Payment Card Industry Data Security Standard Compliance

PCI DSS Compliance is not an overnight process; rather, it’s the collaboration of numerous initiatives undertaken by various personnel within your organization, all working toward a common goal. Obtaining successful PCI DSS compliance can sometimes be a monumental effort needing coordination that includes a number of business processes spanning a variety of business units that may encompass both manual and automated procedures involving a variety of systems and personnel throughout the organization. So, where do you begin, what’s needed of you and your organization, and where do you find the tools and resources for undertaking PCI DSS compliance? At Schneider Downs, we assist clients with their PCI Compliance requirements by providing scalable, efficient solutions for meeting the rigorous demands of PCI compliance.

Incorporated within our compliance approach is the strategy to develop a control environment that will ensure future compliance is sustainable. Based upon published guidance and experience, we developed a six-phase approach to achieving an effective PCI compliance program with each phase following a clear concise framework designed to deliver value to our clients. Our six-phase approach can be tailored to meet the existing needs of and current task being undertaken by your organization.

Phase I – Awareness and Project Support
Develop the awareness of PCI compliance requirements and the related consequences of non-compliance at the senior management level. The objective of this phase is to obtain the support and backing of management and help make PCI compliance a priority in your organization throughout the compliance lifecycle.

Phase II – Inventory and Dataflow
The objective of Phase II is to inventory and document the flow of credit card information throughout the organization’s various processes. This will encompass data in all forms including electronic, paper and magnetic media such as tape or disk. The engagement team will perform a walkthrough of credit card transactions from initiation, transmission and data usage, to the final storage of the information.

During the credit card information lifecycle assessment, we will utilize the following attributes associated with the flow of credit card data:

  • Data origination – The methods for initiation of credit card transactions throughout the organization including identifying the electronic and manual methods used to accept credit card information.
  • Data in Motion – Map the flow of the credit card information throughout the organization either in paper or electronic form to identify an inventory of all technology components that are instrumental in the transportation, processing and routing of the credit card information.
  • Data at Rest – Identify throughout the organization where credit card information is stored and the format (paper, electronic) of the data.
  • Data in Use – Develop a list of personnel that can access or that utilizes the credit card information. 

Phase III - Design and Scoping
Begin to formulate our strategic IT architecture and process design recommendations that will limit the areas of the network that fall within the scope of the PCI compliance effort. These strategies are designed to help isolate the data involved in your credit card processing process to reduce the ongoing cost and effort necessary to maintain a sustainable compliance program.

Phase IV - Gap and Risk Analysis
Our team of technology and security professionals will conduct the necessary evaluation procedures to test the operating effectiveness of each of the controls. The primary goal of the assessment is to identify all technology and process vulnerabilities that pose a risk to the security of cardholder data that is transmitted, processed or stored. The assessment includes the components that support the payment card infrastructure, including PCs and laptops which access critical systems and storage mechanisms for paper receipts, etc. and the role of any third parties involved with your credit card process flow.

Phase V - Reporting and Remediation Roadmap
Our team will prepare an executive level report detailing the results of our analysis designed to provide a realistic understanding of the current state of your control environment and the risk associated with each of the identified weaknesses or gaps. Detailed recommendations will be developed for each of the gaps that will be designed to provide your organization with a reasonable approach to remediate the gap and achieve compliance objective. The report will classify and rank the recommendations and help prioritize the order of remediation. Working together with your Project Team, we will establish a remediation plan, which will include the necessary steps to remediate the control gaps, estimated time lines and milestones that can be used to manage the remediation effort and track progress over the course of the project.

Phase VI - Sustainment and Governance
Affordable sustainability is critical in maintaining a successful PCI DSS compliance program given PCIs ongoing compliance requirements and the continued threat of credit card breach. We will provide recommendations that would enhance your compliance governance structure and imbed controls in your ongoing processes that will address key security and control activities into operational processes to help make PCI a core organizational competency and provide continual awareness activities focused on keeping management and employees aware of the significance of a continual compliance effort.

We have assisted numerous clients achieve PCI compliance by participating in the design, development, and implementation of internal controls to protect sensitive credit card information. Integrated into our approach is an effective project management to deliver on expectations and to meet management’s deadlines.

For more information on Schneider Downs’ Compliance Services, please contact Eric M. Wright at 412-697-5328 or ewright@schneiderdowns.com.

PCI Management Process, Schneider Downs, 412-261-3644