PCI-DSS Services

PCI-DSS, or Payment Card Industry Data Security Standard, is the de facto standard that all merchants, payment providers and banks are required to comply with as a contractual obligation to the major card brands such as Visa, Mastercard and Amex. Since 2010 we have been the exclusive partner for the region of the leading Qualified Security Assessor, Control Case International.


We are also certified PCI Professionals and have undertaken various successful PCI projects for banks, merchants and payment service providers. Contact us at avantedge@pkfmalaysia.com

Our journey started in 2010 when we were approached by a bank to advise on their PCI project. Back then we were very active in ISO27001 and we immediately latched on to this new standard and coordinated with Control Case, quickly becoming their partner to serve our clients. Over the years, and through hundreds of hours of training and experience in gap assessments, certification audits and implementation, we have built a portfolio of products and services for PCI:

a) PCI Project Management – PMP certified consultants who are focused on compliance projects. One of the biggest challenges in PCI projects is that implementation often runs into 9 – 15 months, and often longer for banks. This is due to the scope involved, which is usually expansive for any bank project. The key consideration is that for any project of this magnitude and involvement of resources, an experienced project team is a must.

b) Card Data Scanning – We use a QSA-developed and qualified product, the CDD Scanner, for this requirement, which calls for a validated scanner to scan the entire scope for the presence of card data. The scope can be very large if branches are involved, and the scanners must be configured for it. Our team has been trained on a dedicated Control Case CDD scanner to run this efficiently for the bank and ensure that the report is submitted as the standard requires.

c) Risk Assessment – This is considered mandatory for PCI-DSS v3.0. For organisations that do not have a risk management team or enterprise risk group with technology capability, we are certified in ISO27001 and ISO27005 Risk Management practices, which are acceptable under the PCI-DSS standard. We can conduct the entire RA on behalf of the bank, including documentation of the methodology, training, facilitating the risk control assessment (RCA) workshops, reporting of risks and development of the risk treatment plan.

d) PCI training – While training itself may seem a mere formality, the new version of the standard requires more supporting documents to be produced, as well as the capability of trainers to be verified. PCI is a very large subject and requires trainers to be certified or trained in the security subjects related to the compliance. We can provide any training service, from materials to conducting the training itself. We also have train-the-trainer programs for more cost-effective coverage of this requirement. As our training can also be claimed under HRDF, this represents a good cost saving for the bank while complying with Requirement 12. Depending on the number of people in scope for the training, the materials will be developed and distributed to PCI standards.

e) Vulnerability Scans and Penetration Testing – Often considered the largest implementation activity in PCI. This is commonly run as a standalone project/program due to the sheer involvement of resources. ASV (Approved Scanning Vendor) scans are mandatory every quarter, as are internal vulnerability assessments. External and internal penetration testing is required every year and MUST comply with the standard of testing. In v3 of PCI-DSS, a documented methodology needs to be verified and accepted, and the entire exercise of scanning and penetration testing must be tracked, including the qualifications of the testers and the tools used in the process. We are qualified penetration testers, trained in PCI, and have invested in commercial pentest tools for this purpose. We also have experience with large projects, having been involved in engagements with more than 2,000 assets in scope.

f) Other Products and Services for PCI-DSS

– 24×7 outsourced Logging and Monitoring – Addresses Requirement 10

– Firewall ruleset analysis under QSA standard – Addresses Requirement 1

– Policy & Procedures review – Addresses Requirement 12. Done annually to maintain PCI documentation requirements

– Asset Management Services – We use a QSA approved software to map assets in the entire PCI scope, to be done yearly for PCI compliance

– File Integrity Monitoring – The FIM project is usually attached to the logging project. The QSA will identify critical files to be monitored, as well as rules/behaviours to be configured in the software (sudden increase in log size, etc.). Each asset in scope must be studied and determined, and the file integrity software must be checked to confirm it is properly configured to comply with PCI’s exacting standards. QSA approved FIM services can be provided by us, and are to be done yearly.

Call or email us to set a free appointment for us to understand your PCI needs!
