PCI DSS Compliance comes in multiple parts. For some, the hardest part might seem to be the road to compliance, but in fact, we see many organizations struggling with remaining compliant: PCI DSS is not a single-use task that is done at a certain date but requires continuous support and Tender, Love and Care.
In fact, the PCI Security Standards Council (SSC) strongly suggest and advocates the development of a plan for continued PCI compliance. The guidance document called “Best Practices for Maintaining PCI DSS Compliance” (January 2019) lists the key issues with maintaining compliance. One of the requirements even requires that businesses develop a PCI Charter and that they assign responsibility for “overall accountability for maintaining PCI DSS compliance.”
The activities and controls within PCI DSS need to be carried out daily, weekly, monthly, quarterly, biannual and annually. There are many reasons why actions can be missed, however, the most common reason is a lack of resourcing. Ideally, maintaining compliance activities should be the core responsibility of an employee or team of employees. However, as a QSA company, we see most companies failing in continuous compliance and see that they stop thinking about PCI as soon as the QSA has left the building. Not to mention the stress when the QSA arrives the next year.
To help companies validating for PCI compliance we developed our PCI Continuous Compliance program, implementing periodic sessions, checks and meetings. This will help to track the PCI DSS Compliance Program activities and to ensure that they are being carried out. By incorporating a QSA in this program you ensure your path towards PCI validation is smooth. Meet our PCI Continuous Compliance Service:
PCI Continuous Compliance service
Our PCI DSS continuous compliance service is a subscription-based service. It offers an attractive and effective method of validating for PCI-DSS and having access to a QSA during the annual cycle. You are guided through the periodic tasks, to help you to keep track of them and that they are available during the compliance period to deal with any issues or questions that come up.
We have summed up the main benefits of our PCI Continuous Compliance service:
- Subscription-based service. Fixed costs
This model is based on a fixed monthly fee, so you can budget the PCI DSS project during the start of the cycle.
- Direct PCI QSA specialized support
The service ensures the availability of a PCI consultant or QSA for any queries during the PCI maintenance management cycle. In addition, any new project or change affecting the PCI scope environment can be pre-analyzed in terms of impact and implemented with the assurance that it is aligned with the requirements of the standard.
- Periodic meetings with a PCI QSA
Periodic coordination by a QSA trains the organization’s resources involved in the dynamics of PCI management and is naturally assimilated within its performance. This is especially important in organizations without resources dedicated to this purpose. This meeting can also be used to discuss any new projects that may impact the cardholder data environment or the way payments are carried out.
- PCI annual assessment at the end of the cycle
Included in the monthly fee is the annual PCI annual assessment. Either the evidence and the full SAQ is checked, or if a Report on Compliance (ROC) is needed, the full audit will be performed. This results in an Attestation of Compliance (AOC).
- Ensures the feasibility of the following PCI certification
The risks of not passing the next PCI audit are minimized, as the service ensures that periodic checks have been executed correctly and in time and that the associated results (of which evidence must be presented during the audit) are compliant with those required by PCI DSS.
- Reduces PCI audit process times
Remediation times and efforts in evaluation processes are drastically reduced. This results in the AOCs recertification and validity deadlines being guaranteed, avoiding unnecessary tensions with customers and/or acquiring entities.
- A gradual reduction in the cost of service
The cost and effort associated with this service can be reduced in the following PCI certification cycles, relegating the comprehensive coordination and review required in the initial cycles to regular monitoring of PCI maintenance activities and QSA support.
The monthly fee depends on the needs of the organization. Included are the 4-mandatory quarterly ASV scans and the annual PCI audit. We also offer annual penetration testing for an attractive price. If you are interested to learn more about how this service could work for your organization. Please contact us at firstname.lastname@example.org or visit our website www.fortytwo.nl