PCI DSS Consultancy Services
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the founding payment brands of the PCI Security Standards Council (SSC): MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB International.
The PCI DSS Standard is mandated by the card brands and administered by the Council.
The Standard was created to strengthen controls around cardholder data, so that organisations apply consistent, effective and reliable security measures and are held accountable for them, with the aim of reducing payment card fraud. The latest version of the Standard is v4.0, released on 31 March 2022.
Which Organisations Does PCI DSS Apply To?
The PCI DSS applies to all organisations that process, store or transmit cardholder data or those that can affect the security of cardholder data as it is processed, stored or transmitted.
The Standard also applies to organisations that have totally outsourced payment card handling, as they are still responsible for ensuring their third parties are PCI DSS compliant.
Such organisations need to monitor the compliance status of those third parties at least once every 12 months, as part of their supplier due diligence, to ensure cardholder data remains protected.
Achieving PCI DSS Compliance
Validation of compliance is performed annually. Organisations handling larger volumes of transactions are assessed by an external Qualified Security Assessor Company (QSAC), such as URM, which (as part of its PCI consulting services) completes a Report on Compliance (ROC); organisations handling smaller volumes validate through a Self-Assessment Questionnaire (SAQ). It is worth noting that, as PCI DSS version 4 is rolled out, SAQs are expected to be replaced with merchant assessment forms (MAFs); according to the PCI SSC, these forms will be released a few months after the initial release of version 4 (31 March 2022).
Failure to comply with the Standard can lead to financial penalties, loss of reputation and customer confidence, and possible litigation.
In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties.
The PCI DSS specifies 12 requirements which together provide the framework for a secure payments environment. The requirements cover security management, policies, procedures, network architecture, software design and other critical protective measures, and each is broken down into detailed sub-requirements with defined testing procedures.
With the version 4 release on 31 March 2022, the PCI SSC introduced approximately 40 modifications across the main requirements, including expanded multi-factor authentication, anti-phishing controls, targeted risk analyses, and an automated technical solution such as a web application firewall (WAF) for public-facing web applications. Probably the greatest change, however, was the introduction of the ‘Customized Approach’, under which an organisation can meet the stated objective of a requirement with a control that it designs and implements itself, provided it documents and validates that the control meets that objective. For more information see PCI DSS v4.0 changes at a glance.
It is essential that organisations can collect and provide appropriate evidence of controls operating continuously, as the Standard expects continuous security as part of ‘business as usual’ and not just at the time of the audit.
A common failing URM sees when delivering its PCI compliance services is organisations not continuously monitoring and reviewing their information security controls between assessments.
How URM Can Help
URM can assist you by providing the following PCI compliance services:
1 - Scope Reduction
As a PCI QSAC organisation, URM is ideally placed to offer advice and guidance on meeting the requirements of the PCI DSS in the most cost-effective manner.
Scoping is one of a number of URM’s PCI services. It involves helping you define the most appropriate assessment scope and provides the basis for analysing the applicability and necessity of each PCI DSS control requirement. URM can help you identify opportunities to reduce and streamline the scope of the assessment, which in turn reduces the time and cost of the audit.
A gap analysis is often the first step in any PCI DSS project and provides a roadmap for PCI compliance.
This PCI DSS service will typically involve one of URM’s PCI DSS consultants spending time on site with the key individuals responsible for the PCI DSS programme, e.g., those involved in network administration and cardholder systems, as well as those involved in developing policies and processes/procedures.
Naturally, the ideal scenario for any organisation in ensuring its PCI DSS compliance is to reduce the scope of the PCI DSS programme.
By limiting the areas where card data is processed, stored or transmitted, you reduce the number of systems an attacker could target, and therefore the likelihood of a breach, as well as substantially easing the burden of compliance.
URM’s PCI consultants are adept at advising on assessment scope reduction, using a variety of techniques to suit your specific environment.
4 - Implementation & Remediation
Once you have determined the most applicable assessment scope, URM’s PCI consultants can assist with:
URM’s individual QSAs are all vendor agnostic and bring a wide range of technical and information security skills and experience (e.g., ISO 27001), gained in industry rather than in the classroom. They are therefore well placed to understand the impact that implementing the PCI DSS is likely to have on your business.
URM’s PCI DSS consultants can provide invaluable assistance in determining which SAQ or MAF is most applicable and reducing the scope of your cardholder data environment.
5 - Assessment - Auditing
Once you are ready for assessment, URM’s team of PCI QSAs can offer a range of PCI DSS assessment services, including support in completing a SAQ, a pre-audit gap analysis or a full QSA-led PCI DSS ROC assessment.
Our PCI DSS Services Include:
- QSA-led audits (PCI DSS ROC)
- Support of SAQs/MAFs
- Pre-audit readiness assessment
What People Say About Us
“URM's advice around de-scoping elements of the cardholder data environment and the adoption of isolated, virtual terminals was invaluable.”
URM’s PCI DSS Compliance Services Help Reduce Confusion
URM has found that there is significant confusion regarding PCI DSS, e.g., determining status (merchant or service provider), how to validate compliance (through QSA-led ROCs or SAQs/MAFs), how to reduce the burden of compliance and what exactly is expected in terms of implementation.
Want to Learn More?
If you are new to PCI DSS and are looking to gain more awareness of the requirements of the Standard, URM delivers a range of webinars which provide real-world insights on pitfalls to avoid and top tips for ensuring PCI DSS compliance.
The content of the webinars is based on the cumulative, real-world experience of URM QSAs and consultants who have worked in PCI compliant organisations and now form a key part of our PCI DSS services. If you are interested in how the PCI DSS evolved to version 4 and the key changes that came with the new version, please visit PCI DSS v4.0 changes at a glance.