.e. isolating, as far as possible, the system components that make up the cardholder data environment (CDE). System components means any network device, server, computing device or application that is included in or connected to the CDE; a system that can connect to the CDE remains in scope even if it never handles card data itself, so the goal of segmentation is to remove that connectivity for everything that does not need it. URM will suggest various segmentation options for you to consider. Often, installing a firewall to isolate a part of your network can have a very significant impact on your scope. Bear in mind that PCI DSS does not take segmentation on trust: if you rely on it to reduce scope, its effectiveness must be confirmed by penetration testing at least annually (more often for service providers) and after any change to the segmentation controls. We will help you by identifying opportunities to reduce the scope without impacting the service you deliver, and by considering the costs and benefits of doing so.
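To make the firewall-based isolation described above concrete, the following nftables ruleset is an illustrative example added to this post; it is not URM's configuration, and the addresses are assumed (10.10.0.0/24 for the CDE, 10.20.0.0/24 for the corporate LAN, a single jump host at 10.30.0.10 and an acquirer endpoint at 203.0.113.50). The point it shows is that scope reduction comes from a default-deny boundary in which every permitted flow is one you identified on the data-flow diagram, while anything else crossing the boundary is logged and dropped.

```nft
# Added illustrative example, not URM's configuration.
# Assumed addressing (hypothetical):
#   10.10.0.0/24   CDE: payment application and database servers
#   10.20.0.0/24   corporate LAN, intended to be out of scope
#   10.30.0.10     hardened jump host for CDE administration
#   203.0.113.50   acquirer's payment gateway (TEST-NET-3 placeholder)
# Load on the segmentation firewall with:  nft -f cde-segmentation.nft
flush ruleset

table inet cde_segmentation {
    chain forward {
        # Default-deny: nothing crosses the CDE boundary unless listed below
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed to start
        ct state established,related accept

        # Administrative access into the CDE: jump host only, SSH only
        ip saddr 10.30.0.10 ip daddr 10.10.0.0/24 tcp dport 22 accept

        # Payment application to acquirer over TLS; the only outbound flow
        ip saddr 10.10.0.0/24 ip daddr 203.0.113.50 tcp dport 443 accept

        # Note what is absent: no rule lets 10.20.0.0/24 reach 10.10.0.0/24,
        # so the corporate LAN has no connectivity to the CDE.

        # Log (rate-limited) everything else before the policy drops it;
        # these log lines are the evidence your segmentation test will probe
        limit rate 10/second burst 5 packets log prefix "cde-seg-drop: " counter
    }
}
```

Every accept line here should trace back to an arrow on your data-flow diagram; if a flow is needed that the diagram does not show, the diagram is wrong, not the firewall. The log prefix also gives the penetration tester, and your own monitoring, a simple way to confirm that probes from the corporate LAN towards the CDE are being blocked rather than silently lost.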
Armed with this information, the next step is to complete a gap analysis against the requirements of the Standard that apply to you. This is achieved through a series of interviews with personnel (those involved in handling payment card information and/or delivering services to clients) to understand how you operate on a day-to-day basis. We will also review all relevant documentation, such as network diagrams, policies and processes. This enables us to establish where you already comply and where you need to take action to address gaps. Our goal is to help you achieve compliance in as pragmatic a way as possible.
Although there is one Standard, PCI DSS covers a number of different business models. Every business or organisation has its own mission and requires solutions that meet the needs of that business whilst achieving compliance with the Standard. The overriding concern behind PCI DSS is to protect cardholder data and, as discussed at many PCI SSC European Community Meetings, an organisation that genuinely secures its card data will find that it meets the requirements of the Standard as a result. The reverse does not hold: an organisation that adopts a checklist approach to the Standard will not necessarily secure its cardholder data. URM's approach to assisting and assessing customers is therefore driven by ensuring cardholder data is secured, with compliance with PCI DSS following from that.
Our fundamental approach is to be as pragmatic as possible. We achieve this by using consultants who have relevant industry experience and understand the way organisations work. Our consultants have both consultancy/advisory and operational experience, so they understand the challenges of day-to-day implementation of the Standard. Compliance is about people, processes and technologies, and our consultants understand all three; where necessary, we will work with you on a compliance programme to ensure you are fully prepared and supported. It is vital to us that you understand your PCI obligations, your current compliance position and the options for review and change, and that we provide support and expertise in a flexible manner as and when needed.
So why are we different? Our consultants are qualified, as you would expect: Qualified Security Assessors (QSAs) in PCI terminology. Most importantly, though, they are experienced security professionals who understand how businesses work. They understand that, whilst you do have to meet PCI DSS requirements, there are a number of ways of achieving this, and it is a case of finding the most appropriate solution for your organisation. One size does not fit all.
Our consultants care about what is right for you. They pride themselves on delivering solutions that enable you to continue to run your business or deliver your service whilst becoming compliant. They also want to make sure that you can maintain your compliance yourself, which they achieve through knowledge transfer: taking the time to make sure you understand what the Standard requires, why it requires it and how to maintain compliance.
Our overriding goal is to develop long-term, supportive partnerships. So whether you are starting on your PCI compliance journey, or you are already compliant and are looking for a QSA organisation that takes a different approach, talk to us.