What is the PCI DSS managed service?
Our PCI DSS (Payment Card Industry Data Security Standard) managed service, delivered by a team of qualified PCI DSS security consultants, provides an end-to-end service to meet all your PCI requirements under one contract.
We can provide advice, reduce the complexity of your project and lead your organisation’s journey to compliance. We can also help build measures into everyday business processes to ensure continual compliance with the Standard and ease the burden of annual QSA (Qualified Security Assessor) audits.
Under a single contract, IT Governance can:
- Provide a detailed review of your organisation’s cardholder data flows to reduce your scope and outline the most cost-effective approach to compliance;
- Manage, or support your team in, your PCI DSS remediation efforts, delivering a plan to reach full compliance;
- Assess your data security by applying real-world security testing of the controls you believe are in place and functioning effectively;
- Provide a thorough assessment of the controls you have implemented, establishing whether they meet the requirements of the Standard; and
- In the event of a data breach, provide guidance through investigation and remediation.
Is the PCI DSS managed service right for you?
- You require an annual QSA-driven pre-audit and/or audit to draw up a comprehensive RoC (Report on Compliance).
- You want an end-to-end PCI compliance service that offers a cost-effective route to compliance.
- You want practical advice on areas where payment card data can be removed from your payment and business processes.
- You need inexpensive and flexible compliance solutions that can help your organisation regardless of its size and budget.
- The implementation of your PCI project requires ongoing consultancy and support throughout the process.
- You want to create new services allowing you to offer payment processing and payment gateway services to a wider customer base.
Benefits of the PCI DSS managed service
Our multi-year contracts lock in prices, eliminating the uncertainty of price increases while helping you optimise your investment in PCI implementation.
- Return on investment: Save on your implementation costs by engaging in the full range of PCI consultancy services, from scope reduction to gap analysis and remediation to the final audit.
- Save time, effort and resources: Save time in negotiations and yearly preparation for the audit with a single contract.
- Safeguard against price volatility: Protect your annual PCI auditing and RoC service against any price fluctuations.
- Strategic partnerships: We can help you achieve an improved ongoing state of operations that will enable your organisation to better maintain compliance with the Standard.
- Continual improvement initiatives: Receive insight into changing environments and discover emerging threats and vulnerabilities.
Our engagement process
As part of the initial onboarding process, our consultants will conduct a review to establish priorities and requirements for discussion and agreement with you. On completion of the onboarding process, the scope and objectives of the PCI DSS managed service will be documented with an agreed effort. A typical engagement will involve:
- Scope reduction: Determine key areas where payment card data can be removed from your payment and business processes, and suggest appropriate solutions to help reduce the number of systems that are in scope.
- Gap analysis: Understand your compliance status, providing a detailed comparison of what your organisation is currently doing against what it should be doing to comply with the PCI DSS.
- Continual improvement: Develop a comprehensive plan for fixing vulnerabilities and eliminating the storage of cardholder data wherever it is not necessary, so that you fully comply with the relevant PCI DSS requirements.
- Regular testing: Conduct penetration tests that provide a crucial end-state check and that can also be used in the early stages of developing new processing systems to identify risks to cardholder data.
- Training courses: Enable you to understand what a PCI DSS-compliant programme is and how to implement one in your organisation.
- Policy creation: Document the processes and procedures your organisation has put in place that support the security of cardholder data.
- Annual audit: One of our QSAs will conduct the external audit and submit a RoC to your acquiring bank to prove compliance each year.
"IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing."
Damien Everard, COO of Appletree.