What is PCI DSS? A Guide on How to Comply

In order to protect against increasingly sophisticated cyber threats, it is essential that organisations implement measures to help secure the information they process, including customers’ and other stakeholders’ payment card information.  The Payment Card Industry Data Security Standard (PCI DSS) is a set of controls that must be applied to security policies, technologies, and ongoing processes to protect payment systems from breaches and cardholder data from being compromised or stolen.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard designed to ensure that all organisations that process, store or transmit cardholder data maintain a secure environment.  It aims to protect cardholder data from fraud and security breaches as it is processed, stored and transmitted.

How do I know if I need to comply with PCI DSS and how do I comply?

If you are an organisation which handles large volumes of transactions, your compliance must be assessed by an independent Qualified Security Assessor Company (QSAC).  PCI DSS compliance must be assessed on an annual basis. Organisations handling smaller volumes can demonstrate compliance via a self-assessment questionnaire (SAQ).

Ensure your organisation is PCI DSS compliant with URM’s consultancy and assessment services

Penetration Testing & Vulnerability Scanning

Penetration testing is the authorised simulation of a cyber attack on an organisation to establish the effectiveness of its defences, and how much damage a malicious actor could inflict. Vulnerability scanning is a (usually automated) assessment of a system or network, also conducted to identify vulnerabilities in an organisation’s environment.

Regular pen testing and vulnerability scanning are both requirements for PCI DSS compliance. They allow you to proactively identify weaknesses in your card data environment (CDE) and its defences before they are maliciously exploited.  As an Approved Scanning Vendor (ASV) by the Payment Card Industry Security Standards Council (PCI SSC) and a CREST-accredited organisation, URM is ideally placed to help you meet the PCI DSS scanning and pen testing requirements.

Scope Reduction

The PCI SSC defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”

URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.

Gap Analysis

A PCI DSS gap analysis is an assessment of your current cardholder processing activities against the requirements of the Standard, in order to establish where there are ‘gaps’ in your compliance.

Often the first step in any PCI DSS compliance project, the outputs of URM’s gap analysis will inform any remedial work required, and provide a clear roadmap to compliance with and certification against the Standard.

PCI DSS Implementation and Remediation

Once the most appropriate assessment scope has been identified and a gap analysis conducted, URM’s Qualified Security Assessor (QSA) can guide and support any implementation and remediation activities necessary to enable you to achieve and maintain compliance. Our PCI DSS consultants will help you meet the requirements of the Standard effectively and pragmatically, always remaining aware of your organisation’s unique needs.

Assessment and Auditing

URM’s PCI DSS audit services include:

• QSA-led PCI Report on Compliance (ROC)
• QSA Supported SAQs
• Supporting SAQs
• Pre-audit Readiness Assessment