‘Winner of the 2010 European Card Acquiring Forum (ECAF) Data Security Award for our PCI DSS Merchant Compliance Programme’
PCI QSA Services

What is the Payment Card Industry DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements developed to reduce credit card fraud and increase data security. This industry standard affects every company that deals with (stores, processes or transmits) card payment transactions. The PCI DSS requires companies to:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Programme
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Who does PCI DSS affect?

Anyone who stores, processes or transmits cardholder data, including Merchants and Service Providers.

Objective, Vendor-neutral PCI consultancy

As we have engaged in PCI compliance projects over the years, it has become very apparent that some providers of PCI consultancy and audit use the PCI Security Standard as leverage for third-party product sales.

7Safe’s PCI DSS team has strategically set out to remain vendor neutral. Our team therefore only provides or recommends what is absolutely necessary to your core PCI compliance programme, including:

Consultancy

The provision of PCI QSA consultancy for scope, gap analysis, remediation support and audit.

Cardholder Data Search

It is crucial that any organisation searches for the presence of unprotected cardholder data. Our team uses its in-house built tool “7Seec” to search for PANs (primary account numbers). This is a commercially available tool, but it will only be offered as a potential discovery solution to help you find unencrypted PANs and to maintain compliance.

PCI Penetration Testing

Importantly, 7Safe’s pen testing team are PCI trained and, as a result, use their knowledge of PCI DSS to provide clear, concise input into PCI compliance programmes. Moreover, our QSA team trust the output of such work and know that a full and thorough PCI penetration test has been undertaken.

PCI ASV Scanning Service

Despite being experts in vulnerability assessment and having the co-founder of Nessus working within the business, 7Safe has chosen to partner with industry-leading ASV solutions provider Qualys to ensure that we can offer our clients access to the best ASV in the marketplace to satisfy the requirements of the standard.

PCI vs Pragmatic Business

7Safe is a PCI DSS QSA (Qualified Security Assessor) and undertakes PCI compliance audits in addition to assisting organisations to achieve and maintain compliance with the standard. We have learned over the years, however, that a consulting team’s wider skill set is also important: it sets the standard in the context of the wider organisation and lets us work closely with our clients to take a pragmatic view of how organisational change needs to be undertaken. There is a significant danger that a lack of consultancy experience in the field of PCI results in ineffective spend and unnecessary risk being introduced from a wider perspective.

Our QSA team therefore draws upon advice from other departments within 7Safe, such as the PCI QFI team (who handle breaches of payment card data) and our Penetration Testing / Web Application Security department, for guidance where complex situations arise. This team approach, coupled with strong project management experience, adds tremendous value to each project and client alike.

PCI DSS – Staying Current

Critical to the success of any PCI compliance business is knowing the industry and staying close to changes. 7Safe is proud to work very closely with the PCI Security Standards Council, the Card Schemes and the UK Acquiring Banks through our QSA work, partnerships and QFI (breach of credit card data) activity. We regularly attend PCI Council community meetings and hold regular updates and knowledge-sharing sessions with the Card Schemes and Acquirers.

Core Payment Card Industry DSS Principles and Requirements

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

Achieving PCI Compliance

PCI Consultancy

Most organisations required to achieve and maintain PCI compliance can successfully follow a standard process, summarised in the four steps below. The following sections explain this route towards PCI DSS audit and describe how 7Safe supports its clients through the PCI compliance initiative.

  • Scope: identify everything in the organisation which is required to achieve PCI compliance and how to reduce this to a manageable quantity.
  • Gap analysis: compare current practices/systems to what is required for PCI compliance and produce a list of work to be completed.
  • Remediation: implement changes as laid out in the list of work to be completed.
  • Validation: assert that the organisation is PCI compliant, either by completing the Self Assessment Questionnaire or by performing an audit against the PCI DSS.

PCI Scope & PCI DSS Scoping Workshop

In order to determine which parts of your organisation are relevant to the PCI DSS, an initial scoping workshop is recommended. During this stage, our PCI DSS QSA consultants will work with your team to review the following items:

  • Number of sites / offices storing, processing or transmitting payment card data
  • Payment systems, card data flows and network diagrams
  • The findings from any security reviews already performed

This workshop will aim to identify:

  • all system components (people, processes and hardware) which form your organisation’s cardholder data environment
  • opportunities to reduce the scope to which the PCI DSS applies

7Safe’s primary account number discovery tool, 7Seec, is also deployed during the workshop to assist with verification of the cardholder data environment.

During the initial scoping workshop, a verbal summary of your PCI compliance scope will be prepared and presented / discussed on site at the end of the day. A written PCI DSS scope report will then be prepared and shared with you.

PCI DSS Gap Analysis

A Gap Analysis is an assessment process which enables an organisation to compare its current (actual) situation with its desired (target) situation. It enables 7Safe’s QSA team to measure to what extent the PCI Data Security Standard is currently implemented in your environment, compared to the extent required for compliance.

During this stage, the framework of the PCI DSS Security Audit Procedures v2.0 (which as of the 28th October 2010 superseded v1.2) will be used.

7Safe’s primary account number discovery tool, 7Seec, will also be deployed during the Gap Analysis in order to verify that there are no unprotected PANs and that your PAN security is strong.
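The PAN discovery described in the Cardholder Data Search section and again here for the Gap Analysis boils down to one check: find digit runs of card-number length, keep those that pass the Luhn check digit and carry a known issuer prefix, and report them without ever writing the full number back out. The scanner below is an added illustration written for this page; it is not 7Seec or any other 7Safe tool, and the sample log lines, the simplified issuer-prefix table and the first-six/last-four masking format are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A candidate PAN is a run of 13 to 19 digits, optionally separated by single
# spaces or dashes. The look-arounds stop the scanner from taking a 16-digit
# slice out of a longer digit run (e.g. a 20-digit reference number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATOR_RE = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Simplified issuer-prefix table (assumption: illustrative, not complete)."""
    n = len(digits)
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "mastercard"
    if two in (34, 37) and n == 15:
        return "amex"
    if (four == 6011 or two == 65) and n == 16:
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits; the rest is never reported."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    brand: Optional[str]


def find_pans(text: str, require_brand: bool = True) -> list[Finding]:
    """Scan text line by line and report Luhn-valid candidates in masked form."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = SEPARATOR_RE.sub("", match.group(0))
            if not luhn_valid(digits):
                continue  # phone numbers and order ids mostly fail here
            brand = card_brand(digits)
            if require_brand and brand is None:
                continue  # Luhn-valid but no known issuer prefix: low confidence
            findings.append(Finding(line_no, mask_pan(digits), brand))
    return findings


# Constructed sample log (assumption). The card numbers are the public
# Visa and MasterCard test numbers, not real cardholder data.
SAMPLE_LOG = """\
2010-10-28 09:14:02 order=1234567890123 tel=+44 0870 600 1668
2010-10-28 09:14:03 card=4111 1111 1111 1111 exp=12/12 status=approved
2010-10-28 09:14:04 card=4111-1111-1111-1112 status=declined
2010-10-28 09:14:05 ref=5500000000000004 note=settled
2010-10-28 09:14:06 loyalty=9111111111111110 status=ok
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan} ({f.brand})")
```

Run against the sample, lines 2 and 4 are reported and nothing else: the order id and the telephone number fail the Luhn check, the declined card number on line 3 has a corrupted check digit, and the 16-digit loyalty number on line 5 passes Luhn but matches no issuer prefix, so it is only reported when `require_brand=False`. Running the scanner with the brand filter off is a useful second pass when reviewing the results of a scope or gap exercise, at the cost of more false positives to triage.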

Following this stage, a report will be prepared and its accuracy and reasonableness agreed with you. The report will contain details of areas which are compliant and non-compliant, and will list policies, procedures and standards which are required to comply with Requirement 12 of the Standard. The report may also identify opportunities to reduce the impact of the PCI DSS on your business operations.

PCI Compliance & Remediation

Remediation refers to the work required to ensure that your organisation reaches PCI DSS compliance: the actual implementation of protective measures (including Penetration Testing and regular Vulnerability Assessment (ASV)), guided by our PCI compliance team and your Gap Analysis Report. In support of this activity, 7Safe is often asked to provide ongoing Remediation Support consultancy, for example to:

  • construct procedures
  • provide practical advice to resolve issues
  • attend progress review meetings
  • develop remediation plans
  • ensure effective project management towards the end PCI DSS goal
  • … and ultimately achieve PCI compliance

PCI Pre-Audit

7Safe strongly recommends a PCI DSS pre-audit (or “readiness”) phase to ensure that your organisation is fully prepared for the full audit, with the intention of identifying unmet requirements which may result in wasted expenditure and ultimately audit failure. This will also give you the opportunity to experience rigorous audit-style verification prior to an actual audit.

PCI DSS Audit & Report on Compliance

In its capacity as a Qualified Security Assessor (QSA) company, 7Safe will carry out an audit on your environment against the PCI DSS. To validate compliance, all requirements must be met; steps taken in the previous stages will obviously have a major bearing on the audit result. A Report on Compliance (ROC) will subsequently be produced after rigorous Quality Assurance processes have been adhered to.

PCI DSS Compliance for Merchants

PCI in the Retail Industry

Whatever your business, if you store, process or transmit credit card data, you need to meet the industry standard for data security, namely PCI DSS, and will be required to validate compliance with the standard either by completing an SAQ (Self Assessment Questionnaire) or through full PCI compliance validation using a QSA (Qualified Security Assessor) such as 7Safe.

With a proven track record in all aspects of network security, 7Safe is ideally positioned to assist retailers with all of their PCI DSS compliance requirements and has worked with and guided numerous retail establishments (from very large Level 1 and Level 2 merchants through to Level 4 “e-commerce” merchants) through PCI compliance and audit (references are available upon request).

Full PCI Audit

The PCI DSS requires that companies processing more than six million transactions a year undergo an annual onsite audit that must be performed by a QSA. All companies, whatever their size, must undergo a quarterly network security audit and answer an annual self-assessment questionnaire relating to data security.

PCI Compliance Training and PCI Training Programme

7Safe’s official Qualified Security Assessor (QSA) status and our expertise in security risk assessment ensure we are able to assist online and high street retailers in complying with all areas of the PCI DSS standard. We also provide expert training in PCI compliance for staff.

Our People and Approach to PCI Compliance

Clearly, a successful PCI DSS compliance programme is not just about the PCI DSS Standard, but also about how projects of change are managed and communicated and how professional the PCI QSA consultancy is. Please read here about 7Safe’s programme for achieving PCI compliance and our PCI people and philosophy.

PCI Self Assessment Questionnaire (SAQ) Assistance

Very often, 7Safe’s PCI Compliance team finds that whilst organisations do start to complete SAQs, it becomes complex when attesting that one is PCI compliant. The SAQ is a relatively simple document; however, actually self-certifying with confidence can be worrying and open to interpretation. 7Safe’s team therefore assists organisations by providing pragmatic advice, consultancy and project checks to ensure that when aspects of the SAQ are completed, the information behind them is accurate, complete and safe to rely on.

Whether you trade online or in the high street, 7Safe can help with PCI compliance.

PCI DSS and Online Retailers

7Safe will assist with all areas of PCI compliance, including:

PCI Compliance for High Street Retailers

Even if your company does little or no trade online, your point of sale transactions still need to comply with PCI DSS requirements. 7Safe can help safeguard the security of your transactions through regular testing and audit.

Our service includes:

PCI DSS Compliance for Acquirers

PCI DSS Compliance and Acquiring Institutions


7Safe’s PCI QSA team are leaders in helping acquiring institutions achieve PCI DSS compliance and have a great deal of experience in delivering complex, organisation change programmes within the acquiring community to achieve PCI compliance (coupled with our people having large organisation and banking / large-scale audit backgrounds).

PCI DSS Training

7Safe has been awarded the status of Qualified Security Assessor (QSA) by the PCI Security Standards Council. We are one of the leading experts in compliance management services in Europe and regularly provide banks and service providers with risk assessment, mitigation and gap analysis services (ISO 17799 / ISO 27001). We also provide training courses in PCI DSS.

To satisfy existing banking regulations and avoid liability, acquiring institutions must ensure that their retailers are PCI compliant. To find out more about PCI DSS compliance and retailers, please see 7Safe’s PCI DSS for retailers page.

7Safe also provides 24/7 forensic incident response. If you think your system has been compromised, you need to act quickly to safeguard data. 7Safe provides expert advice on setting up incident response procedures.

ISO 27001 & 9001
7Safe London
27 Austin Friars
London
EC2N 2QP

Tel: +44 (0)870 600 1667
Fax: +44 (0)870 600 1668
7Safe Cambridge
South Cambridge Business Park
Sawston, Cambridge CB22 3JH
United Kingdom

Tel: +44 (0)870 600 1667
Fax: +44 (0)870 600 1668