Securing business data

PCI DSS Consultancy

CNS has been a PCI DSS Qualified Security Assessor (QSA) since 2008.

PCI DSS projects often begin in the middle, with a gap analysis or the implementation of technical controls to meet the standard. This can be an expensive way to proceed: as often as not it commits funds to assessing systems that are not in the final scope, or to implementing complicated solutions that never contribute to compliance. CNS initiates every PCI DSS project with a strategy review, assessing which parts of the business are currently in scope for PCI DSS and deciding how to deal with those elements in a cost-effective way that reduces risk as well as meeting the standard.

The CNS ethos is to move as much out of scope as possible, and then simplify the remainder until a viable compliance project remains. This may mean changing business processes rather than altering technical solutions. CNS will examine each card acceptance channel in turn and offer alternative strategies to compliance for each.

PCI DSS Strategy

Strategies include business process alteration, outsourcing, tokenization, point-to-point encryption and technical change. The outcome of the strategy phase is a viable, cost-effective roadmap to compliance. During the strategy phase we will also answer questions about merchant levels, reporting, compliance validation, potential costs and other areas that have a bearing on the success of the project.

CNS can also help with senior stakeholder briefings at the strategy stage, as senior stakeholder buy-in across the business can be critical to the success of a PCI DSS compliance project.

PCI DSS Scope & Gap Analysis

Identifying an accurate scope for your environment is one of the most critical phases of the compliance programme. During this phase a Qualified Security Assessor (QSA) will assist you in identifying the areas of the business that store, process or transmit cardholder data, in the light of the strategy phase above, ensuring that scope reduction strategies are fully documented and agreed. At the end of this phase a fully defined, minimal scope for compliance should remain.

For any PCI DSS project to be effective, every remediation decision must take account of the current compliance status, as documented in an up-to-date gap analysis report. A full onsite review of the identified cardholder data environment (CDE) is performed and documented against the applicable requirements identified in the scoping phase; all areas of non-compliance are recorded in a security improvement plan, and clear advice is given on moving each item from non-compliant (red) to compliant (green).


PCI DSS Remediation & Pre-audit Assessment

The remediation phase addresses the gaps identified in the PCI DSS gap analysis above. It involves technical change, business process change, training, awareness and all the other steps identified in the previous phases as necessary to achieve compliance. CNS can play a number of roles in the remediation phase, as the client prefers: we can act as a simple sounding board for proposed changes, or we can fully engage in supporting the often complex organisational changes required by the compliance project.

The pre-audit validation is a documentation- and interview-based review of the environment's readiness for a compliance audit. At this stage we run through the expectations of the final audit in terms of evidence and documentation, and ensure that you are as well prepared as possible for a successful final audit.

PCI Compliance Remediation Service & PCI DSS Training

When a pre-assessment or onsite audit identifies a compliance gap, quick remediation is vital. The CNS PCI compliance team includes technology and GRC experts from a range of functional practice areas, so that any identified gap is remediated by highly qualified specialists.

The PCI DSS training course provides everything you need to know for PCI DSS compliance. It is an ideal starting point for anyone who is new to the standard and wishes to gain comprehensive, practical knowledge of all aspects of it. The course will enable you to develop a cost-effective plan to meet all the requirements applicable to your organisation.

PCI DSS Compliance Validation
PCI DSS compliance validation is an annual requirement for any organisation that must comply with the PCI Data Security Standard.

The assessment includes:

  • Certification Assessment Preparation
  • Onsite Validation Assessment
  • Compliance Reporting

The onsite assessment is conducted in accordance with the validation requirements of the PCI Security Standards Council. Depending on your validation requirements, the result is either a full Report on Compliance (ROC) or assistance with completing a Self-Assessment Questionnaire (SAQ).

Get in touch

Talk to our experts today +44 (0) 20 7592 8800