PCI-DSS, or Payment Card Industry Data Security Standard, is the de facto standard that all merchants, payment providers and banks are contractually required to comply with by the major card brands such as Visa, Mastercard and Amex. Since 2010 we have been the exclusive partner of the leading Qualified Security Assessor, Control Case International, for the region.
We are also certified PCI Professionals and have undertaken various successful PCI projects for banks, merchants and payment service providers. Contact us at firstname.lastname@example.org
Our journey started in 2010 when we were approached by a bank to advise on their PCI project. Back then we were very active in ISO27001, and we immediately latched on to this new standard and coordinated with Control Case, quickly becoming their partner to serve our clients. Over the years, and through hundreds of hours of training and experience in gap assessment, certification audits and implementation, we have built a portfolio of products and services for PCI:
a) PCI Project Management – PMP certified consultants who are focused on compliance projects. One of the biggest challenges in PCI projects is that implementation often runs into 9 – 15 months, and often longer for banks. This is due to the scope involved, which is usually expansive for any bank project. The key consideration is that for any project of this magnitude and involvement of resources, an experienced project team is a must.
b) Card Data Scanning – We use a QSA-developed and qualified product, the CDD Scanner, for this requirement, which calls for a validated scanner to scan the entire scope for the presence of card data. This is a very large scope to consider if branches are involved, and it requires configuration of the scanners. Our team has been trained on a dedicated Control Case CDD scanner to run this efficiently for the bank and ensure that the report is submitted as per the standard required.
c) Risk Assessment – This is considered mandatory for PCI-DSS v3.0. For organisations that do not have a risk management team or enterprise risk group with technology capability, we are certified in ISO27001 and 27005 Risk Management practices, which are acceptable under PCI-DSS standards. We can conduct the entire RA on behalf of the bank, including documentation of methodology, training, facilitating the risk control assessment (RCA) workshops, reporting of risk and development of the risk treatment plan.
d) PCI training – While training itself seems a mere formality, the new version of the standard requires more supporting documents to be produced, as well as the capability of trainers to be verified. PCI is a very large subject and requires trainers to be certified or trained in the security subjects related to the compliance. We can provide any service on training, from materials to conducting the training itself. We also have train-the-trainer programs, for more cost-effective coverage of this requirement. As our training can also be claimed under HRDF, this represents a good cost saving for the bank as well as a way to comply with Requirement 12. Depending on the number of people in scope for the training, the materials will be developed and distributed to the standards of PCI.
e) Vulnerability Scans and Penetration Testing – Often considered the largest implementation activity in PCI. This is commonly run as a standalone project/program due to the sheer involvement of resources. ASV (Approved Scan Vendor) scans are mandatory every quarter, as are internal vulnerability assessments. External and internal penetration testing is required every year and MUST comply with the standard of testing. In v3 of PCI-DSS, a documented and accepted methodology needs to be verified and accepted, and the entire exercise of scanning and penetration testing must be tracked, including the qualifications and tools used in the process. We are qualified penetration testers, trained in PCI, and have invested in commercial pentest tools for this purpose. We also have experience with large scopes, having been involved in projects with more than 2,000 assets in scope.
f) Other Products and Services for PCI-DSS
– 24×7 outsourced Logging and Monitoring to address Requirement 10
– Firewall ruleset analysis under QSA standard to address Requirement 1
– Policy & Procedures review – Addresses Requirement 12. Done annually to maintain PCI documentation requirements