1 Sep 2020 | Blog, PCI DSS

PCI DSS Service

Howard Freeman


The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. Therefore, if you accept or process payment cards, PCI DSS applies to you.

PCI DSS follows common-sense steps that mirror security best practices. The standard applies globally to all entities that store, process or transmit cardholder data, and this also includes sensitive authentication data.

PCI DSS and related security standards are administered by the PCI Security Standards Council (SSC). The council was founded by American Express, Discover Financial Services, JCB International, Mastercard Worldwide and Visa Inc. Participating organisations include merchants, payment card issuing banks, processors, developers and other vendors.

The PCI Data Security Standard

PCI DSS specifies 12 requirements entailing many security technologies and business processes, and reflects most of the usual best practices for securing sensitive information; the resulting scope is comprehensive and may seem daunting.


Implementing and maintaining compliance with the latest PCI DSS is surrounded by many myths. Therefore, you can benefit from our many years of experience working with multiple Level 1 UK merchants. We are experts at demystifying PCI DSS requirements and simplifying compliance.

If you accept or process payment cards then you are required by your acquiring bank to achieve and maintain PCI DSS compliance, regardless of the size and volume of payment card transactions accepted. The scope is comprehensive, but it needn’t be overly complex.

PCI DSS Security

PCI DSS mostly calls for good, basic security measures and the best practices for security contained in the standard are steps that every business should want to take anyway to protect sensitive data and continuity of operations.

We always strongly recommend that achieving and maintaining PCI DSS compliance should be part and parcel of any organisation’s ongoing data, information and cyber security programme.

Organisations will already be implementing many data security measures to meet other regulatory, legislative and security control framework requirements, including the UK Data Protection Act 2018 (incorporating GDPR), ISO 27001, NIST and Cyber Essentials. Many of these measures apply equally to PCI DSS.

Sounds complex doesn’t it? It needn’t be. With our approach to demystifying and simplifying clients’ PCI DSS, your journey always starts with a simple PCI Compliance Assessment. This has the fundamental objective of being able to determine how ‘PCI attestation of compliance ready’ an organisation is by payment channel.

Therefore, such a compliance assessment typically consists of a minimum two day ‘on-site’* discovery and gap analysis exercise.


During the discovery and gap analysis we will attend client locations. We will spend time in conversation with multiple key business and information technology stakeholders, and will observe and define:

  • payment card channels and transaction volumes
  • payment methods used for card payments
  • associated systems interfaces
  • PCI controls applicable by payment channel
  • current demands and timescales from acquirers
  • current high-level PCI compliance status estimate
  • priorities and opportunities for scope reduction
  • proposed outline roadmap to achieve compliance

Prioritisation and Descoping Opportunities

We offer a ‘demystify and simplify’ approach to achieving PCI DSS compliance. We work with you to agree the priorities. The payment channels that can be descoped are examined next. This in turn simplifies PCI compliance.

We document the outputs of our discovery and gap analysis compliance assessment exercise and present the findings back to clients in person. Next, we set out high-level recommendations and the options available for clients to achieve PCI compliance, in a sustainable way that allows clients to maintain PCI compliance and achieve re-attestation in subsequent years.

We then work with clients to develop detailed strategies, plans and next steps to achieve PCI compliance by individual payment channel, and can assist clients with all aspects of achieving and maintaining PCI compliance.

Our key PCI compliance competencies include:

  • PCI Program Management and Governance
  • Card-Holder Data Risk Assessment
  • Policy Procedure and Process Review and Writing
  • Incident Response Planning
  • Security Training and Awareness
  • Third-Party Service Provider Validation

Therefore, if PCI DSS is on your agenda, call us to book a consultation on 03333 22 1011 or please get in touch.
