Information Technology Consulting Firm Luxembourg

Payment Card Industry - Data Security Standards


Introduction to Payment Card Industry Data Security Standards

In many countries worldwide, there have been instances of hackers accessing computer systems, stealing cardholder data, and using this data to commit fraud. In most cases, these computer systems have been operated by merchants that accept payment cards, or vendors that process payments on their behalf.

In response, Visa has created the Payment Card Industry Data Security Standards (PCI DSS). This is a set of industry-wide requirements and processes, developed in partnership with MasterCard International, and supported by other major international payment card systems.


PCI DSS Scope

It comprises 12 key requirements:

  • Install and maintain a firewall configuration to protect data
  • Do not use vendor-supplied defaults for passwords or other security parameters
  • Protect stored data
  • Encrypt the transmission of cardholder data and sensitive information
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security


The PCI standard aims to give cardholders the assurance that their card details are safe and secure when their debit or credit card is used at the point of sale, over the Internet, by phone, by mail order or through any other medium.

Although the initial focus was on online transactions, PCI compliance applies to any company that stores, processes or transmits cardholder data, and consequently affects merchants with physical stores as well as banks, processors and service providers.

Key Differentiators of IT WORKS SA for PCI compliancy

  • A truly independent audit and consulting company.
  • Former certified QSA for PCI-DSS (until 2016).
  • Former certified ASV for PCI-DSS (until 2016).
  • Technical security alone is not our business; global information security is our focus.
  • Recognized ISO 27001:2005 ISMS expertise.
  • Real expertise in the card payment industry, ensuring usable and credible recommendations.

Our Services

IT Works SA has combined its expertise in card transaction security consultancy to offer a package of PCI compliance consulting services that covers everything from the initial risk assessment through to compliance certification.

Audit Services – Self Assessment Questionnaire

Objectives: The Self-Assessment Questionnaire is a free, confidential online tool that can be used to gauge your level of compliance with PCI DSS.

Once it has been completed, you will have a good assessment of your risk level. If the assessment indicates that remediation work is needed, you will need to undertake this work in order to comply with PCI DSS.

Most businesses will want to download the printable version of the Self-Assessment Questionnaire before submitting their answers online. This means that the questions can be distributed to the appropriate people within the organization in order to obtain accurate answers. In order to validate your compliance with PCI DSS, you will need to pass the self-assessment questionnaire.

To pass the questionnaire you should be in a position to answer all questions positively or indicate, when permitted, that they do not apply to you.

Is this mission appropriate to your needs?
You are considered as Merchant Level 2 or by PCI-DSS and have to complete the questionnaire, but do not really know how to answer it.

What will be the deliverables?
Our consultant will help you to complete the questionnaire in a consistent manner, helping you to determine how compliant you are.

Consultancy Services – Gap Analysis

Remark: For independence reasons, IT Works SA will never deliver both consultancy services and audit services to the same company.

Objectives:
The review will define the nature of the risks that your organization faces and its degree of compliance with the PCI DSS. It will provide a sound foundation for the remainder of the compliance implementation.

If required, we can carry out the gap analysis against the PCI DSS standard and ISO 27001:2005 at the same time, as part of the same process.

We will work with you to:

  • review your IT infrastructure, network design, applications, and information security policies and procedures;
  • if necessary, review your data flows between acquiring and issuing processes to reduce the PCI-DSS impact on your systems;
  • carry out a gap analysis between your existing arrangements and the PCI DSS criteria and, should it be required, ISO 27001.


Is this mission appropriate to your needs?
You are subject to an on-site audit but currently do not comply with the PCI-DSS requirements.

What will be the deliverables?

We will provide you with a gap analysis report including:

  • A draft Report on Compliance (ROC)
  • A proposal of prioritized recommendations to mitigate risk and address issues of non-compliance
  • A remediation plan to address those risks and non-compliance issues.

Consultancy Services – Implementation Assistance

Remark: For independence reasons, IT Works SA will never deliver both consultancy services and audit services to the same company.

Objectives:
During this mission our consultants will help your company to implement the remediation plan and to document the processes in a way that fits the PCI-DSS and any other ISMS standards.

Is this mission appropriate to your needs?
You are subject to an on-site audit but currently do not comply with the PCI-DSS requirements.

What will be the deliverables?

We will help your team to reach PCI-DSS compliance.

We will provide you with an implementation report including a draft Report on Compliance (ROC).

Consultancy Services – Pre-Audit

Remark: For independence reasons, IT Works SA will never deliver both consultancy services and audit services to the same company.

Objectives: The goal is to prepare your company for an official PCI-DSS compliance audit.

Is this mission appropriate to your needs?
You are subject to an on-site audit and think you are compliant with the PCI-DSS requirements.

You have implemented a solution based on PCI-DSS requirements and plan to go for an official compliance audit but want to be sure that everything is in place.

What will be the deliverables?

Our consultants, who were “PCI-DSS QSA” since 2016, will carry out an audit based on procedures and methodologies identical to those that will be used by the certification bodies.

We will provide you with an implementation report including a draft Report on Compliance (ROC).

Useful Related Links

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

www.pcisecuritystandards.org