We don’t do “drive-by assessments”. We work to reduce your costs and improve your overall security. Rather than taking shortcuts and producing quick compliance reports, our reports cover all aspects of your compliance footprint.
We are your long term partner for PCI compliance services. After your initial assessment, we are here to serve as your ongoing resource for your security questions throughout the year.
Our thorough compliance experience and expertise enables us to help you reduce the scope of your compliance process, all the while improving your security and the security/privacy of your customers.
Having assisted many companies with our PCI compliance services, we have found that organizations benefit most from our formalized, predictable, repeatable, and consistent approach. Although our suggested solutions may vary depending on your Merchant Level, we recommend the following for Level 1 and Level 2 merchants:
The vQSA PCI compliance program is a subscription-based service that takes the burden off you by providing access to our team of expert QSAs, security engineers, technical writers, and more at a fraction of the cost of hiring full time employees.
The ROC provides an independent validation of compliance to customers, card brands and acquiring banks. Our ROC assessments are led by experienced senior security analysts who intimately understand the retail and service provider processing models and the idiosyncrasies that make your business unique. We help our customers understand compliance risk, control options and compensating control strategies as they work toward achieving and maintaining PCI compliance.
PCI DSS Requirement 12.1.2 prescribes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. Sword & Shield includes the risk assessment as part of our services. Alternatively, you can conduct the risk assessment and provide results as evidence to the QSA during the PCI Assessment.
For Level 1 and Level 2 merchants and service providers who are planning their first PCI audit and facing a full Report on Compliance (ROC) assessment, the task can be overwhelming. The first-year ROC almost always reveals significant gaps in operations, security processes, and controls. Our PCI Gap Analysis/Remediation Plan reviews your security processes and controls against the full PCI DSS without the in-depth operational control testing required by the ROC testing procedures. Our process identifies gaps and creates a remediation plan that allows your organization to concentrate on meeting compliance timelines and budgetary constraints.
The PCI DSS requirements apply to all of the components of the network containing cardholder data. Therefore, it is important to scan all of the networks to search for cardholder data that may be stored on desktops or back-end accounting systems. A Sensitive Data Discovery Scan will find this cardholder data so that actions can be taken to contain it within the defined cardholder network. Sword & Shield can include the scan in our proposals or you can provide evidence that the cardholder data is contained as described.
Contact Sword & Shield to get a handle on your PCI Compliance.
In addition to the basic services we commonly recommend, these additional services address other areas of PCI DSS to further mitigate risk.
If you have wireless access points in your payment card network, PCI DSS Requirement 11.1 may be applicable. This requires you to test for the presence of wireless access points by using a wireless analyzer at least quarterly.
PCI DSS Requirement 11.3.1 (PCI Penetration Test) requires a network-layer penetration test at least once a year and after any significant infrastructure upgrade or modification. For this service, see the Penetration Testing and Vulnerability Assessment page.
Sword & Shield can provide a formalized policy and procedure package, including fully validated documentation, that meets the twelve domains of the PCI DSS requirements.
Quarterly scanning by an Approved Scanning Vendor (ASV) is required for Level 1 – 4 merchants who transmit, store or process credit card data. We can help you choose an ASV that’s right for you as part of your PCI audit. We can also run the scans for you and provide consulting to assist you in remediating the vulnerabilities. Ask us for a quote for a Facilitated ASV Quarterly Scanning Service.
If you have a website that collects, stores or transmits card data, PCI DSS Requirement 11.3.2 may be applicable. This requires you to perform application-layer penetration testing at least once a year and after any significant application upgrade or modification. For this service, see the Web Security Testing page.
Sword & Shield provides general PCI-related consulting to assist with the completion of an SAQ and the submission of an Attestation of Compliance (AOC). We will help you complete the PCI self-assessment and provide you with practical remediation guidance to help you achieve secure PCI compliance.
If your organization uses multiple merchant accounts (universities and hospitals, for example) and runs multiple business applications that process transactions under each merchant account, this may place your organization at SAQ Level 3 or 4. Your acquiring bank may ask you to roll all the merchant accounts under one or more corporate accounts because of your SAQ level. We can survey your organization to find all of the merchant accounts and determine how payment card information is transmitted, processed and stored. Through this survey we can find the most cost-effective way to manage your PCI compliance.