PCI-DSS, or the Payment Card Industry Data Security Standard, is the de-facto standard that all merchants, payment providers and banks are required to comply with as a contractual obligation to the major card brands such as Visa, Mastercard and Amex. Since 2010 we have worked with leading Qualified Security Assessors such as Control Case International for the regional business. We remain independent of these QSAs and have no influence over their opinions, reports or audits, which makes us well placed to provide independent advice to our clients, to the best of our knowledge and with the information our clients make available to us.
We are also certified PCI Professionals and have undertaken various successful PCI projects for banks, merchants and payment service providers. Contact us at avantedge@pkfmalaysia.com
Our journey started in 2010 when we were approached by a bank to advise on their PCI project. Back then we were very active in ISO27001, and we immediately latched on to this new standard and quickly coordinated with one of the QSAs, Control Case, to serve our clients. Over the years, and through hundreds of hours of training and hands-on experience in how QSAs perform gap assessments, certification audits and implementation, we have built a portfolio of products and services for PCI:
a) PCI Project Management – PMP-certified consultants who are focused on compliance projects. One of the biggest challenges in PCI projects is that implementation often runs into 9 – 15 months, and often longer for banks. This is due to the scope involved, which is usually expansive for any bank project. The key consideration is that for any project of this magnitude and resource involvement, an experienced and independent (not part of the QSA) project team is a must.
b) Card Data Scanning – We use a QSA-developed and qualified product, the CDD Scanner, for this requirement, which calls for a validated scanner to scan the entire scope for the presence of card data. The scope can be very large if branches are involved, and the scanners require configuration. Our team has experience with the Control Case CDD scanner and can run this efficiently for the bank and ensure that the report is submitted in the form the standard requires.
c) Risk Assessment – This is considered mandatory for PCI-DSS v3.0. For organisations that do not have a risk management team or enterprise risk group with technology capability, we are certified in ISO27001 and 27005 risk management practices, which are acceptable under the PCI-DSS standard. We can conduct the entire RA on behalf of the bank, including documentation of the methodology, training, facilitation of the risk control assessment (RCA) workshops, risk reporting and development of the risk treatment plan.
d) PCI training – While training itself may seem a mere formality, the new version of the standard requires more supporting documents to be produced, as well as verification of the trainers' capability. PCI is a very large subject and requires trainers to be certified or trained in the security subjects related to the compliance. We can provide any training service, from materials to conducting the sessions themselves. We also offer train-the-trainer programs for more cost-effective coverage of this requirement. As our training can also be claimed under HRDF, this represents a good cost saving for the bank as well as a way to comply with Requirement 12. Depending on the number of people in scope for the training, the materials will be developed and distributed to the standards of PCI.
e) Vulnerability Scans and Penetration Testing – Often considered the largest implementation activity in PCI. This is commonly run as a standalone project/program due to the sheer involvement of resources. ASV (Approved Scanning Vendor) scans are mandatory every quarter, as are internal vulnerability assessments. External and internal penetration testing is required every year and MUST comply with the standard of testing. In v3 of PCI-DSS, a documented and accepted methodology needs to be verified and accepted, and the entire exercise of scanning and penetration testing must be tracked, including the qualifications and tools used in the process. We are qualified penetration testers, trained in PCI, and have invested in commercial pentest tools for this purpose. We also have experience with projects involving more than 2,000 assets in scope.
f) Other Products and Services for PCI-DSS
– Logging and Monitoring solutions (SIEM) to address Requirement 10, for our client's operations to use and leverage
– Firewall ruleset analysis to address Requirement 1
– Policy & Procedures review – addresses Requirement 12; done annually to maintain the PCI documentation requirements
I would like to find out more about PCI-DSS in compliance with the requirement from our insurance company. We are operating as a college where we would collect tuition fees from students via credit card. May I know how I can make sure that we are in compliance with PCI-DSS?
Thanks.