PCI

Payment Card Industry (PCI) Readiness Assessments and Compliance Testing

Overview

The Payment Card Industry (PCI) Data Security Standard is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The Payment Card Industry Security Standards Council, which created the PCI standard, did so to increase controls around cardholder data and thereby reduce credit card fraud resulting from the exposure of that data. Increasingly, merchants, financial institutions, and service providers are finding they need to be PCI compliant. SSAE 16 Professionals provides the solutions to your PCI compliance needs.

Project Scoping

Our professionals will work closely with your management team to ensure your business operations are aligned with the PCI standard. It is critically important to determine which systems are in scope. Through interviews with key management and IT personnel, we can identify the controls that need to be in place to meet the PCI compliance requirements. Once the scope of the project has been determined, we begin the PCI Readiness Assessment.

PCI Readiness Assessment

Companies that are required to be PCI compliant often find the first year is the most difficult. Not only do they have to comply with new audit requirements, but they need to build out their documentation and processes to comply with the standard. This is where our professionals step in. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform walkthroughs. We work side-by-side and collaboratively with your management team and IT personnel and walk through each control objective and control activity. We prepare a detailed work program and identify which controls will pass and which controls will fail. For each failed control, we will provide remediation assistance.

Remediation Assistance

Once the Readiness Assessment has been completed, we will provide a detailed gap matrix which includes specific remediation steps our client must perform to pass the control. In cases where documentation is required, we assist in the development of policies and procedures. Once controls have been remediated, our team will test the control to ensure it will pass. This second phase of testing is performed at no additional cost to our clients. Our vast experience in this area will create efficiencies in the remediation process, saving your company time and money.

PCI Compliance Testing

For clients who do not require a Readiness Assessment, we can begin the PCI compliance testing immediately. Once we have identified the scope of the project, we create a detailed document request list which includes every piece of documentation we need to perform our test procedures. This detailed document request list is sent well in advance of onsite fieldwork, saving your personnel time and creating efficiencies in the process. Once onsite, we work side-by-side and collaboratively with your management team and IT personnel and walk through each control objective and control activity. Since our professionals are very experienced in PCI compliance testing, we are able to minimize disruptions to your business operations while testing is being performed. Our testing procedures will include a mix of interviews, observations, and sampling. Once test results have been compiled, we will share the results with management. We will assist management in drafting responses to any gaps identified during testing and draft a report for management's review.

PCI Compliance Reporting

We will tailor the final report to suit the needs of its intended audience. If your agency, department, or bureau intends to use the report for internal purposes, we will conduct a consulting engagement and collaborate with management to determine the best reporting format for your particular needs. If the primary purpose of the report is to present the findings to external parties, we will perform an agreed-upon procedures engagement and draft the report to comply with the standard reporting format.

Resources

SSAE 16 Professionals has assembled top tier leadership to help our clients through the PCI Readiness Assessment and PCI Compliance Testing process. For further information regarding these services, or to request a fee proposal from SSAE 16 Professionals, please visit our Contact Us page to submit an informational form or call 1-866-480-9485 today. We look forward to hearing from you!