PCI DSS

General information on PCI DSS

The Payment Card Industry Data Security Standard is a set of requirements to ensure the security of cardholder data stored, transmitted, and processed in company information systems. This standard was developed by the Payment Card Industry Security Standards Council (PCI SSC) founded by international payment systems such as Visa, MasterCard, American Express, JCB and Discover.

Who is required to have a PCI DSS audit?

The PCI DSS requirements apply to all organizations that participate in cardholder data processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other companies that store, process or transmit cardholder data (CHD) and/or Sensitive Authentication Data (SAD).

How often do you need to recertify?

PCI DSS recertification must be done annually.

Results of PCI DSS compliance certification

    Reports from external ASV and internal network scans (after each scan)
    Internal and external penetration test reports
    Wi-Fi scan reports
    Updated information security (IS) regulatory documents
    Completed and validated Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AoC)
    PCI DSS Compliance Certificate

Stages of service provision

  • Preparation

    1. Preliminary audit
    2. External vulnerability scan (ASV) of the network
    3. Internal vulnerability scan of the network
    4. Assessment of the client’s corporate network security by performing external and internal pentests
    5. Search for unauthorized Wi-Fi access points
    6. Penetration tests of the network segmentation controls

  • Certification audit

    1. Collection and analysis of organizational and regulatory documents, and of information about the composition of the client’s Cardholder Data Environment (CDE)
    2. Analysis of processes related to protection and maintenance of system components in the CDE
    3. A compliance audit of the client’s CDE system components according to the PCI DSS requirements:
    ● Interviewing client employees (third-party, if necessary) within the audit procedure developed by the PCI SSC consortium and adapted by the QSA consultant
    ● Analysis of the client’s CDE system component settings and configurations
    ● Assembling an evidence base for compliance of the client’s CDE system components with the PCI DSS requirements
    4. Analysis of security assessment reports on the external and internal perimeter of the client’s CDE network
    5. Development of reporting documents for acquiring banks and international payment systems: the Report on Compliance (RoC) or Self-Assessment Questionnaire (SAQ), and the Attestation of Compliance (AoC)
    6. Submission of the AoC by the consultant to the VISA international payment system to confirm successful completion of the PCI DSS audit
