What Is The PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. The PCI DSS Standard is mandated by the card brands and administered by the Council. The Standard was created to increase controls around cardholder data to facilitate consistent, effective and reliable data security measures, as well as greater accountability across organisations, in order to reduce levels of fraud.
Which Organisations Does PCI DSS Apply To?
The PCI DSS applies to all organisations that process, store or transmit cardholder data or those that can affect the security of cardholder data as it is processed, stored or transmitted. The Standard also applies to organisations that have totally outsourced payment card handling, as they are still responsible for ensuring their third parties are PCI DSS compliant. Such organisations need to monitor third party compliance annually, as part of their supplier due diligence activities, in order to ensure cardholder data is fully protected.
Achieving Compliance With PCI DSS
Validation of compliance is performed annually, either by an external Qualified Security Assessor Company (QSAC), such as URM, which is able to complete a report on compliance (RoC) for organisations handling larger volumes of transactions, or by self-assessment questionnaire (SAQ) for organisations handling smaller volumes. Failure to comply to the Standard can lead to financial penalties, loss of reputation and customer confidence, and possible litigation. In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties.
The PCI DSS specifies 12 requirements for compliance which provide the framework for a secure payments environment. The requirements cover security management, policies, procedures, network architecture, software design and other critical protective measures. These are then broken down into detailed implementation controls. It is essential that organisations can collect and provide appropriate evidence of controls operating continuously, as the Standard expects continuous security as part of ‘business as usual’ and not just at the time of the audit. A common failing seen by URM is organisations not operating a robust information security management system (ISMS) to ensure that controls are maintained throughout the year with continuous monitoring and review.
How URM Can Help
1 - Scoping
As a PCI QSAC organisation, URM is ideally placed to offer advice and guidance on meeting the requirements of the Standard in the most cost-effective manner. Scoping is one area where URM can offer a range of services, including helping you define the most appropriate assessment scope and provide the basis to analyse the applicability and necessity of each PCI DSS control requirement.
2 - PCI DSS Gap Analysis
If you are looking to assess and measure your current cardholder processing activities and practices against the PCI DSS, URM can assist by delivering a PCI DSS gap analysis. A gap analysis is often the first step in any PCI DSS project and provides a roadmap for compliance. This service will typically involve one of URM’s PCI DSS specialist consultants spending time on site with the key individuals responsible for the PCI DSS programme, e.g. those involved in network administration and cardholder systems, as well as those involved in developing policies and processes/procedures.
3 - Determining Which SAQ is Applicable To You
Depending on the volumes of payment card data being transacted, validating compliance with PCI DSS can be achieved through completing a SAQ. The eligibility criteria for each SAQ is quite specific and incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches. URM’s consultants can provide invaluable assistance in determining which SAQ is most applicable and reducing the scope of your cardholder data environment.
Naturally, the ideal scenario for any organisation in complying with the PCI DSS is to reduce the scope of the PCI DSS programme. By limiting the areas where card data is processed, stored or transmitted, you can reduce the likelihood of a breach occurring, as well as substantially easing the burden of compliance. URM’s consultants are adept at advising on assessment scope reduction, using a variety of techniques to suit your specific environment.
4 - Implementation & Remediation
Once you have determined the most applicable assessment scope, URM’s consultants can assist with any PCI implementation or remediation activities to ensure you achieve and maintain compliance in the most practical and effective manner. Our methodology is consistent with the PCI SSC prioritised approach, which is used by payment brands and acquiring banks when reporting the status of remediation activities.
URM’s individual QSAs are all vendor agnostic and come with a wide range of technical and information security (e.g. ISO 27001) skills and experience which have been gained in industry, not in the classroom, and are well placed to understand the impact that the implementation of PCI DSS is likely to have on your business. As with its other consultancy services, URM’s PCI services also come with a 100% compliance guarantee.
5 - Assessment - Auditing
And once you are ready for assessment, URM’s Team of PCI QSAs is able to offer you a range of PCI DSS assessment services, including support in completing a SAQ, a pre-audit gap analysis or a full QSA-led assessment. Our services include:
- QSA led audits
- Support of SAQs
- Pre-audit readiness assessment
What People Say About Us
“URM's advice around de-scoping elements of the cardholder data environment and the adoption of isolated, virtual terminals was invaluable.”
Clarifying Confusion Regarding PCI DSS
URM has found that there is significant confusion regarding PCI DSS, e.g. defining status (merchants or service providers), how to validate compliance (through QSAs or self-assessment questionnaires (SAQs)), how to reduce the burden of compliance and what exactly is expected in terms of implementation.
Want to Learn More?
If you are new to PCI DSS and are looking to gain more awareness of the requirements of the Standard, URM, under its PCI Security Insights initiative, delivers a range of webinars which provide real-world insights on pitfalls to avoid and top tips for ensuring success with PCI DSS. The content of the webinars is based on the cumulative, real-world experiences of URM QSAs and consultants who have worked in PCI compliant organisations and have helped a wide range of organisations achieve compliance with the Standard.
If, however, you are looking to gain more detailed knowledge, URM can provide a one day PCI DSS training and awareness course, both as an open public course or closed on-site course.
As an added-value service to our customers, URM issues regular PCI newsletters, again under our PCI Security Insights initiative, which provide updates on developments around the protection of cardholder data, along with changes to the PCI DSS and any reported breaches. Hints and tips are also provided to ensure your ongoing compliance journey is made as easy as possible.