PCI DSS Compliance

What Is PCI Compliance?
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry.

Our PCI QSA specialists provide clear guidance and advice on all aspects of the standard. We work with you to plan, implement and comply with each step of the process.

Understanding PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process or transmit payment card data and was created in an effort to combat fraud. Compliance with the PCI DSS is mandated by Visa, Mastercard, American Express, Discover Card, and JCB. The PCI DSS is enforced by the card brands, who directly manage the compliance of their Service Provider and Issuing community and, via their Acquirers, the compliance of all Merchants who wish to utilise branded payment cards in their daily business activities.

KEY TAKEAWAYS

  • Companies that follow and achieve the Payment Card Industry Data Security Standards (PCI DSS) are considered to be PCI compliant.
  • The PCI Security Standards Council is responsible for developing the PCI DSS.
  • PCI DSS has 12 key requirements, 78 base requirements, and 400 test procedures to ensure that organizations are PCI compliant.
  • Being PCI compliant reduces data breaches, protects the data of cardholders, avoids fines, and improves brand reputation.
  • PCI compliance is not required by law but is considered mandatory through court precedent.

Your organisation may be required to achieve and maintain PCI DSS compliance as a Merchant and/or as a Service Provider, if your business delivers services to or acts on behalf of other merchants and service providers.

Our Approach

At 1 Cyber Valley, we are a PCI Qualified Security Assessor Company (QSAC) with extensive experience in delivering pragmatic, business-focused PCI DSS consultancy across many merchant and service provider industries and sectors. We are able to work with organisations of all types and sizes to deliver a variety of services that will ensure your PCI DSS compliance is achieved and can be sustained.

Scoping and Gap Analysis

We take a deep dive into your organisation to help determine the most applicable requirements within your specific business context.

Remediation and Implementation Services

We work with you to provide guidance and support to address the improvements required to achieve compliance.

Policies and Procedures

We provide a thorough review of each one of your policies and procedures to validate your compliance requirements.

Auditing and Reporting

We validate your organisation’s compliance status and deliver an attestation of compliance.

PCI DSS Audits Simplified

PCI DSS Audits can be broken down into 5 steps:

Before you work with a QSA or even sign a contract, our QSA team will be engaged to figure out what it is that you need and make sure that services are quoted appropriately.

Next, you’re going to get an initial gap assessment. That’s where we make sure that you’re ready for an assessment. This piece is done personally by a QSA, who serves as a gatekeeper to make sure that a business is ready to start an audit. Especially in cases where a business has previously been ticking off the Self-Assessment Questionnaire (SAQ) boxes, it’s important to make sure the client fully understands what is required to be ready.

The pre-engagement and pre-onsite phases prepare for the actual on-site phase, which is where we validate and document what we gathered during the pre-onsite work. We will verify that you’re doing what you need to do to be compliant. If there are things that need to be addressed, we give remediation steps so that you can get your Report on Compliance (ROC). Your QSA will work with you every step of the way to make sure you understand what’s required to become compliant.

During the post-on-site phase, we work with you to figure out what remediation has to be done, if any, and get the ROC ready to be signed.

The final step of the PCI Audit process is continued support. This is an important step, and one in which multi-year customers are able to reach out to their QSA when they have concerns about their environment or if their environment changes. We help them figure out what they need to do to maintain compliance and avoid getting into situations that would cause a much higher compliance burden.

PCI DSS Self-Assessment Services Assisted SAQ

The current PCI DSS standard includes more than 300 control requirements over 12 higher level requirement sections. Depending on the number of annual transactions a merchant or service provider processes in a given year, the merchant or service provider is assigned to a Tier level. For the highest volume tier (Tier 1), those companies are required to perform a full Report on Compliance assessment.

The other tiers are required to complete a self-assessment questionnaire (SAQ). For the clients that can perform a self-assessment questionnaire, the process should be the same as a Report on Compliance in terms of control evaluation and documentation, except that SAQ clients are allowed to self-evaluate and complete their own required questionnaire.

1 Cyber Valley has QSAs who have been performing PCI assessments for many years across multiple industries. Once our 1 Cyber Valley QSA is brought in, the QSA will start the assessment by working with your team to gather evidence before the onsite days. The QSA will spend time reviewing this evidence pre-onsite to ensure the QSA has a strong understanding of your environment, business processes and in-place controls.

PCI DSS Formal Assessment of Compliance

The Formal Assessment of Compliance is the final stage of verifying an organisation’s compliance with the PCI DSS and (if successfully completed to evidence full compliance) produces the documentation required for the organisation to validate compliance with their acquirer(s) and/or the card schemes.

This is primarily an on-site activity completed by a Qualified Security Assessor (QSA) against the requirements of PCI DSS v3.2.1 and to the testing procedures specified in the ROC Reporting Instructions for PCI DSS v3.2.1.

On completion of a successful assessment, 1 Cyber Valley will provide full documentation of the assessment in the Report on Compliance (ROC). The Lead Assessor will ensure the correct completion of the Attestation of Compliance (AOC) asserting PCI DSS compliance.

As a confirmation of PCI DSS compliance, 1 Cyber Valley will award your organisation with an official 1 Cyber Valley Attestation of Compliance.