
Payment Card Industry Data Security Standards (PCI DSS) Consultancy


Overview

A major challenge in the area of payments is the implementation of PCI DSS to allow a Bank, Merchant or Service Provider to store, process or transmit credit and debit card Primary Account Numbers (PANs).

PCI DSS is a comprehensive set of requirements for enhancing payment account data security. It was developed by the major card brands, through the PCI Security Standards Council, to define the minimum requirements for consistent data security measures for PANs on a global basis.

PCI DSS is organised around six control objectives:

  • build and maintain a secure network and systems;
  • protect cardholder data;
  • maintain a vulnerability management program;
  • implement strong access control measures;
  • regularly monitor and test networks;
  • maintain an Information Security Policy.

PCI DSS is mandatory for organisations that store, process or transmit PANs. Those that cannot demonstrate compliance risk having their ability to accept credit and debit cards withdrawn by their acquirer, as well as being subject to substantial fines and the consequent reputational damage.

Service Offering

BCRM has a well developed, tried and tested approach to resolving the PCI DSS compliance 'challenge'. This multi-stage process will typically consist of:

  • scope optimisation;
  • review of your current Self Assessment Questionnaire (SAQ);
  • technical vulnerability review;
  • pre-compliance review (gap analysis);
  • agree shortfall and how to address it;
  • develop appropriate documentation;
  • assist in selection of tools to implement;
  • implement appropriate controls and tools;
  • other remediation as required;
  • assist in selection of your Approved Scanning Vendor (ASV);
  • PCI DSS awareness training;
  • pre-validation review;
  • assist in the onsite compliance audit by a PCI DSS Qualified Security Assessor (QSA);
  • annual onsite audit;
  • quarterly network vulnerability scans.

As a first step, BCRM consider it essential that a clear scope for PCI DSS compliance be established. Every system that stores, processes or transmits cardholder data, or that is connected to one that does, falls within scope, so BCRM's experience is that an initial scoping exercise to investigate opportunities to reduce that scope (for example by segmenting the cardholder data environment from the rest of the network, or by ceasing to store PANs where they are not needed) can substantially reduce the effort, and therefore the cost, of PCI DSS compliance.

BCRM recommend that Clients choose their own QSA and ASV. BCRM have no commercial interest in this process, but can advise you on the selection if required.

Note: There is a great deal of synergy between ISO 27001 and PCI DSS, and the implementation of ISO 27001 will assist in many areas of PCI DSS compliance. A high-level mapping showing the synergy between the two standards is given here.

Approach

We approach each project in the same manner:

  • definition of the scope of the project;
  • define and agree the legislation and regulation applicable;
  • understand your business;
  • review your SAQ;
  • undertake technical testing;
  • undertake a risk assessment;
  • perform a gap analysis;
  • agree work to be performed and delivery format;
  • define and agree workflows;
  • produce and agree documented procedures;
  • implement awareness training;
  • undertake relevant audits;
  • assist in selection of ASV and QSA;
  • ad hoc advice as required.

Benefits

The benefits of using BCRM for implementing PCI DSS compliant processes are:

  • allowing you to better understand the data flows in your organisation;
  • designing processes and procedures specific to your business;
  • developing and delivering relevant training for all your employees to meet their PCI DSS obligations;
  • developing innovative solutions to address your PCI DSS compliance issues;
  • ensuring that your ability to accept card payments is maintained;
  • ensuring that processes and procedures for PCI DSS compliance are documented and tested;
  • ensuring your Compliance and Security Officers have the relevant competence to perform their duties in line with PCI DSS requirements;
  • increasing customer and public confidence in your products and services;
  • managing and treating significant risks to reduce them to an acceptable level in line with your risk appetite;
  • reducing the risk of breaches and the ensuing reputational loss and/or fines;
  • saving you money and effort by optimising your scope for PCI DSS;
  • taking some of the burden off your overstretched Compliance and Security Officers;
  • training the IT department and users in their responsibilities for PCI DSS.

Next Steps

  • BCRM has a number of other service offerings; these are listed here;
  • BCRM is committed to providing a consistently high value service to our Clients;
  • this process is managed by David Lilburn Watson, who remains personally 'hands-on' throughout;
  • to understand how the BCRM suite of offerings can be used to transform your business, please contact us;
  • we look forward to discussing your specific requirements, at your convenience;
  • whatever other type of consultancy you require, we may be able to offer a free Health Check.