Compliance with PCI DSS must be assessed annually. Organisations handling large volumes of transactions (over 6 million per card brand for merchants and 300,000 for service providers) must have their compliance assessed by an independent Qualified Security Assessor (QSA), who completes a Report on Compliance (ROC).
Organisations handling smaller volumes have the option of demonstrating compliance via a Self-Assessment Questionnaire (SAQ).
The six principles of the Payment Card Industry Data Security Standard (PCI DSS) are:
- Build and maintain a secure network and systems
- Protect account data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
How can we help?
Based on your requirements we can provide the right support to help you achieve PCI DSS compliance, including:
PCI DSS Gap Analysis
If you are looking to assess and measure your current cardholder processing activities and practices against the Standard, we can assist by delivering a PCI DSS gap analysis.
This is often the first step in any PCI DSS project and provides a roadmap for PCI DSS certification. This service typically involves one of our Security Consultants spending time on site with the key individuals responsible for the PCI DSS programme, e.g. those involved in network administration and cardholder systems, as well as those who develop policies, processes and procedures.
Implementation Support
Having conducted a gap analysis and identified any areas where improvements are required, we can assist with any implementation or remediation activities to ensure you achieve and maintain compliance in the most practical and effective manner.
Penetration Testing and Vulnerability Scanning
Key requirements of the PCI DSS include undertaking both vulnerability scanning and penetration testing in order to assess the network infrastructure and applications.
PCI DSS requires organisations to conduct a vulnerability scan of all external IPs and domains in scope at least once every 90 days. Cyber Security Specialists can conduct the required vulnerability scans, both from outside your network and from within it, behind your various perimeter security devices.
PCI DSS also requires organisations to run internal and external network vulnerability scans at least quarterly. Cyber Security Specialists can assist your organisation by conducting the required internal vulnerability scans, as well as the external vulnerability scans required after any significant change to your network.
As a CREST-accredited organisation, Cyber Security Specialists can also conduct penetration tests, in which our team of testers will not only analyse your network environment and identify potential vulnerabilities but also attempt to exploit them. Under PCI DSS Requirement 11.3 (applicable to ROCs, SAQ C and SAQ D), we can conduct internal and external penetration testing of both the network and application layers of the CDE, as well as any required segmentation testing.
Our Security Consultants are all vendor agnostic, bring a wide range of technical and information security (e.g. ISO 27001) skills and experience, and are well placed to understand the impact that implementing PCI DSS is likely to have on your organisation.
Get in touch
Start your PCI DSS Compliance Journey
Speak with one of our team to see how we can help you become PCI DSS compliant.