
PCI-DSS COMPLIANCE

PCI-DSS Compliance Services Offering.


All companies that process, handle or store payment card data must comply with the PCI-DSS requirements: the global Data Security Standard created to reduce fraud associated with the use of payment cards in commercial transactions.

INTEGRITY, as Qualified Security Assessor (QSA), provides audits and professional advice to companies that process and transmit payment card data in the course of their activity.

Additionally, we provide a persistent management advisory service, named DSSManager, to help organisations be compliant with the PCI-DSS requirements.


DSSManager is composed of three tiers of service, delivered and managed on a proprietary platform owned and developed by INTEGRITY. The base services assist the PCI compliance process in any organisation; the continued services allow a PCI-compliant organisation to maintain its compliant status; and the optional services address the specific needs of each PCI-compliant company.

Base Services include:

• Compliance Portal Access - a customised compliance portal to monitor compliance at any time;
• SAQ Assistance - assistance with Self-Assessment procedures and reporting (SAQ);
• Risk Assessment - promotes a risk-based approach to PCI compliance;
• Gap Assessment - identifies and prioritises actions and control implementations.

Continued Services include:

• Cyber Risk Assessment Reports - a monthly report assessing your cybersecurity and PCI-DSS compliance posture;
• Security Advisor Reviews - regular compliance reviews with your team and one of our expert security advisors, for continuous improvement;
• Compliance Updates & Changes - alerts on any updates or changes to PCI-DSS, which the Portal will also reflect;
• Continuous Pentesting - regular penetration testing of all assets in scope;
• Continuous ASV Scan (for organisations that require it; provided by a third party);
• Vulnerability Scan (when an ASV scan is not required, or to cover additional assets);
• KEEP-IT-SECURE-24 Integration / Network Penetration Testing.

Optional Services include:

• Attestation of Compliance (AOC) certificate;
• On-site security assessments and a full Report on Compliance (ROC);
• Employee Education & Cybersecurity Awareness Training services;
• A vast list of additional on-demand or continuous consulting services related to maintaining PCI-DSS compliance.

Our QSA team will provide PCI guidance through a risk-based approach, in which:

• A compliance report is produced, aligned with the PCI requirements;
• All compliance goals are validated;
• The client's team is supported in defining the scope and limits of cardholder data;
• The client is provided with a workbook following the PCI-DSS Priority Approach, together with a timetable for achieving compliance.

The report covers more than 200 requirements and results from face-to-face work carried out in the field, such as inspection of evidence and interviews conducted by an INTEGRITY QSA. The assigned QSA will be responsible for conducting the assessment and will guide the client through the process.

The PCI-DSS assessment carried out includes:

• A detailed analysis of the organisation's cardholder data environment;
• A detailed description of the client's compliance with PCI-DSS.

If corrections are required to achieve or maintain PCI compliance, INTEGRITY QSAs may:

• Determine the main cause of non-compliance;
• Identify potential solutions to achieve compliance;
• Propose a project plan and remediation schedule to achieve it.

The team will remain available to review progress while the client performs remediation activities, to ensure the efforts are correctly directed towards achieving compliance.

Our team is made up of professionals with extensive, in-depth experience in data protection, ready to support clients in everything they need to keep the cardholder data they process, transmit or store protected.

The client is provided not only with a report but with a deep understanding of their business, enabling them to take the next step.

We are able to provide the required quarterly external vulnerability scan through a trusted business partner, an Approved Scanning Vendor (ASV).

  • Compliance Level No. 1

    INTEGRITY QSA consultants can help merchants and service providers at this level carry out their QSA assessment, through:

      • PCI compliance assessments;
      • Completion of compliance reports;
      • Completion of the SAQ (Self-Assessment Questionnaire).

  • Compliance Levels No. 2, 3 and 4

    Merchants and service providers at these levels can request an INTEGRITY consultant (QSA) to help them:

      • Determine their scope;
      • Define which PCI requirements are appropriate for the organisation;
      • Complete the Self-Assessment Questionnaire (SAQ *).

    * SAQ = Self-Assessment Questionnaire. It is a self-validation tool to assess the security of cardholder data. It demonstrates to both consumers and the bank that the organisation has used an external and independent partner to assess its compliance.

LEVEL   CARD TRANSACTIONS PER 12 MONTHS   SAQ REQUIREMENT *
1       6M +                              SAQ replaced with PCI DSS certification
2       1M - 6M                           SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee
3       20K - 1M                          SAQ mandatory
4       up to 20K                         SAQ recommended, not mandatory

* SAQ stands for Self-Assessment Questionnaire. It is a self-validation tool to assess the security of cardholder data.

What is PCI-DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. It is a global security standard, with operational and technical requirements, designed to improve control over users' payment card data.

This security standard, with its 12 requirements, aims to ensure a safe environment for users and for the entities that process payment card data, preventing fraud.

PCI-DSS compliance goals and requirements

The PCI-DSS compliance requirements cover the technical and operational components of the system that hold, or are directly linked to, cardholder data.

If your company accepts or processes credit card payments, you need to comply with the 12 requirements shown in the table below:


GOALS                                          PCI-DSS REQUIREMENTS
Build and Maintain a Secure Network            1. Install and maintain a firewall configuration to protect cardholder data
                                               2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                        3. Protect stored cardholder data
                                               4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program    5. Use and regularly update anti-virus software or programs
                                               6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures       7. Restrict access to cardholder data by business need-to-know
                                               8. Assign a unique ID to each person with computer access
                                               9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks            10. Track and monitor all access to network resources and cardholder data
                                               11. Regularly test security systems and processes
Maintain an Information Security Policy        12. Maintain a policy that addresses information security for employees and contractors

Who must ensure compliance with the PCI-DSS security standard?

All companies that process, handle or store payment card data must comply with the PCI-DSS requirements.

These requirements ensure that the processing of payment card transactions is safe for all parties involved, safeguarding consumers and businesses against theft and data breaches.

Are there any penalties for non-compliance?

Yes. The payment card brands that make up the PCI consortium can fine a receiving bank up to $500,000 per month for breaches of PCI compliance, and it is quite likely that banks pass this fine on to the merchant.

However, more serious than fines is the revocation of the right to process payment card transactions, which may be issued by the PCI Council and would be a death sentence for many companies.

What is the PCI Council and what responsibilities does it have?

The PCI Council (PCI SSC) is an independent global entity created in 2006 by the five main payment card schemes (American Express, Discover, MasterCard, Visa and Japan Credit Bureau).

This entity is responsible for developing and managing the PCI Data Security Standards and for education and awareness about them. It also recognises QSAs (Qualified Security Assessors) and ASVs (Approved Scanning Vendors) as qualified entities able to validate compliance with the PCI Security Standards, as is the case with INTEGRITY, which acts as a QSA.

CONTACTS

Portugal

Av. João Crisóstomo, n.º 30, 5º
1050-127, Lisboa | Portugal
T: +351 21 33 03 740
E: info@integrity.pt

United Kingdom

Suite 4B
43 Berkeley Square
Mayfair, Westminster
London, W1J 5FJ | United Kingdom
T: +44 20 3318 0800

España

Calle Edgar Neville, 6
28020, Madrid | España
T: +34 91 73 73 417
