As a Merchant or Service Provider, you are responsible for ensuring that you achieve and maintain compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The DSS defines requirements for the protection of consumers’ payment card information while stored, in transit or during processing. Organizations that fail to comply with the PCI DSS potentially face significant fines, loss of customer goodwill, and may lose the ability to accept credit cards for payment.
PCI Service Offerings
Each payment card brand assigns merchants and service providers with a ‘level’, based on the organization’s annual volume of payment card transactions. While every merchant and service provider must comply with all applicable requirements in the DSS, reporting requirements differ by ‘level’. Organizations of all levels are required to have quarterly external network scans performed by an Approved Scanning Vendor (ASV). Additional reporting requirements include either the completion of a Self-Assessment Questionnaire or an onsite audit performed by a Qualified Security Assessor (QSA). eGRC.COM is a PCI Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV).
We assist clients in meeting and maintaining their PCI compliance requirements by providing sustainable solutions that may be integrated with other compliance requirements to reduce the overall cost of compliance. All of eGRC.COM’s PCI services are located in the following table.
eGRC.COM PCI Services
All of eGRC.COM’s PCI professionals currently hold the Qualified Security Assessor (QSA) designation as required by PCI SSC. In addition, our security professionals also maintain one or more of the following certifications: Certified Information Systems Security Professional (CISSP); Certified Information Systems Auditor (CISA); Certified Information Security Manager (CISM); and Certified Information Privacy Professional (CIPP). Our Professionals have delivered multiple engagements to all levels of merchants and service providers across a broad spectrum of industries in the public, private, government and not-for-profit sectors.
- Annual Onsite Audit
- ASV & Internal Network Scans
- Automated Network and System Data Searches
- Continued Compliance Programs
- Gap Analysis/Compliance Roadmap
- Penetration Testing
- Remediation Assistance
- Secure Network and Systems Architecture
- Scoping Assistance
- Self Assessment Questionnaire Assistance
- Web and Application Code Reviews
- Wireless Analysis
Sample PCI Assessment Process Overview
The eGRC.COM assessment process minimizes the impact on business operations by providing a logical, structured approach that emphasizes productivity and maximizes return on investment. A brief example of how eGRC.COM conducts assessments follows:
- Define the scope of work to be performed during the assessment.
- Conduct a pre-assessment meeting to establish expectations, identify the key players in the assessment process, and to provide guidance to the client.
- Receive and review off-site all relevant policies, procedures, and technical documentation.
- Arrive on-site and perform the data security assessment process as detailed in the initial scope of work.
- Provide an initial statement of findings which identifies deficiencies and provides recommendations so that remediation efforts may begin as promptly as possible.
- Generate a Report on Compliance.
- Conduct quarterly and/or on-demand network scans to fulfill ongoing PCI compliance requirements.