We can help you with all aspects of your PCI project. Many of our partners have been Qualified Security Assessors (QSAs) for over 10 years.
We can also help you fulfil the quarterly scans required for PCI compliance through our Approved Scanning Vendors (ASVs).
Our ethos is to move as much as possible out of scope so you are left with a simplified and cost-effective compliance project. We start all PCI engagements with a strategy review meeting to decide how to approach the project and make things as easy as possible.
Our approach can be broken down into the following stages:
This phase will consider outsourcing, point-to-point encryption, business process change, tokenization and technical alteration. The purpose of this strategy stage is to produce a cost-effective, viable compliance roadmap. This phase also gives the client the opportunity to ask questions about merchant levels, potential costs, reporting and anything else that has an impact on the successful outcome of the project.
As senior management buy-in can be crucial to the success of a PCI compliance project, we can also help in management meetings if needed.
One of the most crucial stages of the compliance project is identifying an accurate scope of your environment. A QSA will work with you to identify the areas of the business that store, process and transmit cardholder data. During this phase, we will ensure all scope reduction strategies are documented and agreed with a view to having a fully defined minimal scope.
Once the cardholder data environment (CDE) has been identified, a full onsite review will be performed against the applicable requirements identified in the scoping phase. A full, detailed gap analysis report will be provided which will document all areas of non-compliance, with clear remediation advice on how to turn the reds to green.
This phase will focus on the gaps identified in the gap analysis and will include technical and business process change, awareness, training and any other areas identified in the previous phases as being imperative to achieving compliance. In this stage, we can be as involved as the client wishes: we can simply act as a sounding board for proposed changes, or we can be fully engaged in all aspects of remediation. It is completely up to the client.
The pre-audit assessment is a documentation and interview-based review to ensure the environment is ready for a compliance audit and we are as prepared as possible for a successful final audit.
The PCI DSS Audit is an annual requirement and the assessment includes:
The onsite assessment is conducted in accordance with the compliance requirements of the PCI Security Standards Council. This can include a full Report on Compliance (RoC), or assistance with a Self-Assessment Questionnaire (SAQ) as required.