PCI Compliance Governance & Strategy
Maintaining PCI DSS compliance across multiple payment channels, subsidiaries and payment technologies can be complex and challenging. PwC can help your organisation to deal with the challenges of PCI governance and implementing programmes that ensure that compliance is maintained and monitored over time to avoid “compliance fatigue”.
Key elements we can help your organisation with are:
- PCI Governance Model
- PCI Operating Model
- Development of PCI Framework
- Roles and Responsibilities Matrix
In addition, we can help you define your PCI strategy, taking into account your organisation's wider change roadmap, to set you on the correct path to achieving and maintaining compliance in the long term.
PCI DSS Scope Identification, Definition and Reduction
Using our systematic approach, which puts equal focus on People, Process and Technology, we can help you understand your complete PCI DSS compliance landscape. We can rapidly deploy our global team of PCI DSS experts to quickly understand your country-specific or global PCI DSS compliance landscape. This will help you identify and enforce the appropriate PCI DSS control requirements and reduce risk. With this information we can also assist you in identifying scope reduction opportunities (related to both technologies and business processes) to reduce the cost, administrative overhead and overall risk associated with cardholder data.
Payment Process and Cardholder Data Flow Mapping
Our PCI DSS specialists can help you create detailed Cardholder Data and Payment Process Flow Diagrams to provide you with clarity on your “as-is” and “to-be” scope where needed. This is also one of the key requirements (PCI DSS Requirement 1.1.3) for achieving and maintaining PCI DSS compliance.
PCI DSS Readiness Assessment
We assess your PCI DSS compliance against the latest version of the PCI DSS standard and provide you with a detailed report on how you are meeting the requirements, along with recommendations on areas for improvement. In addition, our report will provide you with a clear roadmap of the improvements required to meet all of the PCI DSS requirements, in line with the PCI DSS prioritised approach.
We can support any required remediation activity by collaborating with your internal teams as you work towards achieving your PCI DSS compliance. This will ensure that all remediation activity is carried out in line with PCI DSS requirements and will meet project deadlines.
Managed PCI DSS Compliance Services
Our Managed PCI DSS compliance services allow you to focus on what matters. Our talent, technology and market insights can ensure that you continue to meet your PCI DSS compliance demands whilst achieving economies of scale.
PCI DSS Compliance Programme Management
We perform end-to-end programme management to help you achieve PCI DSS compliance. This includes scope identification and reduction, a PCI DSS gap assessment, remediation management, audit support advisory and the transition of your compliance programme into business as usual (BAU). We are with you every step of the way to give you the best chance of achieving compliance.
Penetration Testing Services
Our CREST / CHECK qualified teams can provide vulnerability management and penetration testing services to help you meet a number of PCI DSS requirements. These are:
- External Penetration Testing (Requirement 11.3.1) – External penetration test annually and after any major change to your network, applications or devices.
- Internal Penetration Testing (Requirement 11.3.2) – Internal penetration test annually and on request after any major change to your network, applications or devices.
- Internal / External Vulnerability Scans (Requirement 11.2) – Internal and external quarterly network vulnerability scans (non-ASV only) and after any major change to your network.
- Segmentation Penetration Test (Requirement 11.3.4) – Annual penetration tests to test your segmentation controls and after any significant change to your environment.
- Wireless Access Point Scan (Requirement 11.1) – Quarterly WAP scans to detect all WAPs connected to your network.