PCI DSS Quarterly Compliance Review
In order to comply with the Payment Card Industry Data Security Standard (PCI DSS), a number of recurring requirements need to be completed and presented to a qualified security assessor (QSA) during the annual assessment (naturally assuming that external auditing is applicable). Failure to perform and document these activities on a quarterly basis (within an 87-93 day timeframe) may hinder your ability to demonstrate PCI DSS adherence, potentially leading to a non-compliant or failing Report on Compliance (RoC).
One of the common challenges many organisations face is ensuring consistent compliance throughout each quarter. The need to balance a strict compliance schedule with daily operational demands and unforeseen disruptions can often result in missed compliance tasks. To address this, URM provides quarterly compliance reviews designed to confirm that all required activities are completed, evidence is properly documented, and necessary scans are successful and compliant, as well as discussing any developments that may impact your compliance with the Standard.
URM’s Quarterly Compliance Review Service
URM’s quarterly compliance reviews are scheduled to start at the commencement of your compliance period and take place during each of the 4 quarters. One of our experienced QSAs will initially work with you to identify the periodic activities essential for your compliance, with a particular focus on those that depend on manual processes. In our experience, these are often the most susceptible to being overlooked.
Once the programme of activities is established, our QSA will schedule quarterly reviews to discuss any challenges and developments that may impact your PCI DSS compliance. They will seek evidence that the periodic activities have been completed successfully. Where required and as an additional service, our QSAs can also provide assistance and feedback to help you complete any missing tasks.
Examples of activities that URM will cover during the quarterly reviews include:
- Verifying that internal and external vulnerability scans are completed and meet passing criteria
- Ensuring that internal and external penetration tests are completed and deemed successful
- Confirming that required manual processes have been carried out, such as:
  - Reviewing firewall configurations
  - Ensuring prompt response to security incidents
  - Checking that patches have been applied on time when manual patching is used
  - Verifying that all staff have completed mandatory training
  - Ensuring that change tickets are properly filed and completed for all relevant changes
- Reviewing the scope as required
- Assessing any targeted risk analyses.
Details of Review Service
At the start of the compliance calendar, a kick-off call is arranged to agree the approach and plan when reviews will take place, providing sufficient time for activities to be remediated if required, within the defined quarter.
URM offers two basic options as part of the quarterly review service:
- One day a year (spread over 4 quarters) – quarterly compliance check to ensure activities have been conducted, discuss any challenges/developments that may impact your compliance, and ensure appropriate evidence is available
- Two days a year (spread over 4 quarters) – as above; however, where compliance gaps are identified during the quarterly review, additional time will be used to validate that those gaps have been appropriately remediated.
URM’s service is tailored to work within your compliance calendar and to address your PCI DSS requirements. It is an expedient, efficient service designed to ensure some of the common pitfalls and omissions are avoided, and can be delivered entirely remotely.
Why URM?
Track record and experience
URM has a team of expert consultants across multiple security disciplines who are all highly experienced in assisting organisations to achieve PCI DSS compliance. Our consultants have worked with hundreds of different companies across a wide range of industries, including local government, entertainment, retail, hospitality, IT services, charities, and many more. They also have experience of working with companies of various sizes, ranging from self-employed individuals to multi-national corporations. So, whatever your PCI DSS needs are, URM will be able to provide a QSA who understands your organisation and can offer the best advice and guidance to help you achieve compliance.
Pragmatic Approach
All of URM’s QSAs pride themselves on their pragmatic approach to both compliance and assessments and will work with you to find the most appropriate and sensible way for you to meet the requirements of the PCI DSS.