


Overview

Royal Sun Alliance and ProCheckUp have formed a partnership to assist you with your PCI DSS status and help your organisation gain compliance quickly and efficiently.


ProCheckUp Ltd (ProCheckUp) is a leading independent security company that was formed in early 2001 as a highly technical organisation dedicated to resolving the business and technical security issues associated with carrying out business over the Internet.

Focused purely on providing penetration testing services, ProCheckUp has quickly grown to become the market leader in providing security assessment services to high street banks, global financials, FTSE 500’s, government and retailers that understand that protecting their assets is of paramount importance.

To find out more about ProCheckUp go to www.procheckup.com


This website has been established so that ProCheckUp can better understand your specific requirements against the statement and answer any questions you may have going into such a project.

As a level 2 merchant you may be aware of your requirements to gain PCI compliance already, but to clarify you are expected to perform the following:

Requirement          Frequency
SAQ                  Annually
ASV Scanning         Quarterly
Internal Scanning    Quarterly
Penetration Test     Annually


As the preferred provider of QSA services to RSA customers, ProCheckUp are extremely well equipped to assist you with your PCI project. In order for you to gain compliance as quickly as possible, we would require the following company details:

Not all of these will apply to this specific project but should be used as an indication:

  • 1. A transaction flow diagram from start to end (i.e. processing of cardholder data, including authorisation, capture, settlement, chargeback and other flows as applicable)
  • 2. Confirm entity type: Merchant or Service Provider
  • 3. Confirm Level, i.e. 1 - 4 (contact and confirm with acquirer(s))
  • 4. How many physical sites (i.e. data centres, call centres, etc.) deal with credit card data?
  • 5. How many internet-facing web sites are there? And how many are available only for internal access (i.e. intranet sites)?
  • 6. How many sites have a data repository (i.e. databases, Excel sheets, etc.)?
  • 7. How many devices (i.e. web servers, IDS/IPS, POS, firewalls, routers and user-input terminals) are on each site that deals with credit card data?
  • 8. How many online and/or offline backup sites store credit card data?


The following documents are also required for PCI DSS compliance purposes at the Gap analysis stage:

  • 1. Network infrastructure diagram
    • a. A detailed internal/external network diagram
  • 2. Transaction flow procedures
    • a. Transaction flow procedures with diagrams (i.e. processing of cardholder data, including authorisation, capture, settlement, chargeback and other flows as applicable)
  • 3. Security management procedures
    • a. Account/access management procedures/policy (req. 9, 8, 7, 2), i.e. user controls for routers, servers, firewalls, IDS/IPS etc.
    • b. Remote access & monitoring policy (req. 8)
    • c. Security policy (req. 12)
    • d. Incident (breach) response procedures/policy (req. 12)
    • e. Internal & external penetration test report(s) (req. 11)
    • f. Roles and responsibilities policy (req. 12, 7)
    • g. Cardholder system encryption & protection policy (req. 4, 3)
    • h. Backup & disaster recovery procedures (req. 3)
    • i. Physical security procedures/policy (req. 3)
  • 4. Maintenance management procedures
    • a. Firewall/router policy/procedures (req. 1), i.e. control/deny traffic to internal networks
    • b. System management policy (req. 12, 6, 1), i.e. configurations, firmware, OS, application updates, patches, roll-outs etc.
    • c. End user system management policy (req. 5), i.e. anti-virus, application, OS updates, patches, roll-outs etc.
    • d. Secure system/application management procedures (req. 6)
    • e. System/application security stress management procedures (req. 11), i.e. quarterly/annual security testing plans
  • 5. Logging & monitoring management procedures
    • a. Building & resources monitoring policy (req. 10), i.e. access to and control of the logs of routers, servers, firewalls, IDS/IPS etc.
    • b. Building & resources access policy (req. 9)


This is the basis of how the process will work. To get you started, please answer the following question:

What merchant level are you?


