Through Nettitude’s presence in both Europe and North America, we are ideally suited to deliver PCI consulting and auditing services for organisations with a global reach.
We ensure that each client is provided with both a primary QSA and secondary QSA on all projects and engagements. This ensures that we maintain a consistent interface with your organisation and generate maximum return on your investment.
The PCI DSS covers more than 240 requirements and is applicable to all types of businesses, ranging from traditional bricks-and-mortar retailers, through to contact centres, mail order companies and e-commerce entities.
Nettitude will guide you through these three phases of the PCI DSS journey, to help achieve and maintain compliance.
PCI Gap Analysis
The recommended approach for organisations embarking on the PCI DSS journey is to have a formal gap analysis. During this exercise Nettitude measures an organisation’s current policies, processes, working practices and technologies against the PCI Data Security Standard (DSS).
A gap analysis typically involves a Nettitude QSA travelling to an organisation’s office and conducting a card data flow assessment. This exercise identifies all areas where card data enters the environment, exits the environment and all places where card data is at rest. The exercise will frequently result in a QSA working closely with IT managers/directors, compliance managers and security officers so as to understand the finer details of how card data is handled. In addition, members of finance and HR may be required to feed into the process so that all aspects of the security standard can be considered.
Once all card data flows have been mapped out, Nettitude will measure the environment against the PCI DSS. This exercise is effectively a backward-facing assessment of the environment against what the PCI DSS requires. Using this data, Nettitude will identify the gaps and provide feedback on areas that are both compliant and non-compliant.
The gap analysis will produce the following documents:
A high level review of the card holder data environment
Identification of all current card holder data processes and storage locations
A fully completed Self Assessment Questionnaire (SAQ)
A fully completed Prioritised Approach Document (PAD)
As part of the gap analysis, Nettitude will also provide a forward-facing roadmap on how the gaps can be bridged. This document provides strategic guidance on how to reduce risk, leverage existing technologies and enhance the environment in line with PCI DSS requirements. At the same time, Nettitude will produce a defined project plan with key milestones that can be realistically achieved.
PCI Card Discovery Services
One of the most fundamental elements within a PCI DSS project is identifying where card data resides. It is common for organisations to be unaware of the intricacies around card data storage in log files, temporary files, backup files and legacy processes. Virtualisation, snapshotting and cloud-based technologies can result in card data being stored in many different files, images and locations, and all of these elements influence the risk of card fraud to an organisation.
So as to address the issues around card data storage, Nettitude provides card discovery services to find PAN data using forensic methods and commercial card discovery tools. As part of this service, Nettitude can identify all areas where card data is stored and provide a roadmap on how it should be managed.
Complementary to the card discovery service, Nettitude is also able to purge unwanted data. This approach uses secure deletion techniques to ensure that the information is removed securely and permanently.
For organisations that want to deploy a proactive PAN scanning tool, Nettitude is able to deploy a small snippet of code to continually assess devices for the storage of card data. If a PAN is detected, an alert is generated to a SIEM device or to an SMTP daemon.
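As an added illustration of the detection step such a scanning snippet relies on (this is example code written for this page, not Nettitude’s tool), the following Python scans text for card-number candidates, rejects random digit runs with the Luhn check, and formats a SIEM-style alert that exposes only the first six and last four digits. The log lines, host name and file path are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit (a deliberately simple pattern).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    # Mod-10 check: doubling every second digit from the right filters out
    # order numbers, timestamps and other digit runs that merely look like PANs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    # PCI DSS display rule: at most first six and last four digits visible.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    # Returns one finding per Luhn-valid candidate, with the PAN already masked
    # so the scanner itself never writes a full card number anywhere.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits)})
    return findings


def siem_alert(host: str, path: str, finding: dict) -> str:
    # Key=value line suitable for syslog forwarding to a SIEM.
    return (f"pan_scanner host={host} file={path} line={finding['line']} "
            f"pan={finding['masked']} action=review")


# Constructed sample: two well-known test card numbers and one non-PAN digit run.
SAMPLE_LOG = """\
2024-03-01 10:01:02 INFO order=1001 card=4111 1111 1111 1111 amount=19.99
2024-03-01 10:01:05 INFO order=1002 ref=1234567890123456 amount=5.00
2024-03-01 10:01:09 INFO order=1003 card=5555-5555-5555-4444 amount=42.10
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(siem_alert("pos-01", "/var/log/app/orders.log", f))
```

The second line is not reported because 1234567890123456 fails the Luhn check, which is what keeps a scanner like this from flooding the SIEM with false positives.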
PCI Policy & Procedure Services
A large part of PCI DSS is based around having strong policies and procedures. In many instances, organisations may have working practices that fit with PCI DSS, however these processes are frequently organic and not shared amongst the organisation at large.
To become PCI DSS compliant and reduce the risk of card fraud, organisations need to document the working processes, document the security technology and document the card data flows that exist within the environment. Once many of these elements are documented they need to be communicated to the organisation at large. Through strong documentation and improved staff awareness, organisations will be able to reduce their risk and maintain a posture that is more consistent with the PCI DSS.
Specific PCI Services
For some clients a gap analysis may not be required. In these instances Nettitude is able to assist with specific areas of the PCI DSS.
In instances where organisations have conducted their own gap analysis or where a gap analysis has been conducted by another QSA company, Nettitude is able to provide both ongoing and focused consultancy to help bridge the gap.
There is no explicit blueprint for achieving compliance and, as a consequence, guidance from an experienced assessor who has seen many types of card data environments can prove to be invaluable.
Nettitude focuses on helping organisations reduce their risk. This may be achieved through numerous approaches and technologies and can frequently result in a PCI DSS scope reduction. These types of approaches can make the compliance journey easier and also reduce the cost of compliance year-on-year.
PCI Support Services
The Payment Card Industry Data Security Standard (PCI DSS) has gone through a series of revisions and will continue to evolve as new technologies and payment solutions develop. As a consequence of this, and due to the annual audit requirement, many organisations choose to work with a Qualified Security Assessor (QSA) partner on an ongoing basis.
As part of Nettitude’s security services, we are pleased to be able to offer our clients access to a focused PCI DSS support service. Clients can contact us during standard office hours, and gain unlimited access to our skilled team of QSAs and security consultants. Clients that use Nettitude’s PCI DSS support services will benefit from proactive advice and guidance when information is released from the PCI Special Interest Groups (SIGs) and when clarification is given around some of the hotter topics of the security standard.
Nettitude provides access to real security consultants, with real security expertise. Instead of accessing an anonymous Wikipedia or extranet service, our consultants can offer you pragmatic advice and guidance that is tailored to individual requirements.
PCI QSA Pre-Audit Services
A PCI DSS audit can be a relatively stressful exercise for organisations approaching their first assessment. So as to give organisations more confidence that they will pass, and to iron out any deficiencies prior to the full audit, Nettitude recommends that they embark upon a pre-audit approximately one month before the final audit.
A full QSA audit can sometimes take weeks to complete. In order to maximise the success of this exercise or even to seek confidence before submitting an SAQ, Nettitude can perform a pre-audit compliance check. During a pre-audit, a QSA consultant will walk through all aspects of the audit, from start to finish. All policies, procedures and working practices will be measured against the PCI DSS requirements.
Configurations will be reviewed, logs will be assessed and vulnerability information will be reviewed and considered. This whole process will be similar to a PCI DSS audit, but with less focus on data collection or data validation.
PCI QSA Audit & ROC Services
Nettitude is one of only a handful of elite PCI-approved companies that is a PCI QSA, a PCI PA-QSA, a PCI P2PE-QSA and a PCI ASV. As a consequence, our highly skilled consultants are able to offer advice and guidance for all types of organisations embarking on the PCI DSS compliance journey. We provide consulting and audit services in the UK, EMEA, the US and Asia Pacific and have a strong portfolio of happy customers.
Nettitude has been involved in PCI DSS since the beginning. Starting as a QSA and ASV and then moving on to become a PA-QSA and P2PE-QSA, Nettitude delivers information security services for a diverse range of clients. As part of the Payment Card Industry reporting requirements, Level 1 merchants and service providers must go through a formal audit once a year. Nettitude provides strong QSA consulting and auditing services to support this requirement.
Nettitude has developed a set of tailored tools and techniques that help us undertake audits both seamlessly and consistently. During our audits, we collect evidence through interview, through review of system configuration, through review of policies and procedures and through review of working practices. Where sampling can be undertaken, Nettitude’s QSAs will collect representative samples of your working practices.