PCI

PCI Qualified Security Assessor (QSA)

Sword & Shield can help your organization not only understand its compliance requirements but also develop risk-based strategies to remediate gaps and maintain compliance. We offer cost-effective PCI compliance solutions that enable your organization to become compliant and stay compliant, regardless of your merchant or service provider level.

Which SAQ Should I Complete?

Level 2, 3 and 4 Merchants and Level 2 Service Providers must complete an annual Self-Assessment Questionnaire (SAQ) to evaluate their organization's compliance with the PCI Data Security Standard. Management must sign off on the accuracy of the self-assessment assertions. Sword & Shield can give you confidence that the requirements are well understood by your staff and that the responses accurately reflect the state of security being claimed. We deliver cost-effective options that help you understand the questionnaire, verify the accuracy of responses, track compliance gaps, and simplify compliance reporting to your acquiring bank.

What Are the Requirements?

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel, including employees and contractors.

PCI Resources
American Express Requirements
MasterCard Requirements
VISA Requirements

PCI GAP Analysis (Pre-Audit)

For first-time Level 1 merchants and service providers, a full Report on Compliance (ROC) assessment can be a daunting task. The first-year ROC almost always reveals significant gaps in operations, security processes, and controls, leaving the organization with many unanswered questions and an unclear roadmap to compliance.

Our PCI Gap Analysis/Remediation Plan avoids the drain on both time and capital associated with a first-time ROC by reviewing your security processes and controls against the full PCI DSS without the in-depth operational testing of controls required by the ROC testing procedures. The process identifies gaps and produces a remediation plan, so your organization can concentrate on meeting compliance timelines within its budgetary constraints.

PCI Onsite Report on Compliance (ROC)

As a PCI QSA, Sword & Shield provides comprehensive assessments against the PCI Data Security Standard for Level 1 Merchants and Level 1 and 2 Service Providers, resulting in a documented Report on Compliance (ROC). The ROC provides independent validation of compliance to customers, card brands and acquiring banks. Our ROC assessments are led by senior security analysts who hold CISA and CISSP certifications. Our auditors understand the retail and service provider processing models and the idiosyncrasies that make your business unique. We help clients understand compliance risk, control options and compensating control strategies as they work toward achieving and maintaining PCI compliance.

PCI Quarterly Scans

Sword & Shield resells the Qualys and SecureWorks Approved Scanning Vendor (ASV) scanning services. Quarterly external vulnerability scanning by an ASV is required for Level 1 through 4 merchants that store, process or transmit cardholder data.
Qualys Quarterly PCI Scans
SecureWorks Managed Security Services

PCI Compliance Central

If you are a service provider processing payment card transactions for a number of merchants, each of those merchants must, at a minimum, complete an annual SAQ. If you are an organization with a large number of widely dispersed point-of-sale locations processing payment cards, you are responsible for completing an annual SAQ for each location. Sword & Shield can provide a cost-effective way to assist these merchants in completing the appropriate SAQ and in conducting quarterly vulnerability scans where required.

PCI Web Application Test

If you have a website that collects, stores or transmits cardholder data, PCI DSS Requirement 11.3.2 may apply: perform application-layer penetration testing at least once a year and after any significant application upgrade or modification. For this service, see the Sword & Shield Web Security Testing page.

PCI Annual Network Vulnerability and Penetration Test

PCI DSS Requirement 11.3.1 requires network-layer penetration testing at least once a year and after any significant infrastructure upgrade or modification. For this service, see the Sword & Shield Penetration Testing and Vulnerability Assessment page.

PCI Wireless Assessment

If your payment card network includes, or could be reached by, wireless access points, PCI DSS Requirement 11.1 applies: test for the presence of wireless access points, and detect unauthorized ones, by using a wireless analyzer at least quarterly. For this service, see the Sword & Shield Wireless Security Testing page.

Find Out More

Sword & Shield has been outsmarting cybercriminals and improving security for enterprises around the world since 1997. To learn more about our Security Testing service and our other areas of expertise, please fill out our Request Consultation form or contact us by phone today.

U.S. Toll-free: 800-810-1885

International: 865-244-3500
