MWR InfoSecurity holds PCI QSA and ASV accreditation, and offers a complete range of services to all organisations involved in PCI compliance.
The background
The major payment card companies, such as Visa and MasterCard, have for a long while been concerned about the large number of attacks on organisations’ computer networks that have resulted in the theft or misuse of large blocks of cardholder information (payment card numbers and so on). Often the stolen information could also facilitate identity theft against the cardholders themselves. This causes considerable distress to the people involved and significant additional costs to the card companies.
It was the recurrence of similar types of attack, mainly originating from the Internet, that convinced the big card brands that positive action was necessary to ensure an acceptable level of protection on every computer network that processes payment cards. The result is the Payment Card Industry Data Security Standard, commonly called PCI DSS.
PCI DSS is a mandatory requirement on all organisations that accept or process any form of payment card (credit, debit or pre-paid), develop products for payment card transactions, or store payment card details on their networks. It is a complex and prescriptive standard which can be resource intensive to implement.
The burden is much lighter where an organisation does not process payment cards itself but only accepts card payments through a Point of Sale terminal and passes the transactions directly (untouched) to a Merchant Acquirer: PCI DSS still applies, but the assessment scope shrinks to the terminal environment and validation is usually by a short Self Assessment Questionnaire rather than a full audit.
PCI DSS Services
One day tailored onsite workshop
The MWR InfoSecurity onsite workshop is tailored to address current and potential future issues regarding PCI DSS compliance. The agenda is agreed prior to the day, with adequate time allocated to discuss individual problems or concerns, ensuring that delegates end the day with the knowledge and insight to address their own PCI DSS compliance issues.
The workshop gives attendees an insight into the PCI DSS and guides them towards a structured approach to compliance. The areas covered include:
- The governance structure for PCI DSS compliance
- Who and what is covered
- The two components of PCI DSS compliance: compliance to the standard, validation of compliance
- Where the Self Assessment Questionnaire and the standard diverge
- The possible consequences
- Insights into the requirements
- A structured approach to PCI DSS compliance
- Addressing individual issues within the organisation
- Your questions answered
Benefits
Workshop attendees will gain an insight into the way the PCI DSS is managed and the issues surrounding its implementation. They will also gain an improved understanding of the requirements and how best to meet them within a structured process that addresses the card brands’ main concerns.
The workshop will be tailored to meet the specific needs of the organisation and there will be ample time to address particular problems or situations.
Specialist consultancy on all aspects of PCI DSS compliance
MWR InfoSecurity has specialist consultants in all information security disciplines. Its PCI DSS consultants are not only expert in interpreting the standard but also add value by ensuring that clients do not undertake unnecessary work in implementing it.
Cardholder Data Identification Exercise
When conducting any project to facilitate compliance with PCI DSS it is essential that the project team have access to all of the information about the organisation’s use and management of payment cards. The first part of any PCI DSS compliance project is to identify what payment card information is processed, transmitted or stored by the organisation and where that information traverses the organisation’s networks and systems.
Producing a distribution map of payment card data within the organisation starts with identifying every application that processes payment card data. Each application is then documented in detail so that its card processing, and where it acquires and outputs data, are clear and there are no anomalies. In particular, exactly what the cardholder data consists of (full PAN, truncated PAN, expiry date and so on) and what format it is in needs to be determined at each point.
Once all applications are documented, the inputs and outputs of cardholder data are recorded so that every transmission is accounted for. The applications’ cardholder data is then mapped to individual servers, and the transmissions to physical network components.
This mapping is complex where many applications are spread across a number of separate servers with associated network links, and every store or link that carries cardholder data is in scope for PCI DSS.
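The discovery step described above, worked as an added example (this is not MWR InfoSecurity’s own tooling): a small Python scanner that sweeps constructed sample artifacts for primary account numbers, confirms each candidate with the Luhn check and a coarse issuer-range filter so that Luhn-valid order numbers are not reported as cards, records the storage format and whether sensitive authentication data (CVV, track data) sits on the same line, and masks every PAN in its output so that the inventory does not itself become an unprotected store of cardholder data. The sample log, CSV and config file, the issuer ranges and all function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Loose candidate pattern: 13-19 digits, optionally split by single spaces
# or hyphens.  Precision comes from the Luhn and issuer checks below.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Keywords suggesting sensitive authentication data is stored next to the PAN.
SAD_HINT = re.compile(r"\b(cvv2?|cvc|cid|track[12]?)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Coarse IIN/length classification for Visa, MasterCard and Amex.
    Assumption of the example: publicly documented ranges, not a full BIN table."""
    p2, p4 = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "visa"
    if len(digits) == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "mastercard"
    if len(digits) == 15 and p2 in (34, 37):
        return "amex"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four digits; never write the full PAN to a report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    source: str        # file or system the artifact came from
    line_no: int
    brand: str
    masked_pan: str
    formatted: bool    # separators present: tells you the storage format
    sad_nearby: bool   # CVV/track keywords on the same line


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per confirmed PAN in the artifact text."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            raw = m.group(0)
            digits = re.sub(r"[ -]", "", raw)
            if not luhn_ok(digits):
                continue
            brand = issuer(digits)
            if brand is None:  # Luhn-valid but not a card, e.g. an order number
                continue
            found.append(Finding(source, n, brand, mask(digits),
                                 raw != digits, bool(SAD_HINT.search(line))))
    return found


def build_map(artifacts: Dict[str, str]) -> Dict[str, List[Finding]]:
    """One entry per artifact that actually holds cardholder data."""
    result: Dict[str, List[Finding]] = {}
    for source, text in artifacts.items():
        hits = scan_text(source, text)
        if hits:
            result[source] = hits
    return result


# Constructed sample artifacts (not real data): a debug log, a refunds export
# and a config file as they might be found on an application server.
SAMPLES = {
    "app/payment.log": "\n".join([
        "2013-03-04 10:12:01 INFO order=7000123456789010 auth ok",
        "2013-03-04 10:12:02 DEBUG card=4111 1111 1111 1111 exp=12/15 cvv=123",
        "2013-03-04 10:12:05 INFO txn_ref=20130304101205000",
    ]),
    "reports/refunds.csv": "ref,pan,amount\n1,5555555555554444,10.00\n"
                           "2,378282246310005,20.00\n3,4111-1111-1111-1111,5.00",
    "etc/app.conf": "listen=0.0.0.0:8443\nmax_conn=1000000000000000",
}

if __name__ == "__main__":
    for source, hits in build_map(SAMPLES).items():
        for f in hits:
            print(f"{source}:{f.line_no} {f.brand} {f.masked_pan} "
                  f"formatted={f.formatted} sad_nearby={f.sad_nearby}")
```

On the constructed samples the order number in the log passes Luhn but is dropped by the issuer filter, the config value fails Luhn, and the debug log line is flagged both as a formatted PAN and as having a CVV beside it, which is exactly the kind of finding that expands scope and must be remediated before assessment. A real sweep would run the same logic over file shares, database exports and packet captures, and the mapping of each hit to a server and network link then follows the process described above.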
PCI DSS Gap analysis
During a PCI DSS gap analysis MWR InfoSecurity will look at the current security management capability of the organisation and whether it is appropriate to the PCI DSS.
The existing PCI information security controls are compared against the 260 information security control requirements of PCI DSS, identifying the differences between what is in place and what the standard mandates. This review is not just a mechanistic comparison against the standard, but uses accumulated knowledge and experience and takes into account the intention of the PCI DSS.
The output will be a report setting out the organisation’s capability against the 260 PCI DSS controls.
PCI DSS Health check
A PCI DSS health check comprises a detailed review of the current security management capability of the organisation and whether it is appropriate to the PCI DSS. The MWR InfoSecurity health check considers the client’s knowledge, understanding, and ethos towards security, which will give a good indication of whether it has an adequate level of security knowledge and understanding to provide the required level of protection to cardholder data.
There will also be an examination of the network infrastructure and network management controls and procedures to ensure that traffic is controlled, documented, managed and reported in accordance with the PCI DSS requirements. Maintaining continuity of services throughout the network requires that the computer networks are run in accordance with sound practices and procedures. The health check covers the way in which the client monitors network performance, manages changes and handles information security incidents. It also covers the procedures for providing physical security, back-ups and service continuity.
The findings on the existing PCI information security controls are then reviewed against the 260 information security control requirements of PCI DSS, comparing the controls in place with those the standard mandates and identifying the differences.
The health check report will also provide the client with a prioritised set of the controls and documentation that must be remediated before compliance can be attained.
Development of a PCI DSS compliance roadmap
The results of an MWR InfoSecurity gap analysis or health check can be developed into a remediation roadmap giving the client a set of tasks and criteria for a remediation project. The tasks are prioritised, with the quick wins clearly set out and a resource estimate and priority for each.
PCI DSS compliance remediation
PCI DSS is a requirement additional to an organisation’s business-as-usual information security work. This means the organisation often does not have the resources available to complete the task without taking them away from other important areas.
MWR InfoSecurity is outstanding at providing specialised resource to backfill in areas where organisations cannot provide either the people or the expertise to complete the job. MWR InfoSecurity has a wide range of skilled and knowledgeable consultants in all information security specialisms associated with PCI DSS.
PCI DSS Audit
This is a full PCI DSS compliance audit which follows a formal set of procedures and has a prescribed reporting structure. MWR InfoSecurity is a QSA and can complete the PCI DSS audit on behalf of the client’s Acquirer, or equally add weight to an organisation’s Self Assessment Questionnaire submission.