Payment Card Industry Data Security Standards (PCI DSS)
- Overview
Payment Card Industry Data Security Standards (PCI DSS)
SecuriCentrix helps organisations comply with the PCI Data Security Standard (PCI DSS), from introductory gap analysis to assessments, technology validation, and security strategy.
We don’t just assess for compliance; we work with you to align your compliance investments with broader business and security objectives.
- Challenges
The Challenges Of PCI DSS
- Identifying the cardholder data environment (CDE) scope and understanding where PCI DSS applies.
- Underestimating the complexity of the technical and operational procedures.
- Failure to recognise the importance of regular testing of systems, applications and processes.
- Lack of active monitoring of audit and system logs resulting in undetected anomalies.
- Maintaining adequate policies and procedures that mitigate the risk of cardholder data exposure.
- Benefits
The Benefits Of Our Services
Experienced and Approachable QSAs
Our QSAs have in-depth knowledge and experience of the Payment ecosystem.
Remediation Advisory
Our QSAs guide you on non-compliance remediation requirements of the PCI DSS standard.
Well-defined methodology
Our QSAs guide you most effectively while educating you on the process, and provide feedback on the gap analysis, assessment and remediation phases.
Unhindered protection
We can also help you customise a business as usual (BAU) approach that provides year-round compliance program support by applying security best practices.
- Scope
Scope of Services
PCI DSS compliance applies to any organisation that stores, processes, or transmits cardholder data. For some businesses, compliance is considered a requirement. For others, PCI DSS is fundamental to business objectives. To address your needs, we offer a portfolio of PCI DSS compliance services:
- Introductory and Advisory
- PCI DSS Level 1 assessment
- Self-assessment (SAQ) assistance
- Vulnerability scanning
- Penetration testing
- Managed SIEM
Frequently Asked Questions
The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) along with Cardholder name, Expiry date and Service code.
- Firstly, if there is no need to store cardholder data, not storing it will reduce, and possibly remove, your PCI DSS scope.
- Truncation: Only the first six (6) and last four (4) digits of the PAN are visible; the remaining digits are replaced by non-numerical characters.
- Encryption: Using industry best practices and non-deprecated algorithms to encrypt the PAN.
- Hashing: Using an industry-accepted, non-deprecated hashing algorithm to hash the entire PAN and storing or displaying only the hashed value. If hashed and truncated versions of the same PAN are both present, you will need to apply a random salt value in the hashing process to ensure that the hashed PAN value cannot be reconstructed from the truncated PAN.
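An added illustration of the truncation and salted-hashing controls listed above (example code written for this page, not SecuriCentrix's tooling; the sample PAN is a constructed test number and HMAC-SHA256 is assumed as the keyed, non-deprecated hash). It also counts how many full PANs remain consistent with a truncated value, which is the reason the salt is needed.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known test card number, not a live PAN.
SAMPLE_PAN = "4111 1111 1111 1111"


def pan_digits(pan: str) -> str:
    """Normalise a PAN by stripping separators and validating its length."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits long")
    return digits


def truncate_pan(pan: str, mask_char: str = "X") -> str:
    """Truncation: keep only the first six and last four digits visible;
    every other digit is replaced by a non-numeric character."""
    digits = pan_digits(pan)
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


def hidden_candidates(truncated: str) -> int:
    """How many full PANs are consistent with a truncated value.
    For a 16-digit PAN only six digits are hidden, so 10**6 candidates
    remain. An unsalted hash of that PAN could be matched by trying each
    one, which is why hashed and truncated forms of the same PAN need a salt."""
    hidden = sum(1 for ch in truncated if not ch.isdigit())
    return 10 ** hidden


def new_salt() -> bytes:
    """Random salt; store it separately from the hashed PAN values."""
    return secrets.token_bytes(32)


def hash_pan(pan: str, salt: bytes) -> str:
    """Salted hash of the entire PAN. HMAC-SHA256 (assumed here) is an
    industry-accepted, non-deprecated choice; only this digest is kept."""
    return hmac.new(salt, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    salt = new_salt()
    masked = truncate_pan(SAMPLE_PAN)
    print(masked)                      # 411111XXXXXX1111
    print(hidden_candidates(masked))   # 1000000
    print(hash_pan(SAMPLE_PAN, salt))  # 64 hex characters, differs per salt
```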
Any organisation that stores, processes, or transmits cardholder data is in the scope of PCI DSS. Always consult your acquirer or card brands for more information.
Any system which stores, processes, transmits, or can affect the security of the cardholder data or the cardholder data environment is in the scope of a PCI DSS assessment.
Merchant PCI Levels are based on the number of annual transactions processed through the environment:
Level 1 – Over 6 million transactions annually.
Level 2 – Between 1 and 6 million transactions annually.
Level 3 – Between 20 000 and 1 million transactions annually.
Level 4 – Less than 20 000 transactions annually.
Service provider levels are based on the number of annual transactions processed through the environment.
Level 1 – processes over 300 000 card transactions annually.
Level 2 – processes under 300 000 card transactions annually.
However, it is the authorising authority (the card brands or your acquirer) that ultimately decides the level of PCI compliance required.
PCI DSS compliance is an annual process.
- Contact your acquirer to determine your level of compliance, and if Level 4, complete the self-assessment questionnaire (SAQ) according to the instructions.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note that ASV scanning does not apply to all merchants: it is required only for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
- Submit the self-assessment questionnaire, a completed passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
- Our Services
Our services
SecuriCentrix’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.