PCI DSS | Payment Card Industry Data Security Standard

PCI DSS Information

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit and credit cards. It was intended to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

PCI SAQ Service

The Payment Card Industry Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) is a tool for merchants and service providers to self-evaluate their compliance with the PCI DSS Requirements. The PCI SAQ is required by the acquirer or payment brand for merchants that are not required to undergo an on-site data security assessment. There are multiple versions of the SAQ to fit different business categories. The SAQ is often much more than a simple “questionnaire,” as many organizations need to put in place the necessary policies, standards, and procedures to meet the requirements in advance of executing the questionnaire. PPS provides support to SAQ clients to:

✔ Validate that the current PCI data architecture is optimized in a manner that minimizes the SAQ burden

✔ Ensure that the optimal SAQ is selected

✔ Work collaboratively with your team to make sure that requisite controls are properly documented

✔ Confirm that your controls are operating as intended by conducting a gap/compliance assessment (with appropriate sampling)

✔ Ensure attestation responsibilities are understood by your Executive Officer

PCI Scope Assessment

The PCI Standard differentiates the scope of the PCI environment based on whether a component of the environment “stores, processes or transits” card holder data. In a large percentage of our engagements we find that the PCI DSS scope is unnecessarily large based on the current architecture. Relatively simple changes, such as changing where a web form posts to or where a desktop handing credit card transactions, can dramatically reduce an organization’s PCI DSS obligation. Our PCI Scoping Assessments:

✔ Leverage PPS’s Secure Data Flow Diagramming practice to trace the flow of PCI relevant data throughout its lifecycle (including third party ingress/egress)

✔Leverage our Credentialed Vulnerability Assessment practice to validate that in-scope systems are configured against the PCI standard

✔ Utilize Content Scanning to determine whether PAN’s (cardholder data) are residing in unanticipated places (e.g., spreadsheets in accounting)

✔ May result in a re-architecting and/or segregating your infrastructure in a manner that eliminates or reduces your PCI burden

PCI Gap Assessment, Gap Remediation, & QSA Audit

PCI requires Tier 1 merchants to have an approved assessor (QSA) perform an annual assessment to validate compliance using the PCI Security Audit Procedures Document. In many of these instances the organization uses the QSA who will be conducting the formal QSA Audit to conduct a PCI-DSS gap assessment. On first blush – -that sounds like a good idea from the client’s perspective– despite the fact that it violates basic principles of independence from the vendors’ perspective. In practice, this can be disastrous as an organization may pass an audit – but still have gaps that result in a notable compromise (see Heartland Payment Systems).

PPS has partnered with Brightline who recognizes the importance of segregating consulting and compliance auditing in its PCI practice. In this way PPS/Brightline can provide an integrated service offering – while still maintaining the appropriate level of independence and objectivity.

Phase 1: PCI DSS Gap Assessment (PPS) includes:

  • Review of PCI Relevant policies, standards, & procedures
  • Analysis of Payment Transaction Environment
  • Understanding of PCI Relevant Third Party Use (e.g. outsourcers, manages service providers, hosting providers)
  • Gap Assessment against the PCI-DSS Standard

Phase 2: PCI DSS Gap Remediation (PPS) includes:

  • Development of prioritized Gap Remediation Plan
  • Collaborative remediation of PCI-DSS non-conformities

Phase 3: PCI DSS Assessment and Reporting (Brightline) includes:

  • PCI DSS Compliance Audit
  • Issuance of formal Report on Compliance to relevant card brands/acquirers
  • Issuance of PCI DSS Compliance Certificate