PCI Audit
Issues
When customers offer a payment card at the point of sale, over the Internet, on the phone, etc., they naturally want a high level of confidence that their account information is safe. In addition, the impact on a business of a breach of payment card data can be considerable, through negative publicity and the resulting loss of goodwill and revenue.
To address this, the major payment card brands founded the Payment Card Industry (PCI) Security Standards Council. This organisation is tasked with managing the evolution of the PCI Data Security Standard (DSS); compliance with the standard is enforced by the individual card brands, typically through their acquiring banks.
PCI DSS is a multifaceted security standard, requiring organisations to address topics such as security management, policies, procedures, network architecture, software design and other critical protective measures. Non-compliance with this standard can attract heavy fines from the card brands or even withdrawal of the payment card facility altogether.
For many organisations this means re-focusing their information security processes, not only in IT but across the wider business. The main issue for many organisations is the sensible, pragmatic interpretation and application of the standard. This requires expertise and additional experienced resources in the early, critical stages of planning and preparing for compliance.
Approach
commissum will work collaboratively with you to provide a complete and proven project management, testing and validation service to help you position yourself to achieve PCI DSS compliance. The complete service combines on-site support and reviews with a remote PCI DSS compliance validation service which includes PCI self-assessment questionnaires and regular network scans. commissum will ensure that PCI QSA (PCI Qualified Security Assessor) input is applied at optimum points while still maintaining appropriate separation and independence between your QSA auditor and the advisory and implementation consultants.
Our typical five-step approach, tailored to each client's specific requirements, is as follows:
- Initiation – a customer awareness workshop, high-level review against the PCI DSS and action plan
- Preparation – review of remediation actions, self-assessment questionnaire and monthly vulnerability scanning
- Gap analysis – PCI DSS gap analysis and roadmap for compliance with appropriate QSA input
- Remediation – remedial actions, penetration testing, evidence for compliance readiness, documentary evidence collation
- Audit – report on compliance, identified corrective actions, report submission to card issuing organisation
Following achievement of compliance, support can continue, ensuring that adherence to the best practice of the standard is maintained. This support service is tailored for each client, ranging from a turnkey security management function to on-call advisory and review support.
Customer Benefits
Clients benefit from a turnkey service that leverages our experience and proven track record in information security and our intimate knowledge of the PCI DSS, combined with appropriately independent QSA input. Our structured and controlled approach to PCI DSS compliance incorporates appropriate liaison and feedback with independent assessors. This relationship gives you a high level of confidence in eventual successful independent validation: the ideal "one-stop" collaborative partnership with the focused aim of our client becoming PCI DSS compliant.
The benefits to you from our approach include:
- Experienced project management support with regular reporting
- Awareness workshops for senior stakeholders to facilitate buy-in
- Specific guidance from PCI SSC-approved QSA consultants on readiness for audit
- Readiness assessment, planning & remediation support
- Detailed penetration testing as part of the PCI audit
- PCI DSS compliance audit with remediation plan
- PCI DSS process workshops to locate vulnerabilities in business processes
- Ongoing support, to maintain compliance level achieved
Get in touch with one of our security consultants today
- No obligation
- Expert advice
- Tailored solutions
"We engaged with commissum for the first time this year and found them highly professional and a pleasure to do business with. We were particularly pleased with the report provided which was of excellent quality, with an appropriate level of detail and clarity in its recommendations. I would happily refer others to commissum."
Mr Billy K, IT Director, National Law Firm