Background to PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined and governed by the Payment Card Industry Security Standards Council (PCI SSC). The Standard was developed to assist organisations which process, store or transmit card payments to protect payment card data by providing an actionable framework for developing a robust payment card data security process. This process covers the prevention and detection of, and the appropriate response to, security incidents. Version 2.0 of the Standard was released on October 28, 2010, providing greater clarity and flexibility to facilitate improved understanding, particularly for merchants. The PCI DSS applies to all organisations which hold, process, or exchange payment card information from any card bearing the logo of one of the card brands.
Role of QSAs
Validation of compliance is performed either internally or externally, depending on the volume of card transactions the organisation processes. Compliance must be assessed on an annual basis. Organisations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA). Companies handling smaller volumes have the option of demonstrating compliance via a Self-Assessment Questionnaire (SAQ). Many of these organisations seek the support of a QSA in completing their SAQ. Organisations completing SAQs need to be aware that they must verify they have understood all requirements of the PCI DSS, not just those relating to the SAQ.
URM as a QSA
As a registered Qualified Security Assessor (QSA) Company, URM is qualified to assess and audit all Merchants and Service Providers. Through its team of QSAs, URM has a proven track record in conducting both technical and process auditing. URM's services include a pre-audit gap analysis, support in any identified remediation, audit scoping, as well as conducting the formal PCI DSS audit. URM dedicates two entirely separate teams to the pre-audit services (gap analysis and remediation activities) and the audit services (scoping and assessment).
Following URM's PCI QSA audit, URM's assessors provide a comprehensive report that identifies the compliance status of the audited network, based on PCI compliance guidelines. URM can evaluate compensating controls and ensure they meet the intent of the PCI DSS.
