PCI DSS with Penayde

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data and may be enhanced by additional controls and practices to further mitigate risks. Penayde provides a thorough assessment of your technology platforms to ensure that your organisation is PCI DSS compliant and provides advice in areas that require remediation.

PCI DSS Scope Determination

One of the greatest challenges for an organisation is determining which aspects of its platform are in scope for a PCI DSS assessment. PCI DSS scope determination by Penayde is a rigorous exercise designed to ensure that every platform involved in the storage, processing or transmission of cardholder data within your infrastructure has been identified. One of the methods we use is network segmentation, which helps to reduce the scope of the PCI DSS assessment. At a high level, adequate network segmentation isolates systems that store, process or transmit cardholder data from those that do not. Accurate scoping is essential so that all systems that interact with cardholder data are identified, along with any systems and third parties that connect to them or can have an impact on their security. The review is consultant-led, requires key personnel from the network, server, desktop, application and security teams, and consists of an onsite workshop and offsite report writing in a PCI DSS-compatible format.
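To make the scoping logic above concrete, here is an added example (not Penayde's own tooling or methodology) of a small scoping model. It takes a constructed asset inventory and a constructed list of permitted network flows, labels each system as part of the cardholder data environment (CDE), as a connected-to system that is in scope only because it can reach the CDE, or as out of scope, and then lists the flows that are pulling non-cardholder systems into scope. All system names and flows are invented for illustration.

```python
"""Added example: a minimal PCI DSS scoping model built from an asset list and
a firewall flow list. Not Penayde's code; all names and flows are constructed."""
from collections import defaultdict

# Constructed inventory: system name -> does it store, process or transmit
# cardholder data (CHD)? True means the system is part of the CDE.
ASSETS = {
    "pos-terminal": True,
    "payment-gateway": True,
    "card-db": True,
    "web-frontend": False,
    "ad-domain-controller": False,   # authenticates CDE hosts but holds no CHD
    "marketing-crm": False,
    "wiki": False,
}

# Constructed list of flows the firewall permits, as (source, destination).
# Anything not listed is assumed to be blocked by segmentation.
ALLOWED_FLOWS = [
    ("pos-terminal", "payment-gateway"),
    ("payment-gateway", "card-db"),
    ("web-frontend", "payment-gateway"),
    ("ad-domain-controller", "card-db"),
    ("marketing-crm", "wiki"),
]


def classify_scope(assets, flows):
    """Return {system: "CDE" | "connected" | "out_of_scope"}.

    "CDE"          - stores, processes or transmits CHD.
    "connected"    - holds no CHD but has a permitted flow to or from a CDE
                     system, so it can affect CDE security and stays in scope.
    "out_of_scope" - no CHD and no permitted path to the CDE in either direction.
    """
    cde = {name for name, has_chd in assets.items() if has_chd}
    # Connectivity in either direction brings a system into scope, so the
    # adjacency is treated as undirected.
    neighbours = defaultdict(set)
    for src, dst in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)

    scope = {}
    for name in assets:
        if name in cde:
            scope[name] = "CDE"
        elif neighbours[name] & cde:
            scope[name] = "connected"
        else:
            scope[name] = "out_of_scope"
    return scope


def scope_expanding_flows(assets, flows):
    """List permitted flows that cross the CDE boundary.

    Each such flow is what turns a non-CHD system into a connected-to system.
    These are the rules a scoping review examines when the goal is to shrink
    the assessment boundary: either the flow is justified (and the system is
    accepted as in scope) or it is removed and the system drops out of scope.
    """
    cde = {name for name, has_chd in assets.items() if has_chd}
    return [(src, dst) for src, dst in flows if (src in cde) != (dst in cde)]


def scope_summary(assets, flows):
    """Count systems per scope category, useful as a before/after metric."""
    counts = defaultdict(int)
    for label in classify_scope(assets, flows).values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for system, label in sorted(classify_scope(ASSETS, ALLOWED_FLOWS).items()):
        print(f"{system:22} {label}")
    print("boundary-crossing flows:", scope_expanding_flows(ASSETS, ALLOWED_FLOWS))
    print("summary:", scope_summary(ASSETS, ALLOWED_FLOWS))
```

The model is only as good as the flow list it is given: in a real review the permitted flows come from the firewall rulebase and are then confirmed against observed traffic, since a rule that is written down but not enforced (or enforced but not documented) changes the scope outcome. Treating the adjacency as undirected is deliberate; a system that only receives connections from the CDE can still affect its security and so remains connected-to.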

PCI DSS Gap Analysis

Penayde will perform PCI DSS Gap Analysis after scope determination to determine the current level of your compliance and the specific steps required to achieve PCI DSS compliance before carrying out the formal assessment. Penayde has a proven methodology that reduces the time and effort taken to perform a Gap Analysis, whilst producing a high-quality result.

The Gap Analysis includes interviews, a review of network and server configuration, an understanding of current policies and procedures, and recommendations with respect to obtaining PCI DSS compliance, and builds on the in-depth PCI DSS Scope Determination described above.

PCI DSS Audit

The formal PCI DSS assessment, known as the Report on Compliance (RoC), is what your environment is assessed against in order to demonstrate compliance to third parties, business partners, clients and, of course, the card schemes, if a listing on card scheme websites such as those of Visa and Mastercard is required.

Following a PCI DSS Gap Analysis and remediation efforts, your company should be well prepared for the final audit. We generally anticipate a 90-95% score at this point, after which we can put the audit on hold until the final few controls are resolved.

PCI DSS Remediation

We can provide cost-effective solutions for any PCI DSS control and we do not just mean technology. There can be many ways to address PCI DSS controls, including:

  • Adaptation and reconfiguration of existing technology
  • Developing simplified processes
  • Rationalising security policies
  • Compensating controls (risk-based approach)
  • Using open source solutions

Our view is that security technology is generally mature, and it is not often that a new solution is required, as this generally involves cost and extensive resources to configure and maintain. That’s not to say that at some point within the security life-cycle you are not going to need investment in new technology, but it is to say that we will always take a balanced, neutral approach and work out exactly what is right for you. We analyse physical and logical data flows so that you gain a full understanding of all business instances where PCI DSS applies, and how to protect or remove data from these instances to limit the scope and impact of PCI DSS.