Governance, Risk Management and Compliance
|
Information Security
|
PCI DSS 
BLOGS

PCI DSS Reduction and Assessment

|
|
PUBLISHED on
05
August
2022
Table of contents

Scope and Applicability Definition

The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”

It is essential that your organisation is able to conduct this process as accurately as possible and an incorrect assessment can lead to security controls being applied above and beyond what is necessary or security controls not being applied to systems that should be in scope of the standard.

URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.

SAQ Selection

In order to assist merchants and service providers validate compliance with the PCI DSS, the PCI SSC has developed and made available a number of self-assessment questionnaires (SAQs), each of which are applicable to a specific payment scenario.

The 9 SAQs are aimed at those qualifying merchants and service providers that are not required to undergo an on-site data security assessment nor submit a report on compliance (ROC).

Choosing the right SAQ is critical, as incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches. The time and effort involved in completing the different SAQs can also vary considerably.

URM’s consultants can assist in advising which SAQ is most applicable to your organisation

They can also provide invaluable assistance in assessing whether there may be opportunity to reduce the scope of your cardholder data environment, resulting in you having to complete a less onerous SAQ.

Scope Reduction

The best and most cost-effective approach to achieving compliance with the PCI DSS is to reduce the scope of your cardholder data environment.

By limiting where card information is held and processed within your organisation, it is possible to both reduce the likelihood of a payment card breach occurring, and also to significantly reduce the costs and efforts of maintaining and validating your compliance programme.

URM’s consultants can advise you on how your PCI DSS scope can be reduced using a variety of techniques and will explain the benefits and drawbacks of the different options available to your unique environment and situation.

All of URM’s proposed scope reductions are totally vendor agnostic and do not involve any specific vendor solutions or technologies.

For organisations that require additional guidance, URM can provide unbiased remediation and solutions advice that leverage existing technology investments.

Read more
Read more

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Recent blogs
ISO 27001:2022 Annex A Physical Controls
Sharing Personal Data With the Police
PCI SSC Announces Changes to the SAQ A
Are you Processing Special Category Personal Data Without Knowing It?
Apple Removes Advanced Data Protection Tool from UK
How URM can help?
Consultancy
All you need to meet SOC 2 requirements

If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.

Read more
Consultancy
Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification

Read more
Consultancy
ISO 27002:2022 Support

URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.

Read more
URM’s consultants have assisted over 400 organisations achieve and maintain certification to ISO 27001.
Find out more
related BLog posts
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Service Provider Levels

In this blog, we turn our attention to service providers. The PCI Security Standards Council defines a service provider....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
11/4/2024
PCI DSS v4.0: Network Security Controls

URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
How can URM help you to achieve PCI compliance and what is our approach?

In our previous blog, we looked at where your PCI compliance journey starts. The first step is understanding the flow of your payment card data....

Read more
"
Leanr more about
URM Services
We are delighted to partner with URM Consulting on a wide range of information and cyber security projects and service solutions. Working with URM Consulting has proved to be extremely successful, with them consulting / advising clients and then utilising our SMART Services. These are specifically aimed at supporting organisations to achieve Detection, Compliance & Response (DCR) to support Digital Transformation outcomes. In addition, we have achieved Cyber Essentials certification with URM and are now partnering on ISO 27001 and Cyber Essentials Plus projects. We have been impressed by the breadth of URM’s governance, risk, compliance and technical expertise along with their holistic, pragmatic and tailored advice.
C-STEM
Specialised Managed Service Partner
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.