PCI SSC and the payment brands

The standard represents a baseline of technical and operational requirements designed to protect cardholder data and is maintained by PCI Security Standards Council (PCI SSC) – a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The standard is enforced by the payment brands, namely VISA, MasterCard, Amex, JCB and Discover.

Who is it for?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment! It is aimed at ALL entities involved in payment card processing (merchants, processors, acquirers, issuers, and service providers) as well as ALL other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

The standard

The core of the PCI DSS (current version) is a group of six principles and accompanying requirements, around which the specific elements of the data security standard are organised:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Why should my organisation be PCI DSS compliant?

The answer is quite simple, keep your systems secure, and customers can trust you with their sensitive payment card information. When you stay compliant, you are part of the solution – a united, global response to fighting payment card data compromise. 

How can we help

Although the standard itself is quite detailed with its technical (systems), organisational (people) and business (processes) requirements, it can raise quite a few questions and misinterpretations.

Our PCI DSS services aim at:

  • helping you understand the requirements, how they apply to your environment and setting the scope for assessment
  • performing GAP analysis and providing report on findings
  • performing mandatory IT audit required by PCI DSS
  • performing mandated cyber security assessments (vulnerability scanning, penetration testing, ASVs)
  • creating a mitigation action plan and providing detailed guidance to address all findings
  • creating necessary IS documentation (policies, procedures)
  • implementing technical solutions / security controls
  • performing the final audit and submitting the Report on Compliance (RoC)
So, before engaging in the final audit itself, our professional consultants will guide you and prepare your for the certification process. Our team of highly skilled Qualified Security Assessors (QSA) will perform the audit and upon determining the compliance, submit the RoC and Attestation of Compliance (AoC) to attest to the results of a PCI DSS assessment.

PCI DSS validation levels

Depending on your business, whether merchant or service provider, and the number of processed transactions, there are different PCI DSS validation levels set.

For Merchants, levels are defined by the Payment Brands and are based on transaction volume which are determined by the Acquirer. For Service Providers, levels are defined by the Payment Brands according to transaction volumes and the type of Service Provider whilst determined by the Payment Brands or Acquirer.

Therefor, different types of assessments (self-assessment or onsite) as well as different documents are required at different levels.