PCI-DSS Compliance

Payment Card Industry Data Security Standard (PCI-DSS) compliance.

All organisations storing, transmitting or processing debit or credit card data are required to comply with the Payment Card Industry Data Security Standard (PCI-DSS), or face potentially hefty fines and reputational damage should a breach occur.

We have successfully helped organisations of all sizes, with both high and low volumes of annual cardholder transactions, meet their compliance requirements by identifying process flows, carrying out initial gap analyses against the standard, reviewing self-completed SAQs and providing advice on achieving compliance. We can help you too – whether you are already compliant or still have that hill to climb.

An additional benefit we offer, apart from our total independence from any product or service supplier, is our holistic approach to security. We have experts in all aspects of information security, including physical security – a key requirement of the standard and one that is often overlooked.

Many of the ISO 27001 controls also map directly to the requirements of the PCI-DSS. So, if you already comply with ISO 27001 or intend to, you may find compliance with the PCI-DSS less arduous.

Do I Need a QSA?

For most organisations the answer is ‘probably not’. A QSA is generally required to sign off a completed SAQ and in effect acts as an external auditor, showing that you comply with the controls. The standard, however, does not mandate that a QSA sign off SAQs for Merchant levels 2, 3 and 4. Even if your Acquirer insists on a QSA signing off the SAQ, you can still take advantage of independent, cost-effective advice and guidance from consultancies such as Advent IM.

It is our role to assess your current situation, guide you through the standard and assist you in identifying appropriate controls to meet compliance. It is a QSA’s role to ensure the controls are in place by conducting an evidential audit against the SAQ. The two activities should be carried out independently, since auditing your own work is clearly not recommended best practice. Many QSAs are also part of a product or managed service provider, which makes it difficult for them to demonstrate unbiased and independent advice.

Advent IM is not a QSA but can offer a comprehensive, complete review based on recommended best practice across all requirements of PCI-DSS, at a price you can afford.

Already Compliant?

Our services include:

  • A regular PCI-DSS assessment against the Self Assessment Questionnaire (SAQ) to meet ongoing compliance requirements
  • Completion of the Annual Attestation of Compliance (AoC) (you may need this to demonstrate compliance to prospective customers)

Not Compliant Yet?

Our services include:

  • Prioritised Assessment of compliance, identifying any gaps and remediation requirements
  • Physical Security Review to comply with Requirement 9 – a major non-IT related part of the standard
  • Identification and documentation of Compensating Controls
  • Ad hoc help and guidance on remediation implementation including a one-off PCI Audit
  • Re-assessment of compliance after you have implemented all remediation requirements

Make sure your business is PCI-DSS compliant.