Treasury merchant id management tool


PCI-self assessment

PCI - self assessment www.pci-selfassessment.com



All of your PCI related projects are in a single platform:

• Assets
• Policies
• Gap Analysis
• Risks
• Procedures
• Compliance Reviews


INTRODUCTION

Our PCI DSS GRC solution provides an end-to-end framework for managing your PCI compliance obligations, starting from the gap analysis that defines an organisation's PCI scope through to the population of its PCI compliance dashboard, which monitors all aspects of the PCI estate. We track all changes from the PCI projects and business changes in your organisation that utilises payment solutions, and link them to your PCI scope via our PCI change management functionality. This is achieved through an integrated PCI Service Catalogue linked to all of the other PCI DSS functions within your business. With this turnkey approach, we enable a complete business-as-usual environment for PCI DSS within your organisation across your extended enterprise.

The PCI service catalogue contains all of your approved PCI service providers, products and services, to ensure the risk management function always keeps your PCI estate compliant and ultimately provides the empirical evidence to aid the generation of your SAQ.

This document describes how PCI 3rd party service providers can place their products and services directly with PCI merchants, thereby enabling the PCI merchants to choose the products and services that can assist them in complying with their PCI compliance obligations as defined by their QSA.

This is a new PCI compliance management service that takes merchants through to PCI compliance. We present your estate as a dashboard and an organisation chart. We approve all changes to your estate through PCI request management.


PCI compliance is expensive and complicated to a lot of merchants because:

• Many service providers that serve merchants today will lose revenue if you eventually fix your PCI compliance
• If you don't believe us, look at your current costs related to PCI and imagine whether you would need to spend such amounts when you become PCI compliant
• Most of the cost is repeated cost because your PCI architecture is fundamentally flawed, and many compliance suppliers would rather keep making money off you than fix the root cause
• You spend money repeatedly in generating logs from assets that are unnecessarily in your PCI scope
• The fact that you have the same problem every year means you are not moving forward and are wasting your money on so-called PCI compliance projects



OUR APPROACH IS DIFFERENT

We start by fixing your PCI compliance architecture, and that is why we can say we can reduce your CAPEX and OPEX for PCI by half and give you a PCI compliant estate that can be maintained for the next 5 to 7 years.

It is in our vested interest that you become PCI compliant, because the more merchants we make PCI compliant, the more clients we get. This is what differentiates us from other PCI compliance solution providers.

We look at your end-to-end PCI estate: from your business units that have the payment channels, to the legal agreements you have with all your suppliers and the products and services you use in your PCI estate, all the way to the reporting of your PCI compliance and the generation of the audit reports you need for PCI compliance reporting.

Because we automate the process, it does not matter how big, small or complex your PCI estate is. Our job is to simplify the end-to-end process, reduce your cost of PCI compliance and allow you to maintain your PCI compliance for the next 5 – 7 years.


WHY OUR SOLUTION IS DIFFERENT

• Our solution was designed by PCI Technical Design Authorities and Compliance Consultants who have worked with Acquiring Banks and large retailers with some of the most challenging estates in the world
• Our motivation is simple, we want to be the PCI Compliance solution provider that can:
  - Guarantee making you PCI compliant in less than 12 months
  - 60% reduction in your CAPEX and OPEX for PCI compliance
  - Ensure you can maintain your PCI compliance for the next 5 – 7 years
• No other service provider can give you that assurance



HOW WE DO IT?

[Diagram labels: Business Unit, Service Catalogue, Telephone, Online]

We start by taking control of the source of the problem which is your merchant ID, the products and services you use within them and the security around the payment channels.

This means all your new changes and additions will be using pre-approved PCI compliant products and services and will automatically be building up your PCI estate. As long as you follow this process, you will maintain your PCI compliance. We are involved from the onset of your PCI journey, even before your Merchant ID has been allocated.

[Diagram labels: Cardholder Present, 3rd Party Products and Services, Merchant ID request]

We also ensure all the products and services that you use in your PCI estate form part of an approved service catalogue of PCI approved service providers.

[Diagram labels: Payment Channel, 3rd Party Provider, PCI Contracts, PCI Compliance Audits, PCI Architecture]

Payment Channel Compliance Security

• Telephone: DTMF
• Online: Tokenization
• Cardholder Present: P2PE


BELOW IS A DESCRIPTION OF THE PROCESS YOUR PARTICIPATION WILL FOLLOW:

• 3rd Party Registration
• Product and services registration with AOC compliance report
• Merchant product and service selection
• Product placement with merchants
• Service provision to the merchant

DASHBOARD

Our dashboard allows you to manage all your payment channels and the assets associated with them. This makes it possible for you to continuously manage your PCI estate at any point in time.

We maintain all your service providers on our service catalogue. All service providers are pre-approved and their compliance to PCI DSS is tracked regularly to keep them compliant.


Managing your payment channel is made easier and avoids having to constantly audit or carry out gap analysis

PCI assets like PEDs require weekly audits. Since we know the owners of the assets, we can maintain the audits.



We manage all your PCI controls allowing you to assign all the controls to a deliverable

Audit Checklist

Our Organisation chart gives you an idea of what your PCI Estate looks like at any point in time and allows you to view the PCI assets in each location



PCI request register allows you to manage all changes to your PCI estate from every business unit

Card requests from your business units are selected from your service catalogue of approved 3rd party providers


Our unique PCI request module is directly connected to your Acquiring Bank, which allows you to automatically track and approve changes before your Bank fulfils the demand

Below, 3 levels of approvals for all changes to your PCI estate



Phone: +44 (0)1604 521 109
Fax: +44 (0)1604 521 001
Email: info@pci-selfassessment.com, rory.o@pci-selfassessment.com

2017

