PCI DSS COMPLIANCE
Achieving PCI DSS Compliance
Understanding PCI DSS Requirements
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major payment card brands to protect cardholder data: the primary account number (PAN) and the sensitive authentication data that travels with it. PCI DSS defines twelve requirements that map to six overall goals:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
PCI DSS defines different validation requirements based on the type and volume of card payments a company processes and on its access to cardholder data. Depending on a company's situation, accepting card payments may require an annual on-site assessment or self-assessment, quarterly external vulnerability scans, and other controls.
Achieving PCI DSS Compliance with MorganFranklin
MorganFranklin has extensive experience in supporting companies throughout the PCI DSS compliance process and is a PCI DSS Qualified Security Assessor (QSA). Based on experience with PCI DSS compliance audits and cybersecurity best practices, MorganFranklin has developed a five-phase strategy for helping companies achieve and maintain PCI DSS compliance with minimal disruption to the business and key personnel.
Phase 1: Scoping
MorganFranklin believes that scoping is the most important part of a PCI DSS compliance project. This phase includes two key steps:
- Performing scoping assessment: The scoping assessment identifies which systems, networks, and personnel store, process, or transmit cardholder data, or can affect the security of that data, and are therefore part of the cardholder data environment (CDE) that is subject to PCI DSS requirements.
- Developing project standards: MorganFranklin will work with stakeholders to develop a project plan and identify required reporting templates for the PCI DSS compliance project.
Phase 2: Testing
Phase 1 identifies a company’s compliance requirements and the PCI DSS report(s) needed to demonstrate compliance. During Phase 2, MorganFranklin determines the company’s current compliance status by completing the following tasks:
- Perform a PCI DSS assessment: MorganFranklin’s QSAs will perform a full PCI DSS compliance assessment to determine which required controls are in place and which controls are missing or deficient and must be remediated to meet PCI DSS requirements.
- Status reporting: Throughout the testing process, MorganFranklin will provide regular reports on the status of the assessment and the current findings to date.
Phase 3: Remediation
At the conclusion of the assessment, MorganFranklin will provide a complete listing of deficient controls that were identified during the assessment. During this phase, MorganFranklin will assist in addressing these issues via the following tasks:
- Remediating gaps: MorganFranklin will provide the client with subject matter expertise on how to close any compliance gaps identified during the testing phase.
- Policies and procedures: MorganFranklin will advise the company regarding any policies and procedures required by PCI DSS that are lacking and assist in developing and implementing the missing policies.
Phase 4: PCI Validation Reporting
After the company has addressed any lacking security controls and passes a PCI DSS evaluation, MorganFranklin will perform the following steps to assist with compliance reporting:
- Preparing validation documentation: Based on the compliance audit, MorganFranklin will generate the reports that the company requires to demonstrate PCI DSS compliance, including a complete listing of audit findings and any required Attestations of Compliance (AOCs).
- Assisting with archiving artifacts: As a QSA, MorganFranklin is required to retain audit-related records for three years; these are organized and stored on a secure extranet site.
Phase 5: Sustainment and Ongoing Compliance
Compliance is not a one-time activity but a continuous process. MorganFranklin provides the following services to support clients with maintaining ongoing PCI DSS compliance:
- Advisory services: MorganFranklin advisors will provide ongoing advisory services to ensure that the company understands how best to maintain PCI DSS compliance throughout the year.
- Compliance management: MorganFranklin will periodically review evidence to ensure that the company maintains compliance with applicable PCI DSS requirements.
The MorganFranklin Way™
MorganFranklin’s approach to cybersecurity strategy and GRC solutions allows our consultants to better protect your organization’s brand against threats of all kinds. We’ll tackle the broader issues associated with corporate governance, enterprise risk management, and corporate compliance with a simple, structured approach.
By aligning with your business objectives, you’ll reap benefits such as:
- Improved decision-making
- Optimal IT investments
- Reduced fragmentation with the elimination of silos
You may have a thorough understanding of the need for a GRC strategy, but you may not have the team or resources to implement internally. MorganFranklin can connect you with one of our GRC experts to create a business-aligned strategy that improves your GRC and overarching cyber security decision-making abilities. From security strategy, planning, budgeting and delivery, our consultants have a strong background in IT leadership and organization design. Whether you need part-time, interim or fully outsourced help, MorganFranklin is your trusted source to define and implement an effective GRC strategy.