The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that process, store or transmit cardholder data or those that can affect the security of cardholder data as it is processed, stored or transmitted.
Compliance with the PCI DSS must be assessed on an annual basis. Organisations handling large volumes of transactions (over 6 million per card brand for merchants and 300,000 for service providers) must have their compliance assessed by an independent Qualified Security Assessor Company (QSAC), such as URM, which completes a report on compliance (ROC). Organisations handling smaller volumes have the option of demonstrating compliance via a self-assessment questionnaire (SAQ)
URM can assist you by providing the following consultancy and assessment services:
Penetration Testing and Vulnerability Scanning
Key requirements of the PCI DSS include the need to undertake both vulnerability scanning and penetration testing in order to assess the network infrastructure and applications. The PCI DSS requires organisations to conduct a vulnerability scan of all external IPs and domains in scope at least once every 90 days. URM can conduct the required 2 vulnerability scans, one external to your network and one within your network, behind your various perimeter security devices. As a CREST-accredited organisation, URM can also conduct penetration tests, where our Team of testers will not only analyse your network environment and identify potential vulnerabilities, but try to exploit those vulnerabilities. Under PCI DSS Requirement 11.3, (applicable to ROCs, SAQ C and SAQ D), URM can conduct internal and external penetration testing of both the network and application layers of the CDE, as well as any required segmentation testing. For more information on our penetration testing capabilities, follow the link below.
As a PCI QSAC organisation, URM is ideally placed to offer advice and guidance on meeting the requirements of the PCI DSS in the most cost-effective manner. URM’s scoping service involves helping your organisation define the most appropriate assessment scope and provide the basis to analyse the applicability and necessity of each PCI DSS control requirement. URM can help identify opportunities to reduce and streamline the scope of the assessment, which in turn reduces the time and cost of the audit.
PCI DSS Gap Analysis
If you are looking to assess and measure your current cardholder processing activities and practices against the Standard, URM can assist by delivering a PCI DSS gap analysis. This is often the first step in any PCI DSS project and provides a roadmap for PCI compliance. This PCI DSS service typically involves one of URM’s Qualified Security Assessors (QSAs) spending time on site with the key individuals responsible for the PCI DSS programme, e.g., those involved in network administration and cardholder systems, as well as those involved in developing policies and processes/procedures.
Implementation & Remediation
Having conducted a gap analysis and determined the most applicable assessment scope, URM’s QSA can assist with any PCI implementation or remediation activities to ensure you achieve and maintain compliance in the most practical and effective manner. URM’s individual QSAs are all vendor agnostic and come with a wide range of technical and information security (e.g., ISO 27001) skills and experience which have been gained in industry, not in the classroom, and are well placed to understand the impact that the implementation of PCI DSS is likely to have on your organisation.
And once you are ready for assessment, URM’s Team of PCI QSAs is able to offer you a range of PCI DSS assessment services, including:
- QSA-led PCI Report on Compliance (ROC). When all PCI DSS control gaps have been identified, and remediation activities have been completed, a QSA assessment is required in order to establish that a Level 1 merchant or service provider fully meets all of the control objectives of the PCI DSS. URM is able to deliver a full PCI QSA-led audit. After testing your controls and reviewing documentation of your findings, URM’s Team of QSAs will develop a summary of findings, culminating in a ROC which verifies your organisation’s compliance. Our Team will also provide a completed Attestation of Compliance (AoC) form and allow for the required paperwork to be submitted to the party requesting compliance from your organisation.
- QSA Supported SAQs. This service involves URM’s QSA working with your organisation to deliver a full QSA-led SAQ against any currently valid version of the Standard and provide a completed AOC form for you to submit. It is widely acknowledged that an SAQ, countersigned by a QSA, greatly adds to the credibility of the self-assessment.
- Supporting SAQs - Here, URM’s QSA can support your organisation conduct its own SAQ by offering advice and consultancy. This service differs from the ‘QSA supported SAQ’ service, described above, in that typically the QSA will not be involved in actively gathering and reviewing any evidence. The QSA will be simply advising you on the level of evidence you would need to obtain. As a result, they would not be in a position to sign off the SAQ.
- Pre-audit Readiness Assessment – URM’s QSAs are able to work with your organisation to conduct a readiness assessment of your in-scope environment against any currently valid version of the PCI DSS and identify any issues that would affect compliance being achieved. This provides you with the opportunity to remediate any issues before the formal evidence stage and provides staff with the experience of undertaking a PCI DSS assessment.
Track record and experience
URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations in gaining PCI DSS compliance. Our consultants have worked with hundreds of different companies across a wide range of industries, including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes ranging from self-employed individuals to multi-national corporations. So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.
All of URMs QSAs pride themselves on their pragmatic approach to both compliance and assessments and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.
Preparing For a PCI DSS v4.0 Assessment
URM is sharing its experiences on how the changes to the PCI DSS v4 affect the assessment process and how organisations can best prepare for the differences.
There’s no getting away from the fact that preparing for a PCI DSS ROC can be a bit of a trial....
We address a number of key questions: What are the Main Contents? What Led to it Being Published? And others.
After several years wait, and to surprisingly little fanfare, the PCI SSC released the new version of the PCI Data Security Standard (DSS).