PCI DSS Consultancy
PCI DSS projects often begin in the middle, with a gap analysis or implementation of technical controls to meet the standard – this can be an expensive way to proceed as, as often as not, it involves committing funds to assessing systems that are not even in the final scope, or implementing complicated solutions that never contribute to compliance. CNS initiate all PCI DSS projects with a strategy review, assessing which parts of the business are currently in scope for PCI DSS and deciding how to deal with these elements in a cost-effective way that reduces risk as well as meeting the standard.
The CNS ethos is to move as much out of scope as possible, and then simplify the remainder until a viable compliance project remains. This may mean changing business processes rather than altering technical solutions. CNS will examine each card acceptance channel in turn and offer alternative strategies to compliance for each. Strategies will include business process alteration, outsourcing, tokenization, point-to-point encryption and technical change. The outcome of the strategy phase is a viable, cost-effective roadmap to compliance. Also in the strategy phase we will answer questions about merchant levels, reporting, compliance validation, potential costs and other areas that have a bearing on the success of the project.
CNS can also help in senior stakeholder briefings at the strategy stage, as senior stakeholder buy-in across the business can be critical to the success of a PCI DSS compliance project.
PCI DSS Scope
Identifying an accurate scope for your environment is one of the most critical phases of the compliance programme. During this phase a Qualified Security Assessor (QSA) will assist you in identifying the areas of the business that store, process or transmit cardholder data, in the light of the strategy phase above, ensuring that scope reduction strategies are fully documented and agreed. At the end of this phase a fully defined, minimal scope for compliance should remain.
PCI DSS Gap Analysis
For any PCI DSS project to be effective, it is essential that every remediation decision takes account of the current compliance status, as documented in an up-to-date gap analysis report. A full onsite review of the identified cardholder data environment (CDE) is performed and documented against the applicable requirements identified in the scoping phase; every area of non-compliance is recorded in a security improvement plan, with clear advice on how to bring each non-compliant item (the "reds") to compliant ("green") status.
PCI DSS Remediation
The remediation phase addresses the gaps identified in the PCI DSS Gap Analysis above, and will involve technical change, business process change, training, awareness and all the other steps identified in the previous phases as necessary to achieve compliance. CNS can play a number of roles in the remediation phase, as the client prefers – we can act as a simple sounding board for proposed changes, or we can fully engage in aiding the often complex organisational changes required by the compliance project.
PCI DSS Pre-audit Assessment
The pre-audit assessment is a documentation and interview-based review of the environment's readiness for a compliance audit. At this stage, we will run through the expectations of the final audit in terms of evidence and documentation, and ensure that you are as well prepared as possible for a successful final audit.
PCI DSS Audit
PCI DSS compliance validation is an annual requirement for any organisation that is required to comply with the PCI Data Security Standard.
The assessment includes:
- Certification Assessment Preparation
- Onsite Validation Assessment
- Compliance Reporting
The onsite assessment is conducted in accordance with the validation requirements of the PCI Security Standards Council. Depending on your validation requirements, the outcome is either a full Report on Compliance (RoC) or assistance with completing a Self-Assessment Questionnaire (SAQ).
PCI Compliance Remediation Service
When a pre-assessment or onsite audit identifies a compliance gap, quick remediation is vital. CNS's PCI compliance team includes technology and governance, risk and compliance (GRC) experts from a range of functional practice areas, so that any identified gap is remediated by suitably qualified specialists.
This course provides everything you need to know for PCI DSS compliance. It is an ideal starting point for anyone who is new to the standard and wishes to gain comprehensive, practical knowledge of all its aspects. The course will enable you to develop a cost-effective plan to meet the requirements applicable to your organisation.