The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. It applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers and service providers – as well as any other entity that stores, processes or transmits cardholder data. PCI DSS is a minimum set of requirements for protecting cardholder data and may be supplemented with additional controls and practices to further mitigate risk.
There are three ongoing steps for adhering to the PCI DSS:
- Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
- Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
- Report — compiling and submitting the required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and the card brands you do business with.
Pre-ROC and Gap Analysis
Identifies areas where an organization does not comply with the Payment Card Industry Data Security Standard (PCI DSS) and outlines the areas requiring remediation. The goal is to evaluate your company's readiness to pass a PCI on-site assessment.
- Evaluate operations to determine areas in scope for PCI
- Identify gaps in compliance with PCI-DSS
- Recommend and prioritize remediation activities
- Provide an actionable report for remediation
Organizations undergoing an initial PCI DSS assessment typically unearth a laundry list of "must do" action items: areas requiring immediate attention and remediation. Symosis PCI experts can help you fix these issues effectively, save thousands of dollars and hundreds of hours when it comes to an actual PCI Level 1 on-site assessment, and move on with PCI compliance. We use a combination of proprietary methodology and open source software to achieve compliance, with substantial savings passed on to our customers.
- Develop / Tune information security policies, standards, and guidelines
- Help secure the network environment, system configurations and applications
- Secure stored cardholder data, encrypt data in transit
- Perform required network scanning, code review, penetration testing and vulnerability management
- Provide security awareness training
- Secure access control systems and web application firewalls
- Physical Security
- Track and monitor access to network resources and cardholder data
- Regular Security Testing of In-scope Systems and Processes
PCI Validation & Reporting (SAQ or ROC)
To validate compliance, a merchant or service provider needs passing external vulnerability scan reports (quarterly scans performed by an Approved Scanning Vendor, ASV) and one of two assessment documents – a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC). Symosis can help you complete an accurate Self-Assessment Questionnaire (SAQ) or provide a Report on Compliance (ROC) through our QSA partner.
- Provide Guidance/Assist with Self Assessment Questionnaire (SAQ)
- Prepare Report on Compliance (ROC)
- Prepare Quarterly Network Vulnerability Scanning Reports
- Submit Documentation as Required
PCI DSS 3.0 Security Awareness Training
Symosis provides focused training for meeting your PCI compliance obligations, as part of or in addition to your existing PCI compliance efforts. The training addresses the specific developer and IT requirements under sections 5.2 and 6.5 of the PCI DSS, as well as the security awareness training necessary to ensure the compliance objective is met across your organization.
- Topics Covered: PCI DSS Regulatory standards, goals, impact, development processes, security vulnerabilities, remediation techniques, security requirements for data storage, processing and transmission, how design choices affect compliance, security best practices
- Delivery: The course is accessible online or delivered in-person. For more information on this training and more please visit our training compliance page
PCI DSS Policy and Documentation Templates
Payment Card Industry compliance, specifically Requirement 12 (Maintain a policy that addresses information security for all personnel), requires organizations to develop a comprehensive set of documented policies and procedures. Symosis will provide key security policy and procedure templates and coordinate with your IT and business teams to customize them and demonstrate compliance.