PCI DSS Auditing

PCI DSS Assessment

Background to PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security Standard defined and governed by the Payment Card Industry Security Standards Council (PCI SSC). It was introduced to tackle the growing problem of card fraud.
The Standard assists organisations that process, store or transmit cardholder data to protect that data by providing an actionable framework for developing a robust payment card data security process. This process includes the prevention and detection of, and appropriate response to, security incidents. The PCI DSS applies to all organisations that hold, process or exchange payment card information from any card carrying the logo of one of the participating card brands, i.e. Visa, MasterCard, American Express, JCB and Discover.

Challenges Associated with Complying with PCI DSS

Compliance with PCI DSS must be assessed on an annual basis. Organisations handling large volumes of transactions (over 6 million transactions per year per card brand for merchants and over 300,000 per year for service providers) must have their compliance assessed by an independent Qualified Security Assessor (QSA), such as URM. Organisations handling smaller volumes than this may have the option of demonstrating compliance via a self-assessment questionnaire (SAQ), depending on the requirements of their acquirer or card brand.
URM has noted that there is a lot of confusion surrounding which SAQ needs to be completed. The eligibility criteria for each SAQ are quite specific, and an incorrect submission can invalidate your compliance and expose your organisation to a greater risk of payment card data breaches. URM's PCI DSS QSAs can provide invaluable assistance in determining which SAQ is most applicable to your organisation and in reducing the scope of your cardholder data environment.

URM’s QSA Services

As a registered Qualified Security Assessor Company (QSAC), URM is qualified to assess all merchants and service providers. Through our team of individual QSAs, we have a proven track record in conducting both technical and process based assessments. Our services include:

  • QSA led audits
  • Support of SAQs
  • Pre-audit readiness assessment

QSA led assessments

Once all PCI DSS control gaps have been identified and remediation activities have been completed, a QSA assessment is required for a Level 1 merchant or service provider to establish that it fully meets all of the control objectives of the PCI DSS.
URM's team of QSAs is able to deliver a full PCI DSS QSA-led audit and produce the required Report on Compliance (RoC) against the current version of the Standard. Our team will also provide a completed Attestation of Compliance (AoC) form, allowing the required paperwork to be submitted to the party requesting compliance from your organisation. Where URM prides itself is in fully preparing organisations for the assessment and making the process as pain-free as possible. See our Pre-audit Readiness Assessment below.

“I was very impressed by the responsiveness, expertise and pragmatic approach of URM.”

Phil Gebbett, Director, Century Mail

QSA Supported SAQs

This service involves URM's QSAs working with your organisation to deliver a full QSA-led SAQ against the current version of the Standard and provide a completed Attestation of Compliance (AoC) form for you to submit to the appropriate party. It is widely acknowledged that an SAQ counter-signed by a QSA greatly adds to the credibility of the self-assessment.

Supporting SAQs

Here, URM's PCI DSS specialists can support your organisation in conducting its own SAQ by offering advice and consultancy. This service differs from the 'QSA supported SAQ' service above in that our QSAs would not typically be involved in actively gathering and reviewing any evidence. They would simply advise you on the level of evidence you would need to obtain. As a result, they would not be in a position to sign off the SAQ.

Pre-audit Readiness Assessment

URM QSAs are able to work with your organisation to conduct a readiness assessment of your in-scope environment against the current version of the PCI DSS and identify any issues that would prevent compliance being achieved. In order to conduct the readiness assessment, all policies, procedures and working practices will be assessed against the requirements of the Standard. Configurations will be reviewed, logs will be assessed, and vulnerability information will be reviewed and considered. The whole process is similar to a formal PCI DSS assessment, but with less focus on evidence collection and validation.
This gives you the opportunity to remediate any issues before the formal evidence stage and gives your staff experience of undergoing a PCI DSS assessment, so that the formal audit can be completed successfully with minimal disruption to the organisation.