Risk management with the PCI DSS

What is PCI DSS and why is it relevant?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data and reduce credit card fraud. It applies to any organization that stores, processes, or transmits payment card information, including merchants, service providers, and financial institutions. 

Failure to comply with the terms of the merchant agreement increases the risks associated with penalties including (at the acquirer’s discretion) increased merchant fees, increased compliance and reporting costs, increased recovery costs in the event of a security breach that affects payment card data, and (albeit in an extreme and quite unlikely case) suspension of the organisation’s merchant status. 

How does dotSec help your business with the PCI DSS?

Compliance with the PCI DSS incurs a financial burden that all organisations can do without. Even if an organisation can self-report (more on that below), it still takes time and resourcing to address the annual reporting requirements, and there is a level of risk associated with accidental misreporting that must also be taken into account. We understand this because dotSec is a PCI DSS-compliant service provider and a PCI QSA company, so we know what it takes to remain compliant with the DSS.

So what benefits does our experience bring to the table?

  1. The financial benefit that we provide is that we know how to help your business to reduce its reporting scope, requirements and costs as well!

  2. We also bring a risk-management benefit because, being compliant ourselves, we can help you to manage your PCI DSS reporting risks and costs by guiding you through the compliance process, and ensuring that no omissions or mistakes are made along the way.

The scoping and reporting process

A typical PCI DSS engagement will proceed as follows:

1. Reduce scope and recommend reporting

The first thing to do is to get an overview of relevant documentation, including for example:

  • Network diagrams.

  • Cardholder Data Environment (CDE) and related system architecture documentation.

  • Card-Holder Data (CHD) flows.

  • Relevant policy, network maps, payment system and web-site design documents, and payment-card processing procedures.

  • If necessary, dotSec will conduct interviews with the client stakeholders, in order to confirm its understanding of the client CDE.

  • Any payment acquirer-specific requirements and/or business-specific requirements that the client seeks to meet.

dotSec will then provide a gap analysis that covers the breadth and boundaries of the CDE, the systems that are included within the CDE, and those systems and components which are in scope because they are connected to the CDE and/or may affect the security of the CDE. The gap analysis focuses on how effectively the client meets applicable PCI DSS controls, and recommends effective remediation strategies where shortcomings are discovered.

2. Reporting option 1: SAQ and AOC

Generally speaking, all merchants have reporting requirements, irrespective of their level. However, the specific requirements differ: most merchants, except for the highest level (Level 1), are typically required to complete a Self-Assessment Questionnaire (SAQ). Level 1 merchants, on the other hand, usually need to undergo an annual assessment by a Qualified Security Assessor (QSA).

For the bulk of merchants, the key to PCI DSS compliance is the Self-Assessment Questionnaire (SAQ). Different SAQs exist, each tailored to different types of payment processing environments. The specific SAQ a merchant needs to complete depends on how they process card payments.

SAQ A (Self-Assessment Questionnaire A) is the leanest of the PCI DSS reporting paths, meaning that it can be used (in general) with very little effort or time. 

Merchants prefer SAQ A because there are only 26 controls (and some of those might be non-applicable), and it’s often possible for the merchant to offload many of its PCI DSS responsibilities to third-party providers such as payment gateways or security service providers, as long as those third parties are themselves PCI DSS compliant.

To be eligible for SAQ A, all cardholder data functions must be fully outsourced to PCI DSS-compliant third-party service providers (TSPs), and merchants must:

  • Not store, process, or transmit cardholder data on their systems

  • Use only redirects, iframes, or hosted payment pages

  • Confirm their ecommerce site is not susceptible to script-based attacks. 

3. Reporting option 2: ROC and AOC

Level 1 merchants and service providers, or those merchants/service providers who have particular acquirer requirements, will need to report using a Report on Compliance (ROC). In this scenario, dotSec’s QSA will formally assess the merchant or service provider with the goal of understanding and reporting upon how effectively they meet the applicable requirements of the PCI DSS.

In contrast to the collaborative nature of a scoping or gap-analysis project, the QSA-led PCI DSS assessment is a formal assessment process, the outcomes of which are documented in a formal Report on Compliance (ROC):

  1. If dotSec’s QSA finds that the reporting entity is compliant with the requirements of the PCI DSS, then dotSec will complete and deliver to the entity a ROC and an Attestation of Compliance (AOC).

  2. If dotSec’s QSA finds that the entity does not comply with the requirements of the PCI DSS, then those findings will be documented in the ROC, which will be delivered to the client, and a non-compliant AOC will be issued. A subsequent re-assessment will need to be arranged, under the terms of a separate agreement.

It is important to note that the formal QSA-led assessment must be conducted in a timely manner, since the results of the assessment are intended to provide a point-in-time review of the state of the entity’s in-scope systems. dotSec therefore completes the assessment in line with its obligations as a QSA Company, ensuring that the client remains aware of the assessment timetable, impending deadlines and project completion date as we go.

What next?

If you need to report under the PCI DSS, either using a SAQ or as part of a QSA-led assessment, dotSec is here to help. Our team of experienced professionals can guide you through the entire process, helping you to reduce scope and reporting costs wherever possible. Doesn’t saving you cost reduce our income? Why yes, for one job it does! But if we can cut the costs you’ve been paying to your incumbent QSA company, you’ll be happier, and that’s the recipe for the kind of long-term relationship that we value above all else.

Ensuring compliance with the PCI DSS has the potential to be a risky, painful and expensive experience, but with a dotSec QSA by your side, your journey becomes a lot easier.