PCI Compliance and Certification Services

ControlCase offers the following standardized PCI certification methodology for all of its clients in year 1. The methodology consists of the following steps:

Gap Analysis (Steps 1 to 3):

ControlCase will perform a gap analysis and the required testing in order to inform the client which controls need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network (including vulnerability and penetration testing) and supporting technical documentation. The assessment process may include interviews with company personnel to determine which PCI requirements are in place and where remediation is required.

The first phase of the project will involve reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation will include:

  • Review of current cardholder environment technology and security features;
  • Mapping touch points to the corporate network;
  • Examining access points and network components for security shortcomings from a PCI perspective;
  • Verification that current documented controls meet the specific PCI DSS requirements;
  • Scans and penetration tests to validate that the client has attained an appropriate level of security.

For this phase, ControlCase consultants will require the following documentation from the client:

  • Current network diagrams of the appropriate environments with respect to cardholder data;
  • Firewall/router configuration details;
  • Data retention and disposal procedures;
  • Policy and Procedures for physical security;
  • Encryption Key Management Policy;
  • Incident Response Policy;
  • Password Policy;
  • Change Control Policy;
  • Build/Patch Policy;
  • Internal Security Testing Procedures.

ControlCase will provide standard templates for the above-mentioned policies and procedures, if so desired by the client.

Remediation plan and support (Steps 4 & 5):

ControlCase will keep track of all remediation efforts and provide monthly status reports to the client on the remediation steps. During this time, the client is expected to implement PCI controls and keep ControlCase continuously informed of all remediation measures.

Certification (Steps 6 to 9):

ControlCase will, as required for the project, deploy a PCI audit team of qualified personnel to carry out an on-site security assessment. After going through internal quality procedures, the client will be issued a Report on Compliance (ROC), and the appropriate certification will be submitted to the various credit card brands.

Certification requirements depend on the level of the service provider. The certification requirements from Visa and MasterCard are as follows:

Visa USA & CEMEA - Service Provider Levels and Validation Actions

Level 1: Any service provider that stores, processes or transmits more than 300,000 Visa accounts/transactions* annually
  • Annual PCI DSS onsite review
  • Quarterly network scan
  • Annual PCI DSS self-assessment questionnaire

Level 2: Any service provider that stores, processes or transmits less than 300,000 Visa accounts/transactions* annually
  • Annual PCI DSS onsite review
  • Quarterly network scan
  • Annual PCI DSS self-assessment questionnaire

* Includes all transactions, regardless of type / channel

Visa Asia/Pacific - Service Provider Levels and Validation Actions

Service providers with more than 300,000 Visa transactions per year:
  • Onsite review: Mandated
  • Quarterly network scan: Mandated
  • Self-assessment questionnaire: Optional

Service providers with less than 300,000 Visa transactions per year:
  • Onsite review: Recommended
  • Quarterly network scan: Mandated
  • Self-assessment questionnaire: Mandated

MasterCard - Service Provider Levels and Validation Actions

Level 1: All TPPs, and all DSEs that store, transmit, or process more than 1,000,000 total combined MasterCard and Maestro transactions annually
  • Annual On-Site PCI Data Security Assessment
  • Quarterly Network Scan

Level 2: All DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually
  • Annual PCI Self-Assessment Questionnaire
  • Quarterly Network Scan

Merchant Service Provider Levels and Validation Actions

Merchant Level 1
  • Selection criteria: Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1
  • Validation actions: Annual On-Site Security Audit and Quarterly Network Scan
  • Validated by: Independent Security Assessor, or Internal Audit if signed by an Officer of the company (audit); Qualified Independent Scan Vendor (scan)

Merchant Level 2
  • Selection criteria: 1 million – 6 million Visa or MasterCard transactions per year
  • Validation actions: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  • Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)

Merchant Level 3
  • Selection criteria: 20,000 – 1 million Visa or MasterCard e-commerce transactions per year
  • Validation actions: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  • Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)

Merchant Level 4
  • Selection criteria: Less than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
  • Validation actions: Recommended Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  • Validated by: Merchant (questionnaire); Qualified Independent Scan Vendor (scan)

Note: While compliance is mandatory for Level 4 merchants, validation is optional but strongly recommended.