The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that process, store or transmit cardholder data or those that can affect the security of cardholder data as it is processed, stored or transmitted.

Compliance with the PCI DSS must be assessed on an annual basis.  Organisations handling large volumes of transactions (over 6 million per card brand for merchants and 300,000 for service providers) must have their compliance assessed by an independent Qualified Security Assessor Company (QSAC), such as URM, which completes a report on compliance (ROC).  Organisations handling smaller volumes have the option of demonstrating compliance via a self-assessment questionnaire (SAQ)

URM can assist you by providing the following consultancy and assessment services:

Penetration Testing and Vulnerability Scanning

Key requirements of the PCI DSS include the need to undertake both vulnerability scanning and penetration testing in order to assess the network infrastructure and applications.  The PCI DSS requires organisations to conduct a vulnerability scan of all external IPs and domains in scope at least once every 90 days.  URM can conduct the required 2 vulnerability scans, one external to your network and one within your network, behind your various perimeter security devices.   As a CREST-accredited organisation, URM can also conduct penetration tests, where our Team of testers will not only analyse your network environment and identify potential vulnerabilities, but try to exploit those vulnerabilities.  Under PCI DSS Requirement 11.3, (applicable to ROCs, SAQ C and SAQ D), URM can conduct internal and external penetration testing of both the network and application layers of the CDE, as well as any required segmentation testing.  For more information on our penetration testing capabilities, follow the link below.

More Information on Penetration Testing

Scope Reduction

As a PCI QSAC organisation, URM is ideally placed to offer advice and guidance on meeting the requirements of the PCI DSS in the most cost-effective manner.  URM’s scoping service involves helping your organisation define the most appropriate assessment scope and provide the basis to analyse the applicability and necessity of each PCI DSS control requirement.  URM can help identify opportunities to reduce and streamline the scope of the assessment, which in turn reduces the time and cost of the audit.

PCI DSS Gap Analysis

If you are looking to assess and measure your current cardholder processing activities and practices against the Standard, URM can assist by delivering a PCI DSS gap analysis.  This is often the first step in any PCI DSS project and provides a roadmap for PCI compliance.  This PCI DSS service typically involves one of URM’s Qualified Security Assessors (QSAs) spending time on site with the key individuals responsible for the PCI DSS programme, e.g., those involved in network administration and cardholder systems, as well as those involved in developing policies and processes/procedures.

Implementation & Remediation

Having conducted a gap analysis and determined the most applicable assessment scope, URM’s QSA can assist with any PCI implementation or remediation activities to ensure you achieve and maintain compliance in the most practical and effective manner.  URM’s individual QSAs are all vendor agnostic and come with a wide range of technical and information security (e.g., ISO 27001) skills and experience which have been gained in industry, not in the classroom, and are well placed to understand the impact that the implementation of PCI DSS is likely to have on your organisation.

Assessment/Auditing Services

And once you are ready for assessment, URM’s Team of PCI QSAs is able to offer you a range of PCI DSS assessment services, including:

  • QSA-led PCI Report on Compliance (ROC). When all PCI DSS control gaps have been identified, and remediation activities have been completed, a QSA assessment is required in order to establish that a Level 1 merchant or service provider fully meets all of the control objectives of the PCI DSS.  URM is able to deliver a full PCI QSA-led audit.  After testing your controls and reviewing documentation of your findings, URM’s Team of QSAs will develop a summary of findings, culminating in a ROC which verifies your organisation’s compliance.  Our Team will also provide a completed Attestation of Compliance (AoC) form and allow for the required paperwork to be submitted to the party requesting compliance from your organisation.
  • QSA Supported SAQs. This service involves URM’s QSA working with your organisation to deliver a full QSA-led SAQ against any currently valid version of the Standard and provide a completed AOC form for you to submit.  It is widely acknowledged that an SAQ, countersigned by a QSA, greatly adds to the credibility of the self-assessment.
  • Supporting SAQs - Here, URM’s QSA can support your organisation conduct its own SAQ by offering advice and consultancy. This service differs from the ‘QSA supported SAQ’ service, described above, in that typically the QSA will not be involved in actively gathering and reviewing any evidence. The QSA will be simply advising you on the level of evidence you would need to obtain.  As a result, they would not be in a position to sign off the SAQ.
  • Pre-audit Readiness Assessment – URM’s QSAs are able to work with your organisation to conduct a readiness assessment of your in-scope environment against any currently valid version of the PCI DSS and identify any issues that would affect compliance being achieved.  This provides you with the opportunity to remediate any issues before the formal evidence stage and provides staff with the experience of undertaking a PCI DSS assessment.

Why URM?


Track record and experience

URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance. Our consultants have worked with hundreds of different companies across a wide range of industries, including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations.  So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.

Pragmatic approach

All of URMs QSAs pride themselves on their pragmatic approach to both compliance and assessments and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.

PCI DSS FAQ

PCI DSS v4 – Changes at a Glance

Latest update:
2 Sep
2022

After several years wait, and to surprisingly little fanfare, the Payment Card Industry Security Standards Council (PCI SSC) released the new version of the PCI Data Security Standard (DSS) ...

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
24/8/2022
PCI SSC Remote Assessment Guidelines and Procedures

The PCI SCC has recently released a new remote assessment guidelines and procedures. Here we address a number of key questions: What are the Main Contents? What Led to it Being Published? And others.

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
9/8/2022
5 Ways to Reduce Your PCI DSS Scope

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability of the Standard. Even veterans of PCI DSS compliance...

Read more
Thumbnail of the Blog Illustration
Information Security
updateD:
9/8/2022
PCI DSS: Pros and Cons of Outsourcing

In this blog, we address one of the big questions facing organisations which accept payment cards and are looking to comply with the PCI DSS. Should we outsource the storing, processing and...

Read more
"
URM were super helpful and knowledgeable, talking and walking me through each one of the tests and providing some useful information on security and how to improve things in the future.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.