
PCI-DSS Compliance

PCI-DSS Compliance Services Offering.


All companies that process, handle or store payment card data must comply with the PCI-DSS requirements. PCI-DSS is the global Data Security Standard created to reduce the fraud associated with the use of payment cards in commercial transactions.

Integrity S.A., as Qualified Security Assessor (QSA), provides audits and professional advice to companies that process and transmit payment card data in the course of their activity.

Additionally, we provide an ongoing compliance management advisory service, named DSSManager, to help organisations stay compliant with the PCI-DSS requirements.


PCI-DSS Advisory

PCI Advisory services are intended for companies that are just starting their efforts towards PCI compliance, or that wish to work with the PCI standards without a formal relationship with the PCI-SSC.

Training

PCI-DSS training allows companies that need to achieve PCI-DSS compliance, but lack the resources to do so, to brief and train the members of a prospective project team.
The training focuses on:

  • What PCI-DSS is
  • PCI-DSS controls explained
  • Compliance implementation methodologies
  • The payment process
  • The certification process and the documents that are part of it

Readiness Assessment

Our QSA team will provide PCI guidance through a risk-based approach, in which:

  • A compliance report, aligned with the PCI requirements, is produced;
  • All compliance goals are validated;
  • The client's team is supported in defining the scope and boundaries of cardholder data;
  • The client receives a workbook following the PCI-DSS Prioritized Approach, together with a timetable for achieving compliance.

Remediation Services

If corrections are required to achieve or maintain PCI compliance, Integrity S.A. QSA staff can:

  • Determine the root cause of the non-compliance;
  • Identify potential solutions to achieve compliance;
  • Propose a project plan and remediation schedule to achieve it.

The team remains available to review progress while the client carries out the remediation activities, to ensure the effort is correctly directed towards achieving compliance.

PCI-DSS Attestation

PCI Attestation services are intended for companies that have a formal obligation to pursue PCI DSS compliance and require the expertise of a QSA company.

SAQ (Self-Assessment Questionnaire)

SAQs are designed for specific types of credit card transactions; there are 9 types of SAQ to date, for example A, B, B-IP, C and D. These questionnaires allow the merchant to self-assess their PCI-DSS compliance, document the practices necessary to conduct credit card transactions securely, and identify cases where there are divergences from the control objectives, documenting how the underlying concerns are addressed in line with the PCI-DSS.

ROC (Report on Compliance)

The report covers more than 200 requirements and is based on on-site work, such as inspection of evidence and interviews, carried out by an Integrity S.A. QSA. The assigned QSA will be responsible for conducting the assessment and will guide the client through the process.

The PCI-DSS assessment carried out includes:

  • A detailed analysis of the organisation's cardholder data environment;
  • A detailed description of the client's compliance with PCI-DSS.

AOC (Attestation of Compliance)

The Compliance Certificate is a formal document issued by Integrity S.A. that certifies the execution of the conformity assessment and its result. It demonstrates that the controls defined as necessary by the PCI Consortium are correctly implemented in the organisation and in the specific environment covered by the certification. This document is issued together with a SAQ or ROC.

  • Compliance Level 1

    Integrity S.A. QSA consultants can help merchants and service providers at this level carry out their QSA assessment, through:

      • PCI compliance assessments;
      • Completion of compliance reports;
      • Completion of the SAQ (Self-Assessment Questionnaire).

  • Compliance Levels 2, 3 and 4

    Merchants and service providers at these levels can request an Integrity S.A. consultant (QSA) to help them:

      • Determine their scope;
      • Define which PCI requirements apply to the organisation;
      • Complete the Self-Assessment Questionnaire (SAQ*).

    * SAQ = Self-Assessment Questionnaire. It is a self-validation tool to assess the security of cardholder data. It demonstrates to both consumers and the bank that the organisation has used an external and independent partner to assess its compliance.

LEVEL   NUMBER OF CARD TRANSACTIONS / 12 MONTHS   SAQ REQUIREMENT*
1       6M +                                      SAQ replaced by PCI DSS certification
2       1M - 6M                                   SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee
3       20K - 1M                                  SAQ mandatory
4       up to 20K                                 SAQ recommended, not mandatory
* SAQ stands for Self-Assessment Questionnaire. It is a self-validation tool to assess the security of cardholder data.

What is PCI-DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. It is a global security standard, with operational and technical requirements, designed to improve control over users' payment card data.

This security standard, and its 12 requirements, aims to ensure a safe environment for users and for the entities that process payment card data, thereby avoiding fraud.

PCI-DSS compliance goals and requirements

The PCI-DSS compliance requirements cover the technical and operational components of the system that contain, or are directly connected to, cardholder data.

If your company accepts or processes credit card payments, you need to comply with the 12 requirements shown in the table below:


GOALS                                          PCI-DSS REQUIREMENTS
Build and Maintain a Secure Network            1. Install and maintain a firewall configuration to protect cardholder data
                                               2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                        3. Protect stored cardholder data
                                               4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program    5. Use and regularly update anti-virus software or programs
                                               6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures       7. Restrict access to cardholder data by business need-to-know
                                               8. Assign a unique ID to each person with computer access
                                               9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks            10. Track and monitor all access to network resources and cardholder data
                                               11. Regularly test security systems and processes
Maintain an Information Security Policy        12. Maintain a policy that addresses information security for employees and contractors

Who must ensure compliance with the PCI-DSS security standard?

All companies that process, handle or store payment card data must comply with the PCI-DSS requirements.

These requirements ensure that the processing of payment card transactions is safe for all parties involved, safeguarding consumers and businesses against theft and data breaches.

Are there any penalties for non-compliance?

Yes. The payment card brands that make up the PCI consortium can fine an acquiring bank up to $500,000 per month for breaches of PCI compliance, and it is quite likely that banks pass this fine on to the merchant.

More serious than fines, however, is the revocation of the right to process payment card transactions, which may be imposed by the PCI Council and amounts to a death sentence for many companies.

What is the PCI Council and what responsibilities does it have?

The PCI Council (PCI-SSC) is an independent global entity created in 2006 by the five main payment card schemes (American Express, Discover, MasterCard, Visa and Japan Credit Bureau).

This entity is responsible for developing and managing the PCI Data Security Standards, and for educating and raising awareness about them. It also recognises QSAs (Qualified Security Assessors) and ASVs (Approved Scanning Vendors) as qualified entities, enabling them to validate compliance in alignment with the PCI Security Standards, as is the case with Integrity S.A., which acts as such a vendor.


Contact us.

Headquarters

Edifício Atrium Saldanha
Praça Duque de Saldanha, nº 1, 2º andar
1050-094, Lisboa | Portugal
T: +351 21 33 03 740
E: info@integrity.pt

And we are present in 18 more countries across EMEA.