Payment Card Industry Data Security Standard (PCI DSS) compliance is designed to protect organizations and their clients against payment card theft and identity fraud. For any organization that stores, processes or transmits cardholder data, PCI compliance is an obligation.
For others, it is fundamental to broader business objectives. To address your individual needs, we offer a portfolio of PCI DSS compliance readiness/gap assessment services, including PCI DSS 4.0, PCI SSF, PCI P2PE 3.1, PCI in the cloud, and continuous compliance.
As PCI standards and obligations evolve to PCI DSS v4.0, sustaining and demonstrating compliance has become a complex administrative process that requires certified resources to keep up with evolving requirements.
PCI Challenges
PCI compliance is still mandatory, and the clock is ticking. PCI DSS v3.2.1 will be retired on 31 March 2024, after which organizations must immediately comply with PCI DSS v4.0 for the core requirements carried over and updated from v3.2.1. Organizations have until a year later, early 2025, to comply with PCI DSS v4.0's wholly new requirements.
- Mandatory Requirements
- Maintaining Compliance
- Risk Of PCI Fines / Even Disqualification
- PCI-DSS Technical Capabilities
- Organizational Certification
- Competency Gap
- Requirements Understanding / Fulfillment
- True PCI Scope Definition
PCI v4.0 Requirements
PCI DSS v4.0 keeps the standard current, relevant and effective against emerging threats and technologies.
The PCI DSS v4.0 framework is organized around six security objectives, and within those, 12 separate requirement areas. Each requirement incorporates a range of preventive, detective and directive controls.
- The Payment Card Industry is releasing the newest version of the PCI DSS – version 4.0.
- The framework supports flexibility and unique/customized methodologies used to achieve security.
- It allows tailored validation procedures and methods for unique or customized security solutions.
Build & Maintain Secure Network | Protect Cardholder Data | Vulnerability Management Program
---|---|---
1. Install & Maintain Network Security Controls | 3. Protect Stored Cardholder Data | 5. Protect All Systems & Networks from Malicious Software
2. Apply Secure Configurations Across All System Components | 4. Protect Cardholder Data with Strong Cryptography During Transmission over Open Public Networks | 6. Develop & Maintain Secure Systems & Software

Strong Access Control Measures | Continuous Monitoring & Testing | Information Security Policy
---|---|---
7. Restrict Cardholder Data & System Components Access By Business Need-To-Know | 10. Proactively Log & Monitor All Access to System Components & Cardholder Data | 12. Maintain Information Security & Organizational Policies Across Employees / Contractors
8. Identify Users & Authenticate Access to System Components | 11. Test System & Network Security Regularly |
9. Restrict Cardholder Data Physical Access | |
PCI DSS v4.0 Goals
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. PCI DSS v4.0 is the next evolution of the standard. The new version was driven by industry feedback and further strengthens the protection of payment data with new controls that address sophisticated cyber attacks.
- Meet PCI Requirements
- Security as a Continuous Process
- Methodology Flexibility
- Validation & Authentication
PCI Methodology
Forecight’s senior consultants can augment ongoing compliance maintenance by supporting critical, resource-intensive tasks and technology investments, and by proactively reducing your PCI footprint so that compliance is easier to achieve and maintain.
Depending on your current PCI state, Forecight will define an approach customized to your compliance, budgetary and time requirements. The phased engagement provides specific work streams aligned to your PCI cybersecurity posture and the impact of compliance requirements. Each work stream adopts and builds on the PCI activities your organization has already accomplished, resulting in a manageable compliance strategy.
- Cybersecurity Risks & Threat Modelling
- Targeted Industry Specific Maturity Levels
- Current Cybersecurity Strategy
- Cybersecurity Program Adjustment & Sequencing
- Detailed Final Report & Management Presentation
The output will include a phased approach of activities, quick-wins, long term strategy, and appropriate key performance indicators to track PCI DSS compliance progress.
PCI Advisory Services
PCI Workshops
Review your organization’s PCI requirements with key decision makers and align the road-map to reduce PCI footprint.
PCI Gap Analysis / Remediation
Discover areas of PCI non-compliance with a final detailed report highlighting recommendations, remediations and scope reduction to support the ease of maintaining PCI compliance.
SAQ / AOC Completion
Quick workshop focused on your PCI requirements to provide your organization with Self Assessment Questionnaire (SAQ) completion and execution of Attestation of Compliance (AOC).
PCI Pre-Audit
A PCI compliance test developed for clients and their key stakeholders ahead of a Level 1 PCI audit, to ensure your organization will successfully meet all PCI Level 1 audit requirements.
PCI Analysis & Preparation
Review of your organization’s PCI policies and procedures, combined with a PCI gap analysis, to provide comprehensively documented processes.
PCI Vulnerability Scan
Internal and external vulnerability scans to identify known weaknesses in network structures and to search for vulnerabilities on internal hosts that could be exploited in a pivot attack.
Penetration Testing
Analyze network environments, identify potential vulnerabilities and try to exploit those vulnerabilities aligned to PCI DSS Requirement 11.3 (applicable to SAQ C and SAQ D).
Web Application Security Audit
Testing of your PCI cardholder data environment (CDE) using the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM) and Penetration Testing Execution Standard (PTES) methodologies, discovering vulnerabilities through a blended approach of automated discovery and manual testing.
PCI Level 1 Audit & Support
An in-depth assessment outlining your PCI requirements, gaps and remediation report, coupled with an executive summary and the final PCI certificate required to meet PCI requirements.