Payment Card Industry (PCI)
THE CHALLENGE
According to the Association of Certified Fraud Examiners (ACFE) Global Fraud Study, organizations lose about 5% of revenue annually to fraud. While the study shows that implementing targeted anti-fraud controls such as fraud reporting hotlines, anti-fraud policies, and fraud training for employees and management are on the rise and helping to reduce fraud, there’s still a lot of work to do.
The effects of external fraud (i.e., spam emails, cybercriminals, etc.) or internal fraud (i.e., internal employees) on organizations can be all or any of the following:
THE IMPORTANCE OF PCI DSS
To assist businesses with implementing the necessary protections, the Payment Card Industry Security Standards Council established the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security requirements that businesses that handle credit card data (or do so on behalf of another company) must comply with. Organizations are expected to demonstrate their compliance with PCI DSS annually.
PCI DSS compliance is an essential step for any organization which handles credit card data as it helps to protect customer data, prevent fraud, maintain customer trust, and support organizational resilience.
HOW WE CAN HELP
Whether your organization is new to Payment Card Industry (PCI) compliance and needs some help getting started, or you’ve been doing it for a few years and are ready to comply with PCI DSS version 4.0, Richter can help fulfil your PCI needs.
PCI Readiness Assessment
If your organization is new to PCI compliance, Richter can identify and document the scope of your cardholder data environment: what payment processes are used, where payment card data is stored in your network, what systems come into contact with payment card data, what systems help to secure the data, and who is responsible for all of these aspects.
Once we have a good understanding of your PCI scope, annual credit card transaction volume and payment channels, our team of Qualified Security Assessors (QSAs) will conduct a readiness assessment to identify the gaps that may exist that would prevent you from being PCI compliant. Since even one non-compliant requirement would result in a non-compliant assessment, it’s important to get everything right before jumping in to the PCI validation.
PCI Advisory Services
If you have questions or PCI problems to solve, such as understanding the PCI implications of a new project or business initiative, or whether policies or procedures that you are developing will satisfy PCI DSS, Richter’s experienced team of QSAs can provide assistance.
PCI Validation – Self-Assessment Questionnaire (SAQ)
Once your organization is ready for the annual PCI validation, we can assist you in selecting the appropriate SAQ, which is determined based on how your organization accepts and processes credit card payments. We will then help you with assessing your cardholder data environment against the applicable SAQ. Our team of QSAs can perform the assessment activities on your behalf, or if you are comfortable doing this, we can review your assessment work and sign off as the assisting QSA Company.
We will also prepare the Attestation of Compliance, to be signed by an officer of your company, as well as Richter, attesting to the results of the self-assessment.
PCI Validation – Report on Compliance (ROC)
For merchants with a large volume of annual credit card transactions, that is, greater than 6 million per year, or service providers assisting with greater than 300,000 annual transactions, an onsite assessment by a QSA is required. This is a more thorough assessment than the SAQ assessment, and it results in a Report on Compliance. Our team of experienced Qualified Security Assessors will plan the assessment activities, verify the scope of the cardholder data environment, perform the validation, and issue the Report on Compliance.
We will also prepare the Attestation of Compliance, to be signed by an officer of your company, as well as Richter, attesting to the results of the onsite assessment.