If your organisation stores, processes or transmits cardholder data, it will need to undergo a PCI DSS assessment to demonstrate that it is compliant. The level of assessment performed depends on whether you are a service provider or a merchant, and at which level. Based on this, you will need to complete either a Self-Assessment Questionnaire (SAQ) or a full Report on Compliance (ROC).
To help you achieve PCI DSS compliance, ProCheckUp will work with you to build an implementation plan. ProCheckUp can act as a resource to project management teams working on projects that affect PCI DSS compliance. We view this as an embedded partnership in which ProCheckUp acts as a highly specialised source of information, so that issues can be resolved quickly and efficiently and projects are prevented from regressing.
ProCheckUp is qualified by the PCI Security Standards Council as a European QSA (Qualified Security Assessor) company. Our employees can assess the compliance of organisations against the PCI DSS standard.
ProCheckUp is qualified by the PCI Security Standards Council as a global ASV (Approved Scanning Vendor) company. Our employees can perform vulnerability scans of the Internet-facing environments of merchants and service providers.
Please see the PCI FAQ for more information about PCI DSS.
Contact us to find out more about PCI ASV (Approved Scanning Vendor) and PCI QSA (Qualified Security Assessor) security testing.
ProCheckUp Engagement lifecycle
ProCheckUp utilises a standard engagement model for all engagements, defined below:
Offering - Activities that take place before the execution of a consultancy assignment:
- Pre-sales and identification of client needs;
- Creation of an agreement, typically covering:
  - Context of the work
  - Services and deliverables
  - Approach and work plan
  - Roles and responsibilities.
Execution - Delivery of the services agreed at the offering stage to satisfy the client:
- Refining the work plan;
- Implementing the agreed work plan;
- Assignment of staff, management and mentoring;
- Approval and acceptance.
Closure - Activities that take place at the end of a consultancy assignment:
- Final client evaluation and agreement that the service has been delivered;
- Conclusion of obligations;
- Finalising payment;
- Any subsequent improvements to the service.
For ProCheckUp to conduct a suitably detailed PCI DSS assessment of an organisation, and to dedicate sufficient time to complete it, it is essential to understand the cardholder data environment (CDE) to be assessed. This understanding is achieved through a scoping exercise conducted between the client (and any relevant third parties involved), the PCI DSS consultant who will be conducting the assessment (or a suitably designated person), and the ProCheckUp Account Manager. The outcome of this meeting is a PCI DSS scoping document/statement, which lists the specific objective(s) of the assessment. During this phase, the scope of the CDE is validated.
ProCheckUp proposes to engage with your organisation through a contract in which a total number of consultancy days is purchased in advance. This approach delivers several inherent benefits.
After the scoping engagement, ProCheckUp will propose a high-level project plan defining the number of consultancy days envisaged to meet the requirements currently being driven by your organisation. Note that the outlined project plan may change as the initiation phase proceeds, and in response to any requirements from the acquiring bank once they have been fully understood.
PCI DSS Implementation
ProCheckUp will work with your organisation to build an implementation plan which will focus on the following phases.
Stage 1 – Pre-compliance Assessment
The pre-compliance assessment involves understanding the size of the compliance risk to your business, determining where you stand, and creating a compliance programme tailored to your specific requirements. It involves gathering data to identify gaps in your current security posture against PCI DSS and, where applicable, any other security standards.
The pre-compliance assessment will typically include:
- Conducting an on-site review of IT infrastructure, network design and architecture, application architecture, policies, procedures and processes to determine non-compliant areas.
- Identifying your cardholder data environment and determining your cardholder data flows, in order to confirm your PCI DSS scope.
- A gap analysis comparing the pre-assessment of policies, procedures and processes, together with scan results, against both the PCI DSS criteria and industry best practice.
- A recommendations report.
- Scoping and prioritising remediation activities.
Stage 2 – Remediation
Based on the results of the pre-compliance assessment, the remediation programme provides a controlled, focused and effective framework for achieving compliance. Our remediation programme will help your organisation develop, implement and document the evidence required to prove compliance with the PCI DSS. Where required, we will look to form close working relationships not only with your organisation but also with any third-party vendors involved in delivering hardware, software and services.
Policy Development
Our consultants can assist in developing information security policies, procedures, processes and practices that incorporate your organisation's specific business requirements and IT environment. Although we recommend that these are developed within your organisation, we can offer assistance and consultancy in these areas. Our consultancy experience ranges from large multi-channel retailers and financial services organisations to small businesses.
IT Infrastructure Development
ProCheckUp has a wealth of experience in network infrastructure security testing and design, which means your organisation will benefit from our technical consultants' expertise. In addition, we can advise your business on how to design its infrastructure to accommodate PCI DSS requirements, including the effective use of firewalls, intrusion detection and prevention, and network segmentation. This also extends to POS systems and payment processing environments.
As an independent security advisor, ProCheckUp will be on hand to assist all parties with any remediation highlighted by our findings. Although we do not recommend any specific vendor's solutions, we do provide advice on the technology that can be used to meet your requirements. Previous customers have used our PCI DSS User Group to field questions on specific solutions or providers, and we are happy to ask the attendees for direction on your behalf.
Stage 3 – Audit and Report on Compliance
After the remediation phase, ProCheckUp will manage the audit process. This phase includes the production of the Report on Compliance (ROC). For a Level 1 merchant an on-site audit is compulsory, and it is advisable for Level 2 merchants. The QSA will assign a consultant to validate compliance (typically by conducting interviews with key staff) and to review the vulnerability scanning and other tests defined in the PCI DSS.
Stage 4 – Certification
This phase is undertaken by the QSA and includes the submission of all relevant documentation, including the ROC, to the acquiring bank for Level 1 merchants, and the certification of the audit report by the card schemes.
Stage 5 – Maintaining Compliance
Achieving compliance is not a one-off exercise. PCI DSS certification is required annually, and external vulnerability scanning by an Approved Scanning Vendor (ASV) is mandated quarterly. Full manual penetration testing must be conducted annually or after any significant change. It is vital that process and technology decisions are taken with PCI DSS compliance in mind. ProCheckUp can manage the overall PCI DSS compliance process, providing programme management from the initial pre-compliance assessment through to certification and ongoing compliance, with annual penetration testing, ASV scanning and consultancy.
Following a PCI DSS assessment, ProCheckUp will provide a detailed report via a secure transport mechanism to the agreed recipients.