PCI (PCI DSS) Consultancy Services
The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for those handling smaller volumes.
Whether your organisation is a merchant or a service provider, our QSAs and PCI DSS experts can help you to improve your cyber security resilience and comply with the contractual requirements of the PCI DSS in the shortest time frame and for the minimum cost.
The PCI Security Standards Council (PCI SSC) has released version 3 of both the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Published on 7 November 2013, this marks the end of one lifecycle and the start of the next three-year cycle for the standard. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.
Organisations are given a 14-month grace period, which means that they have 14 months to transition from version 2 to version 3 before PCI DSS v3.0 becomes mandatory in 2015. As an approved QSA company, IT Governance is ideally positioned to help organisations comply with both versions and help them transition to v3.0 in due course.
IT Governance provides PCI QSA audit services, PCI DSS ASV scanning service and various PCI DSS consultancy support services for both Merchants and Service Providers, defined under the Standard as:
Merchant: any entity that accepts payment cards (Visa, MasterCard, American Express, Discover or JCB) as payment for goods and/or services.
Service provider: a business entity (not a card brand or merchant) directly involved in the processing, storage, transmission and switching of transaction or cardholder data (e.g. a payment processor), or an entity which provides services to merchants (e.g. managed service providers, hosting providers).
We can offer you a choice of either certified QSA auditing services or visits from our dedicated PCI DSS consultants, who have a wealth of project experience. So, for example, if your organisation’s security arrangements do not require assessment by a certified QSA, you can still benefit by taking advice on PCI DSS compliance from expert consultants without paying for the time of a qualified assessor. On the other hand, if you need a certified QSA to undertake PCI QSA Audits, we can supply you with these services, or a combination of the two approaches, at a price that suits your objectives.
For more information call us on +44 (0)845 070 1750
or email email@example.com
As a certified QSA company, we offer PCI compliance audits led by our QSA. We have a team of supporting consultants who are experts on PCI DSS issues, including scoping and gap analysis. Merchants and Service Providers for whom the use of a certified QSA is mandatory can use the services of IT Governance.
IT Governance has experts in the PCI DSS field who can provide organisations with flexible and tailored PCI DSS consultancy services to meet the requirements of your compliance process.
The path to PCI DSS compliance can be somewhat daunting to those who have little or no knowledge of the PCI DSS. IT Governance consultants can produce a structured framework, agreed from the outset with your organisation, which ensures effective use of in-house resources as well as expenditure control.
Drawing on our established PCI QSA expertise, IT Governance can provide PCI DSS specialist advice from the outset, ensuring that your organisation fully understands the business benefits of PCI DSS compliance and the possible ramifications of non-compliance. Through years of professional experience in best practice IT Management, IT Governance has the skills to effectively steer organisations towards successful compliance.
Due to an increasing number of payment card breaches within both the Merchant and Service Provider industries, organisations are now receiving increased pressure from acquirers and card brands to become PCI DSS compliant. IT Governance is ideally positioned to provide assistance in the compliance process, relieving pressure, whilst enabling organisations to continue sustained business operations effectively.
We offer specially developed PCI DSS consultancy support for Smaller Businesses.
Before commencing the PCI DSS process, it is worth noting that in addition to its PCI DSS expertise, IT Governance has an extensive history of ISO/IEC 27001 implementation. Mapping ISO 27001 to PCI DSS should be given serious consideration at an early stage.
Stages of the PCI DSS Consultancy Project
IT Governance divides the PCI DSS compliance project into the following stages:
PCI DSS Scoping
We will identify where cardholder data is stored, processed or transmitted within your environment (mapping out your cardholder data flows). This process will identify your Cardholder Data Environment (CDE), your ‘scope’ for PCI DSS compliance. At this early stage we can work with you to reduce the scope, ultimately resulting in reduced resources and expenditure.
Evaluate your current business processes. IT Governance can evaluate and suggest alternative processes for your business to reduce resources and expenditure during the compliance process. For example, all too often organisations are storing cardholder data for convenience, not for business purposes. A consultant may, if business practices permit, advise against storing cardholder data, therefore immediately eliminating ‘Requirement 3 – Protect Stored Cardholder Data’ of the standard.
PCI DSS Gap Analysis
The Gap Analysis stage looks at where your organisation currently stands compared to where it needs to be in order to meet the full requirements of the Standard. The card brands (Visa, MasterCard etc.) state that Merchants and Service Providers must be compliant with the Standard as a whole.
An organisation may choose to undertake a Gap Analysis internally, or instruct an expert on the subject to work through the applicable requirements of the PCI DSS Standard. Gap Analysis will result in a list of recommendations to rectify non-compliant requirements which, once resolved, will enable an organisation to be confident that it is fully prepared for the validation stage.
Following the Gap Analysis stage, IT Governance can assist in the design and implementation of an internal PCI DSS project team within your organisation which will ultimately be responsible for undertaking the remediation work to achieve compliance. This will save the costs of instructing an outsourced remediation source. Of course, IT Governance can be on hand to attend regular checkpoint meetings to ensure that the project remains focused and on track. We can also provide support with the creation of the relevant documentation required for compliance (i.e. policies and procedures).
Service Level Agreements (SLAs) with Service Providers
All Merchants must ensure that their Service Providers are PCI DSS compliant, or are at least working towards compliance. Merchants are frequently becoming subject to breach investigations because of the inadequacies of their Service Providers (e.g. web hosting companies), whose failure to comply with the PCI DSS requirements places the Merchant in a vulnerable position, open to fraudulent activity. IT Governance will ensure your organisation fully understands both your own and your Service Providers’ responsibilities, so that risks are reduced and managed in order to decrease the possibility of a breach.
Validation: Self-Assessment Questionnaire
Merchants (Levels 2, 3 and 4) and Service Providers (Level 3) must self-evaluate their compliance with the PCI DSS by completing a Self-Assessment Questionnaire. All too often Merchants and Service Providers do not fully understand the intent of the PCI DSS requirements, leading to an inaccurate SAQ result. IT Governance PCI DSS experts fully understand each requirement, enabling a comprehensive yet swift completion of the SAQ.
IT Governance’s experienced PCI DSS trainers can tailor courses to your specific requirements. We can deliver bespoke training for absolute beginners to the standard, as well as more in-depth group training, where we evaluate all your individual requirements and ascertain how you can implement measures in your specific environment to become compliant.
IT Governance also offers public courses on PCI DSS compliance that examine the drivers and need for adoption of the standard, and how best to go about achieving compliance to serve both the requirements of the PCI DSS standard and your business objectives.
IT Governance is a specialist publisher, training provider and one-stop-shop for PCI compliance. We have a comprehensive range of unique products available to help organisations with their PCI Compliance programmes:
Whatever your PCI DSS Consultancy support requirements, we are just a phone call away.
Email us, asking for PCI QSA audit services, PCI DSS Training or PCI DSS Consultancy support, or telephone: +44 (0)845 070 1750.