PCI Security Standards Council QSA
Working Together With
Working With Barclaycard
‘Winner of the 2010 European Card Acquiring Forum (ECAF) Data Security Award for our PCI DSS Merchant Compliance Programme’
PCI DSS PARTICIPATING ORGANIZATION
Achieving PCI Compliance

PCI Consultancy

Most organisations required to achieve and maintain PCI compliance can successfully follow a standard process, which is outlined below. The following sections explain this route towards a PCI DSS audit and describe how 7Safe supports its clients through the PCI compliance initiative.

  • Identify everything in the organisation which is required to achieve PCI compliance, and how to reduce this to a manageable quantity.
  • Compare current practices and systems with what is required for PCI compliance, and produce a list of work to be completed.
  • Implement the changes laid out in the list of work to be completed.
  • Assert that the organisation is PCI compliant, either by completing the Self Assessment Questionnaire or by performing an audit against the PCI DSS.

PCI Scope & PCI DSS Scoping Workshop

In order to determine which parts of your organisation are relevant to the PCI DSS, an initial scoping workshop is recommended. During this stage, our PCI DSS QSA consultants will work with your team to review the following items:

  • Number of sites / offices storing, processing or transmitting payment card data
  • Payment systems, card data flows and network diagrams
  • The findings from any security reviews already performed

This workshop will aim to:

  • identify all system components (people, processes and hardware) which form your organisation’s cardholder data environment
  • identify opportunities to reduce the scope to which the PCI DSS applies
  • deploy 7Safe’s primary account number discovery tool, 7Seec, in order to assist with the verification of the cardholder data environment

During the initial scoping workshop, a verbal summary of your PCI compliance scope will be prepared and presented and discussed on site at the end of the day. A written PCI DSS scope report will then be prepared and shared with you.

PCI DSS Gap Analysis

A Gap Analysis is an assessment process which enables an organisation to compare its current (actual) situation with its desired (target) situation. It enables 7Safe’s QSA team to measure to what extent the PCI Data Security Standard is currently implemented in your environment, compared to the extent required for compliance.

During this stage, the framework of the PCI DSS Security Audit Procedures v2.0 (which as of the 28th October 2010 superseded v1.2) will be used.

7Safe’s primary account number discovery tool, 7Seec, will also be deployed during the Gap Analysis in order to verify that there are no unprotected PANs and that your PAN security is strong.

Following this stage, a report will be prepared and its accuracy and reasonableness agreed with you. The report will contain details of areas which are compliant and non-compliant, and will list policies, procedures and standards which are required to comply with Requirement 12 of the Standard. The report may also identify opportunities to reduce the impact of the PCI DSS on your business operations.

PCI Compliance & Remediation

Remediation refers to the work required to ensure that your organisation reaches PCI DSS compliance: the actual implementation of the protective measures to be undertaken (including Penetration Testing and regular Vulnerability Assessment (ASV)), guided by our PCI compliance team and your Gap Analysis Report. In support of this activity, 7Safe is often asked to provide ongoing Remediation Support consultancy, for example to:

  • construct procedures
  • provide practical advice to resolve issues
  • attend progress review meetings
  • develop remediation plans
  • ensure effective project management towards the end PCI DSS goal
  • … and ultimately achieve PCI compliance

PCI Pre-Audit

7Safe strongly recommends a PCI DSS pre-audit (or “readiness”) phase to ensure that your organisation is fully prepared for the full audit, with the intention of identifying unmet requirements which may result in wasted expenditure and ultimately audit failure. This will also give you the opportunity to experience rigorous audit-style verification prior to an actual audit.

PCI DSS Audit & Report on Compliance

In its capacity as a Qualified Security Assessor (QSA) company, 7Safe will carry out an audit on your environment against the PCI DSS. To validate compliance, all requirements must be met; steps taken in the previous stages will obviously have a major bearing on the audit result. A Report on Compliance (ROC) will subsequently be produced after rigorous Quality Assurance processes have been adhered to.
