We tailor every compliance review to our clients’ needs; however, we follow a four-phase core process that normally meets those needs and produces an efficient, unobtrusive review that satisfies your Payment Card Industry (PCI) Data Security Standard (DSS) obligations with as little interruption as possible. Our approach lets you focus on your business while we focus on your compliance.
(Phase 1): Since the PCI Security Standards Council defines the requirements for compliance, scoping a PCI engagement requires understanding how your organization’s operations align with the DSS requirements. To successfully scope a PCI DSS compliance engagement, the following needs to be established:
- Understand your credit card data:
  - Assess what kind of data you maintain, where it resides, and how it is transmitted within your organization and to third parties.
  - Understand who has access to critical systems that handle credit card data.
- Evaluate vendors:
  - Third-party organizations that may have access to your credit card data.
  - Third-party organizations that are involved in your PCI compliance.
  - Potential new outsourcing opportunities to assist in PCI compliance (e.g., log monitoring, penetration testing / vulnerability scanning).
- Network segmentation (a properly segmented network can drastically reduce the scope of compliance work and save your company substantial compliance costs every year):
  - Evaluate current segmentation
  - Identify opportunities to segment credit card data
  - Develop a plan to implement segmentation
- Cardholder Data Environment (CDE):
  - At the end of Phase 1, you will have a clearly defined, detailed CDE.
(Phase 2): Planning for Fieldwork
- Perform walkthroughs of your organization’s policies and procedures and develop a gap listing of areas of non-compliance. We then work with management to develop new procedures, update current policies, and assist in managing remediation efforts. Deliverables from this phase are:
  - Gap analysis: an assessment of the CDE, policies, and procedures to determine the current state of compliance.
  - Remediation plan: detailed remediation plans outlining the identified deficiencies and the tasks, timelines, and/or technology required to address them.
  - Prioritized Approach document: completed at the end of Phase 2.
  - Business as Usual: we define, together with management, a Business as Usual program to help sustain compliance over time.
(Phase 3): Our auditors each have at least five years of experience with the Big 4, large firms, and smaller boutique firms that specialize in information technology assessment. As a result, we work efficiently and understand what each audit requires. Don’t worry: you don’t have to train our auditors; we are qualified at what we sell. Once management has completed its remediation, we perform final testing to ensure we have sufficient evidence for the Report on Compliance. This includes the following:
- Validation testing is performed for each PCI DSS requirement
- Results of testing are communicated to management
- Remediation log is delivered to management
- Remediation (if additional deficiencies are identified):
  - Implement new procedures, controls, or compensating controls to address areas of non-compliance
- Validation of remediation:
  - Retest areas that have been remediated
(Phase 4): Your audit report is ultimately what you pay us for; therefore, we make sure our reports are well written, well defined, and focused on giving your customers everything they need from a third-party assurance perspective. We take pride in delivering quality, timely reports and stand behind everything we issue.
- Merchants and Service Providers:
  - Report on Compliance (ROC) issued by our QSA
  - Attestation of Compliance (AOC) completed and issued by our QSA
Questions? Contact Ben Osbrach and he’d be glad to help.