PCI DSS
What is PCI DSS?
You can read more about PCI DSS in our PCI Basics series and our blog posts, but at the basic level it is a set of twelve (12) high-level requirements that organisations must comply with if they accept transactions via credit or debit cards, or if they store, process, or transmit cardholder data for themselves or on behalf of other people.
The Compliance Cycle
We often talk about PCI as a staged process to start out with. Stage 1 is understanding your current state, which is usually done through a gap analysis. Stage 2 is fixing the gaps and risks identified. Stage 3 is the assessment stage, where the SAQ or RoC is completed.
After that is when you need to start thinking about how you maintain compliance. Compliance is not a one-time process. The assessment happens annually, but you need to be maintaining compliance throughout the year, because the assessment only attests to the state of your controls at a point in time. This is when we start talking about ongoing assurance, or our Managed Assurance Programme, which is a way to minimise the risk that you fall out of compliance over time and to minimise the stress at the end of the year when the next assessment comes around.
How Can Confide Assist?
Confide is the longest-serving local Qualified Security Assessor Company (QSAC) in New Zealand. We are licensed to operate in the Asia Pacific market and regularly work with Australian companies. Over the years we have also assisted organisations further afield in Papua New Guinea, East Timor, the UK, and the USA in achieving their PCI DSS compliance goals.
With our years of experience, we help organisations of all sizes, large and small, to meet their PCI DSS requirements. Our consultants have a range of skills to help assess your organisation.
Our Services
Read more about the services we can provide in the section below. And if you have any questions or want to know how we can help in your specific case, reach out and we’re more than happy to schedule a time to chat.
Understand Your Current State
If you’re just starting on your compliance journey, Confide can help you understand your current state against the relevant PCI requirements. This can include:
- Reviewing the payment channels you support.
- Reviewing and confirming your scope.
- Identifying areas to reduce your compliance scope.
- Identifying areas of non-compliance that will need to be addressed.
We help you understand where the gaps are and how you can remediate them in an effective and efficient way, so that your organisation can demonstrate a clear commitment to security and compliance that is sustainable rather than a once-a-year scramble.
Benefits
- Understand where gaps in your compliance could expose you to risk
- Understand how to build projects with compliance and security from the start
- Benchmark your current alignment with security requirements
- Provide independent assurance to your board, senior leadership team, and key stakeholders
Achieve Compliance
Once you know your current state, the next step is to close the gaps. As an assessor we do not implement the fixes ourselves, but we help you review your options so that you don't go down the garden path, spending time and money only to find that the solution you were promised doesn't actually help you achieve PCI DSS compliance.
Benefits
- Early review of steps you are taking to achieve compliance
- Review whether the products you are evaluating will help close the gap
- Provide suggestions for improvements to processes based on what we know of your environment
Validate Your Compliance
If you’re a merchant with fewer than 6 million transactions annually, or a service provider with fewer than 300,000 transactions annually, you might be asked by your bank to complete a “Self-Assessment Questionnaire” or SAQ. If you have been asked to complete a RoC, see the section on Independent Assessment below.
There are nine different SAQs that could apply, depending on your payment channels. We understand that these documents can be difficult to interpret, and you want to be confident that what you are attesting to is actually true. Our QSAs can explain the documents and requirements in plain English and help you navigate the intricacies of PCI DSS.
We tailor our SAQ assistance to the level of assurance you need, from light-touch high-level reviews right through to full independent assurance where a QSA reviews the evidence and signs the SAQ.
For charities and small businesses, we have tailored offerings to assist you.
Benefits
- An independent specialist resource with years of experience helping guide you based on how others have met their PCI DSS compliance requirements
- Additional assurance for your leadership team and bank showing that your compliance has been independently and accurately verified
Independent Assessment
For merchants with more than 6 million transactions annually, or service providers with more than 300,000 transactions annually or that have been designated as a Level 1 service provider, we can complete a Report on Compliance (RoC).
Our QSAs undertake an in-depth review of the people, processes, systems, and documents that make up your cardholder data environment (CDE) and compile a RoC and Attestation of Compliance (AoC). This in-depth report provides the highest level of assurance that you meet the minimum requirements for protecting your customers’ data, or for providing your customers with a secure service offering.
For designated entities, we can also complete the Supplemental Report on Compliance for Designated Entities (S-RoC, also known as DESV), which adds further controls around governance and technical requirements beyond the standard RoC.
Why Confide?
- Confide has completed hundreds of RoCs over the years. Our QSAs understand the Standard in-depth and have years of experience to make the process as smooth as possible.
- We understand the unique challenges faced by New Zealand organisations with team sizes and structures – we know how to fit this into the requirements.
- We have a broad set of skills assessing different technologies, organisation types, and industries.
- We work with you to help you understand different ways you can meet compliance and achieve continuous improvement.
Compliance Becomes Business as Usual
PCI DSS is a continuous process of maintaining compliance. As the Standard has evolved, more of its requirements need to form part of your business-as-usual (BAU) processes and security strategy rather than being addressed only at assessment time.
Confide can provide subject-matter expertise to perform ongoing checks of your BAU activities against PCI DSS. Identifying issues early minimises the risk of an extended remediation period when your QSA comes onsite for your annual assessment.
Our Managed Assurance Programme (MAP) can be tailored to your environment and can include other supporting services such as:
- Managed vulnerability scanning
- Card Scanning as a Service
- Staff awareness training
We can also help you improve the maturity of your internal compliance programme, supporting your staff with our specialist knowledge and helping them build up their own.
Benefits
- Increased productivity for your teams – let them focus on doing the tasks rather than on oversight of the tasks
- Improved security programme awareness
- Reduced compliance expenses
- Reduced risk of non-compliance
- Create a proactive security posture
What To Do if You’ve Had an Account Data Compromise
If you’ve had an account data compromise (ADC) or been identified as a common point of compromise (CPC), your bank will require you to have a QSA validate your compliance. Depending on the bank and the nature of the breach, this could mean they need a QSA to sign your SAQ, or it could mean they require a full Report on Compliance. We can help you with either.
As part of your remediation programme, we can also provide services that help you demonstrate to the bank that the risk has been minimised, including:
- Managed vulnerability scanning
- Quasar Card Scanning as a Service
We can also put you in touch with independent penetration testers who can assist you in investigations to determine the cause of the breach.
Benefits
- We understand the stress that organisations suffer as part of a breach, and we work with you to understand ways to mitigate the risks.
- Quasar card scanning can be used to show the bank that you’re not storing any cardholder data that would add to the risk.
- Our vulnerability scanning specialists can configure and manage internal and external vulnerability scans to ensure they are run by a qualified independent resource.