Infosec Partners Group
The Long Barn, Tufton Warren, Hampshire, England, RG28 7RH
Total PCI
Fully Managed PCI DSS compliant platform

Total PCI is a managed service that provides security managed services and a compliant payment environment covering 100% of the PCI DSS requirements. Total PCI is a complete solution and removes the need for a client merchant to deal with PCI DSS issues themselves.

We provide the environment either located in your data centre and segregated from your main networks, or hosted from our approved hosting facility, which is accredited to PCI DSS and ISO 27001 and compliant with the UK Data Protection Act. Infosec Partners provides the technology for the complete solution, runs a proactive monitoring service and manages the entire infrastructure from our secure location.

We manage all interactions with third parties on your behalf: we handle the liaison and reporting to the acquiring banks, and we negotiate contracts with the payment service providers.

Infosec Partners scopes and runs all of the vulnerability assessments (quarterly scans) and penetration tests and manages any remediation needed to guarantee compliance. We also provide the final reporting service, either completing the Self-Assessment Questionnaire on your behalf or using our own QSA team to gain formal certification to the PCI standards.

This is a unique offering in the market: Infosec Partners' Total PCI solution eliminates uncertainty and risk.

The PCI DSS is a complex set of requirements that affects most areas of the business, not just the technical or IT-focused functions. It is therefore important to make sure that any methodology used to deliver the programme has been tried and tested. The approach we have adopted for the PCI DSS programme of work is as follows:

Scoping study

To achieve PCI DSS compliance it is necessary to carry out a scoping study to establish where cardholder data (CHD) is processed, stored or transmitted by the organisation, thereby defining the cardholder data environment (CDE). Just as importantly, the scoping exercise enables the organisation to de-scope the areas where CHD is not present. In carrying out such a scoping exercise we review, at a high level, the architecture, applications, business processes and locations associated with CHD for PCI DSS compliance. It is important to identify any service providers and other third parties engaged by the organisation who may also have access to the CHD. Fully understanding the PCI DSS scope for an organisation can be a complex task that involves fact finding and research in order to:

  • Ensure that all CHD payment channels, all external third parties and all service providers are captured in the scope;
  • Ensure that all applications, systems and network elements within the organisation's IT infrastructure that store, process or transmit (or are connected to) CHD-related information are within the scope of the CDE;
  • Ensure that all relevant third-party agreements held by the organisation support PCI DSS compliance;
  • Ensure that all external links into the IT infrastructure, including remote user (or client) access, are included.

Attendees

The workshop is carried out against the PCI DSS Security Assessment Procedures (version 2.0), identifying high-level areas of compliance, non-compliance, partial compliance and non-applicability. Importantly, at this stage we identify where compensating controls may be required for your cardholder data environment(s) (the areas where credit card and debit card data is processed either electronically or manually). Consultation with the necessary employees is likely to include (but is not limited to):

IT Manager – To gain an overview of the systems that store, process and transmit payment card data and of the main ways in which cardholder data is secured, such as the use of encryption and access control;

Information Security – To gain an understanding of the existing information security management processes and procedures in place;

Networks Support – To understand the network topology, segregation and external links into the corporate IT network;

Physical Security Manager – To gain an overall understanding of the arrangements for physical security of the IT installation, and in particular of the areas where cardholder data is accepted and transmitted;

Processing Centre Staff – To gain an understanding of the working practices of the staff who deal with credit card processing. We would seek to hold discussions with a sample of your staff who are working on client contracts that involve the processing of cardholder data.

Note: One individual may fulfil one or more of the above roles.

Investment

The workshop will take one day, based on the information that has been provided. The output of the exercise will be the accurate scope of the cardholder data environment and a realistic assessment of the areas that need improvement to achieve full compliance.

What is PCI Compliance?
The Payment Card Industry Security Standards Council (PCI SSC) requires the use of PCI Qualified Security Assessors to perform PCI on-site security audits using the PCI Security Audit Procedures to assess compliance with the PCI Data Security Standard.

As a Merchant or Service Provider, you are responsible for ensuring that you achieve and maintain compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The DSS defines requirements for the protection of consumers' payment card information while stored, in transit or during processing. Organizations that fail to comply with the PCI DSS potentially face significant fines, loss of customer goodwill, and may lose the ability to accept credit cards for payment.

Each payment card brand assigns each merchant and service provider a 'level', based on the organization's annual volume of payment card transactions. While every merchant and service provider must comply with all applicable requirements in the DSS, reporting requirements differ by 'level'. Organizations of all levels are required to have quarterly external network scans performed by an Approved Scanning Vendor (ASV). Additional reporting requirements include either the completion of a Self-Assessment Questionnaire or an onsite audit performed by a Qualified Security Assessor (QSA). InfoSec Partners is a PCI Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV).

We assist clients in meeting and maintaining their PCI compliance requirements by providing sustainable solutions that may be integrated with other compliance requirements to reduce the overall cost of compliance.
24/7 support contracts available. Contact us to discuss your requirements: 247@InfosecPartners.com, (+44) 1256 893662