Why It's Important
Credit card fraud in the US is at an all-time high. The PCI DSS standard establishes a framework by which organizations can protect their cardholder data environment. By complying with PCI requirements, merchants and service providers can reduce the risk of a breach, gain competitive advantage, and increase their credibility.
How We Can Help
Our PCI engagements focus on managing the full life cycle of our client’s certification process for their cardholder data environment. CompliancePoint offers a full suite of services to assist organizations with all aspects of their compliance effort.
CompliancePoint's services related to PCI Security Standards include the following:
PCI DSS - The PCI Data Security Standard (PCI DSS) applies to major credit card providers and is intended to protect cardholder data. To achieve PCI DSS compliance, all members, merchants and service providers must adhere to this standard, which offers a single approach to safeguarding sensitive data for all card brands.
PCI PA-DSS - The Payment Application Data Security Standard (PA-DSS) applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.
Point-to-Point Encryption (P2PE) - Point-to-Point Encryption, also known as end-to-end encryption, is an emerging technology that is used to protect sensitive credit card data from point of swipe, while in transit, all the way to the payment processor. This type of protection is critical as hackers increasingly focus on stealing credit card data while it is in transit. As a QSA P2PE, CompliancePoint is one of a very select group of PCI compliance certification firms authorized to certify to P2PE standards.
Experian Independent 3rd Party Assessment (EI3PA) - EI3PA is an annual assessment of the ability of Experian's third-party processors to protect Experian's Personally Identifiable Information (PII). If your company processes, stores, or transmits PII provided by Experian, you may be required to have your systems assessed by a QSA to determine how well you protect this information, both externally and internally, from unauthorized users.
Network Vulnerability Scanning & Penetration Testing - These services verify that the network is secure and are a necessary step for compliance with various industry and regulatory standards.
Policies & Procedures - Every organization needs written policies and procedures that clearly define the company’s methods for protecting information and data assets.
Daily Logging & Monitoring - CompliancePoint will design and implement a log management solution that fits your regulatory log retention requirements. The design will ensure that devices log the required information, that the logs are consolidated in a secure central repository, and that the logs are automatically moved to near-line or offline storage for worry-free, long-term retention.
Security Awareness Training - Employees who are not trained in, or generally aware of, information security can be the weakest link in your organization. Many industries require a continuing employee education program and proof that it has been carried out.
Security Consulting - Our Security Consultants understand the risks involved and the security processes and procedures that should be implemented. These services can be related to any aspect of information security such as technology, policy and procedures, network design, disaster recovery, and more.
Key activities, deliverables, and milestones for ensuring your organization's PCI compliance and certification:
PHASE I: Gap Assessment
Our team will review and analyze current policies, procedures, and initiatives relevant to the organization’s debit/credit/payment transaction environment or payment application design. All significant third-party outsourcers and managed service providers will be reviewed as well.
PHASE II: Gap Report & Remediation Plan
After the gap analysis report is developed and delivered, our team will conduct a joint review of the findings and recommendations. Additionally, our team will create a remediation and implementation project plan.
PHASE III: Audit & Reporting
Once the assessment and report of the organization’s PCI compliance is complete, our team will issue or validate the appropriate compliance certificate.