Total PCI is a managed security service that provides a compliant payment environment covering all of the PCI DSS requirements. It is a complete solution that removes the need for a client merchant to deal with PCI DSS issues themselves.
We provide the environment either located in your data centre and segregated from the main networks, or hosted from our approved hosting facility, which is accredited to PCI DSS and ISO 27001 and operates in accordance with the UK Data Protection Act. Infosec Partners provides the technology for the complete solution, runs a proactive monitoring service and manages the entire infrastructure from our secure location.
We manage all interactions with third parties on your behalf: we handle the liaison and reporting to the acquiring banks, and we negotiate contracts with the payment service providers.
Infosec Partners scopes and runs all of the vulnerability assessments (quarterly scans) and penetration tests, and manages any remediation needed to achieve and maintain compliance. We also provide the final reporting service, either completing the Self-Assessment Questionnaire (SAQ) on your behalf or using our own QSA team to gain formal certification against the PCI standards.
This is a unique offering in the market: Infosec Partners' Total PCI solution removes the uncertainty and risk.
The PCI DSS is a complex set of requirements which affects most areas of the business, not just the technical or IT-focused functions. It is therefore important that the methodology used to deliver the programme has been tried and tested. The approach we have adopted for the PCI DSS programme of work is as follows:
Scoping study
To achieve PCI DSS compliance it is necessary to carry out a scoping study to establish where cardholder data (CHD) is processed, stored or transmitted by the organisation, thereby defining the cardholder data environment (CDE). Just as importantly, the scoping exercise enables the organisation to de-scope the areas where CHD is not present. In carrying out such a scoping exercise we typically review, at a high level, the architecture, applications, business processes and locations associated with CHD. It is also important to identify any service providers and other third parties engaged by the organisation who may have access to the CHD. Fully understanding the PCI DSS scope for an organisation can be complex and involves fact finding and research in order to:
- Ensure that all CHD payment channels, and all external third parties and service providers, are captured in the scope;
- Ensure that all applications, systems and network elements within your IT infrastructure that store, process or transmit CHD (or are connected to systems that do) are included in the scope of the CDE;
- Ensure that all relevant third-party agreements held by the organisation support PCI DSS compliance;
- Ensure that all external links into the IT infrastructure, including remote user (or client) access, are included.
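As an illustration of the fact-finding step above, the following is an added example (not part of Infosec Partners' service or tooling) of a small cardholder-data discovery scan written in Python. It scans text such as an application log or a data export for 13 to 19 digit sequences, keeps only those that pass the Luhn check, and reports them masked to the first six and last four digits. The log excerpt, the test card numbers and the simplified issuer lookup are constructed for the example.

```python
"""PAN discovery scan to support PCI DSS scoping.

Added example; not part of Infosec Partners' service or any commercial
scanning tool. Walks text (a log file, an export, a file listing) looking
for runs of 13-19 digits, optionally separated by spaces or dashes, and
keeps only those that pass the Luhn check. Hits are reported masked
(first six and last four digits) so the scan output does not itself
become stored cardholder data.
"""
import re
from typing import List, NamedTuple

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample input: one order reference that looks like a PAN but
# fails Luhn, two brand test numbers (one with spaces), a phone number and
# a PAN with its check digit altered so that it fails Luhn.
SAMPLE_LOG = """\
2024-01-15T10:32:01Z INFO order=ORD-1234567890123 status=paid
2024-01-15T10:32:02Z DEBUG card=4111111111111111 exp=12/26 cvv=123
2024-01-15T10:32:03Z DEBUG card=5555 5555 5555 4444 exp=01/27
2024-01-15T10:32:04Z INFO customer_phone=+44 7700 900123 ref=4111111111111112
"""


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked_pan: str


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Coarse issuer lookup from the leading digits (simplified, illustrative only)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "American Express"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid candidate, with its line number and masked PAN."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, brand_of(digits), mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.brand} {finding.masked_pan}")
```

A hit in a log, export or file share is evidence that the system holding it belongs in the CDE (or that CHD is being written somewhere it should not be, as with the debug lines above). The absence of hits does not prove the opposite, since encrypted or tokenised data will not match, so a scan of this kind supplements the architecture review and staff interviews rather than replacing them.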
Attendees
The workshop is carried out against the PCI DSS Security Assessment Procedures (version 2.0), identifying high-level areas of compliance, non-compliance, partial compliance and non-applicability. Importantly, at this stage we identify where compensating controls may be required for your cardholder data environment(s), that is, the areas where credit card and debit card data is processed, either electronically or manually. Consultation with the necessary employees is likely to include (but is not limited to):
IT Manager – to gain an overview of the systems that store, process and transmit payment card data and of the main ways in which cardholder data is secured, such as the use of encryption and access control;
Information Security – to gain an understanding of the existing information security management processes and procedures in place;
Networks Support – to understand the network topology, segregation and external links into the corporate IT network;
Physical Security Manager – to gain an overall understanding of the arrangements for physical security of the IT installation, and in particular of the areas where cardholder data is accepted and transmitted;
Processing Centre Staff – to gain an understanding of the working practices of the staff who deal with credit card processing. We would seek to hold discussions with a sample of your staff working on client contracts that involve the processing of cardholder data.
Note: one individual may fulfil more than one of the above roles.