PCI Compliance Methodology

We tailor every compliance review to our clients’ requirements; however we have a four phase fundamental process that normally meets our clients’ needs and creates an efficient unobtrusive review so you can focus on your business and we can focus on your compliance.

Scope (phase 1): Since the Payment Card Industry’s (PCI) counsel defines the requirements for compliance, defining the scope of a PCI engagement involves understanding how your organization’s operations align with the Data Security Standards (DSS) requirements.  In order to successfully scope a PCI DSS compliance engagement the following needs to be answered:

1.    Understand your credit card data: Assess what kind of data you maintain, where it resides, and how it is transmitted within your organization and third parties.

2.    Understand who has access to critical systems that handle credit card data:  Security breaches commonly start within your organization.  Have you taken into account best hiring / screening practices and appropriate training of personnel?

3.    Evaluate Vendors: Are you aware of all vendors who may have access to your systems that handle credit card data?  Have you taken precautions to limit your risk with vendors?

4.    Is your network segmented according to the DSS requirements?  Having a properly segmented network can drastically reduce the necessary compliance initiatives and save your company large compliance fees on an annual basis.

Plan (Phase 2):  We offer two options for the planning phase of your compliance review.

1.    We provide our in-house developed questionnaires and request list that are based on the PCI DSS requirements.  Customers benefit from this approach by getting to work at their own pace with just a deadline in mind.

2.    The other option is an onsite visit to perform walkthroughs of the relevant service offerings.  We then customize our review plan and deliver a detail document request list to prepare our clients for phase three (fieldwork).

Fieldwork (Phase 3): Consists of onsite interviews, walkthrough of relevant business processes and testing as it relates to PCI DSS.  Our auditors have a minimum of five years of experience with the big 4, large consulting firms and smaller boutique firms specializing in information technology advisory services.  Due to this we are efficient and understand what is required for each review.   Don’t worry, you don’t have to train our auditors, we are qualified at what we sell.

Report (Phase 4): Your PCI DSS Report on Compliance (ROC) is essentially what you pay us for, therefore we make sure that we have quality written, well define reports that are focused on providing your organization with everything needed to understand how you compare to PCI DSS requirements.  We also provide management recommendations and a road map to correct any deficiencies identified.  We take pride in delivering quality and timely reports and stand behind everything we issue.

Project Timeline for the Four Phase Compliance Review

More Information