PCI DSS Reduction and Assessment
PUBLISHED on
5 Aug
2022
Scope and Applicability Definition
The Payment Card Industry Security Standards Council (PCI SSC) defines scoping as “the process of identifying all system components, people, and processes to be included in a PCI DSS assessment to accurately determine the scope of assessment.”
It is essential that your organisation is able to conduct this process as accurately as possible and an incorrect assessment can lead to security controls being applied above and beyond what is necessary or security controls not being applied to systems that should be in scope of the standard.
URM’s consultants are able to work with you and help determine the correct assessment scope from which you can proceed to analyse the applicability and necessity of each PCI DSS control requirement.
SAQ Selection
In order to assist merchants and service providers validate compliance with the PCI DSS, the PCI SSC has developed and made available a number of self-assessment questionnaires (SAQs), each of which are applicable to a specific payment scenario.
The 9 SAQs are aimed at those qualifying merchants and service providers that are not required to undergo an on-site data security assessment nor submit a report on compliance (ROC).
Choosing the right SAQ is critical, as incorrect submissions can invalidate your compliance and expose your organisation to greater risk of payment card data breaches. The time and effort involved in completing the different SAQs can also vary considerably.
URM’s consultants can assist in advising which SAQ is most applicable to your organisation
They can also provide invaluable assistance in assessing whether there may be opportunity to reduce the scope of your cardholder data environment, resulting in you having to complete a less onerous SAQ.
Scope Reduction
The best and most cost-effective approach to achieving compliance with the PCI DSS is to reduce the scope of your cardholder data environment.
By limiting where card information is held and processed within your organisation, it is possible to both reduce the likelihood of a payment card breach occurring, and also to significantly reduce the costs and efforts of maintaining and validating your compliance programme.
URM’s consultants can advise you on how your PCI DSS scope can be reduced using a variety of techniques and will explain the benefits and drawbacks of the different options available to your unique environment and situation.
All of URM’s proposed scope reductions are totally vendor agnostic and do not involve any specific vendor solutions or technologies.
For organisations that require additional guidance, URM can provide unbiased remediation and solutions advice that leverage existing technology investments.
How URM can help?
Consultancy
All you need to meet SOC 2 requirements
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
Read more
Consultancy
Do you need any help with ISO 27001 certificate?
URM can help you achieve ISO 27001 certification
Read more
Consultancy
ISO 27002:2022 Support
URM can provide a range of ISO 27002:2022 transition services including conducting a gap analysis, supporting you with risk assessment and treatment activities as well as delivering a 2-day transition training course.
Read more
URM’s consultants have assisted over 400 organisations achieve and maintain certification to ISO 27001.
Find out more
related BLog posts
Information Security
Published on
5/8/2022
PCI DSS – The Payment Card Data Security Standard – What is it?Often referred to as the PCI DSS or quite simply PCI, the Standard was developed by the founding payment brands....
Read more
Information Security
Published on
14/11/2023
What are the Key New Requirements with PCI DSS 4.0Everything you need to know about PCI DSS v4.0: With a particular focus on some of the more challenging requirements such as MFA and payment page scripts.
Read more
Information Security
Published on
9/8/2022
Benefits of PCI DSS ComplianceIn recent blogs, we have focused on how best to ensure you comply with the PCI Data Security Standard....
Read more
We used URM as we had a large amount of information to redact for a Court of Protection case and neither had the time nor the knowledge to be able to complete this appropriately. URM were suggested to us and we made contact. They responded very quickly and were able to explain their role, estimated timescales & costings. During the initial consultation, they were very professional and approachable, and certainly had the skills we required. URM’s consultant provided us with details of the work they had completed before & we felt confident to pursue the work with them. We were on a tight deadline for court and URM were confident that they could provide the services we required in a timely manner. The logistics of sending a large amount of confidential documents were easy to navigate and straightforward. We were unable to very accurately gauge how much work was required, however URM’s Team supported us with this and maintained regular contact regarding their progress and addressed any concerns they had. When we needed to contact them, they were prompt with their responses. The work did take longer that envisaged, however that was due to the amount of work that we, as clients, were unable to accurately identify would be required. We did, however, meet the deadline for court. I would certainly use the services of URM again & if possible would work with same team. The services are not cheap, however redacting sensitive information is a skilled task and, therefore, having a professional complete this work is priceless.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.