Our PCI Services

Our PCI Services will help ensure you’re compliant with the Payment Card Industry Data Security Standard (PCI DSS). We’ll identify problems and implement solutions early – so you can continue ‘business as usual’ and reduce your compliance risks.

  • PCI Gap Analysis
  • PCI ASV Scanning
  • PCI Onsite Assessment
  • PCI DSS SAQ
  • PCI Remediation
  • PCI Security Awareness Programme
  • PA-DSS Validation
  • PCI SAQ Portal

WHY do I need PCI Services?

Any organization or entity that’s involved in payment-card processing or that stores, processes, or transmits account data has to comply with the requirements of the Payment Card Industry Security Standards Council (PCI SSC), founded by American Express, Discover, JCB International, MasterCard and Visa in 2006.

A simple way of looking at this is that if you’re a business that accepts payment cards or a bank or services provider that processes, acquires or issues them, you will need to comply with the PCI Data Security Standard, or PCI DSS.

This means you have to meet six key goals (sometimes referred to as ‘control objectives’) and 12 key requirements:

Build and maintain a secure network

  1. Install and maintain a firewall to protect cardholder data
  2. Avoid vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme

  5. Use and regularly update antivirus software or programmes
  6. Develop and maintain secure systems and applications

Implement strong access control measures

  7. Restrict access to cardholder data on a business need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Monitor and test networks regularly

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy

  12. Maintain a policy that addresses information security for employees and contractors

The costs of non-compliance can be considerable – and include disruption to customer service, personal liabilities for directors in card-fraud cases, fines from a number of different entities, and reputational damage. Therefore, the services of PCI-accredited auditors can be vitally important.

WHAT PCI services does Cognosec offer?

Our job is to help you comply with PCI DSS. We provide audits, scans and assessments, and advice on the mitigation of payment card risks.

We offer six – often interlocking – services.

Each service is explained briefly below.

PCI Gap Analysis

WHAT is it?

A PCI gap analysis identifies discrepancies between existing security policies, procedures and controls in your environment and the 12 requirements of PCI DSS. It’s the first step in ensuring you’re compliant.

WHY do I need it?

It means security failures can be prevented, and gaps closed through remediation (see below).

WHEN do I need it?

As mentioned, a gap analysis is the initial stage of PCI compliance. However, we see them as part of an iterative process, to be repeated as organizations develop and grow, and technologies and the ‘threat landscape’ change.

PCI ASV Scanning

WHAT is it?

A vulnerability scan is a test that checks for security weaknesses.

The results provide valuable information that supports efficient patch management and other security measures to increase protection against malicious attacks.

WHY do I need it?

Requirement 11.2.2 of PCI DSS states that organizations must ‘perform’ external vulnerability scans ‘via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).’

As an ASV accredited by the PCI SSC, we help make sure you adhere to the standard.

WHEN do I need it?

Scans need to be performed ‘at least quarterly and after any significant change in the network’ to comply with the PCI DSS rules.

PCI Onsite Assessment

WHAT is it?

Our onsite assessment is an evaluation covering all 12 requirements of the standard.

As a Qualified Security Assessor (QSA) with PCI SSC approval, we’ll look at your organization across the three core dimensions of technology, processes and people. Our ‘holistic’ evaluations include technical sampling of systems, staff interviews and a final policy review confirming that appropriate measures have been taken and appropriate procedures put in place.

On completion of the assessment, we draft a Report on Compliance (RoC) in a format acceptable for submission to relevant card brands.

WHY do I need it?

QSA assessments and RoCs are mandated by payment-card industry members for service providers processing more than 300,000 transactions or accounts a year and for merchants processing more than 6 million.

Additionally, they help organizations processing fewer transactions or accounts ‘go the extra mile’, prove their commitment to best practice and mitigate risks.

WHEN do I need them?

If you’re a service provider processing more than 300,000 transactions or accounts a year or a merchant processing more than 6 million, annual assessment by a QSA will be required.

PCI DSS SAQ

WHAT is it?

If you handle smaller volumes of transactions, you can self-certify your compliance with PCI DSS through a Self-Assessment Questionnaire (SAQ).

We can provide professional advice to make self-assessment easier, guiding you through the questionnaire, validating your compliance and countersigning your SAQ.

You can think of the service as similar to that provided by an accountant helping someone complete their self-assessment tax return.

WHY do I need it?

Validation makes compliance less stressful – and provides that bit of extra reassurance you’re doing the right thing.

WHEN do I need it?

SAQs are usually filled in once a year – so validation usually takes place annually.

PCI Remediation

WHAT is it?

Remediation is a follow-on service that provides effective solutions for non-compliance discovered during the gap analysis.

Tailored to your needs, it fills the gaps – and ensures your security controls and documentation and the requirements of the PCI DSS closely match.

If you’ve already put in place a ‘compensating control’ to ‘cover’ you for non-compliance due to legitimate technical or business constraints, we’ll tell you whether it’s good enough for the PCI SSC.

WHY do I need it?

Without remediation, compliance can’t be achieved, and risks increase.

WHEN do I need it?

Like gap analysis, remediation will be part of an iterative process, repeated as and when non-compliance occurs.

PCI Security Awareness Programme

WHAT is it?

We provide services that increase awareness of the importance of PCI DSS and data security across the organization.

After more than ten years working with clients in a wide variety of industries, we know that effective security is security that’s ‘embedded’ at all levels.

Our two-day workshop, delivered by a QSA, has three major components:

  • Training sessions for senior managers, HR executives and chief officers.
  • Training sessions for end-users.
  • Review of existing security awareness programmes.

We help change ‘cultural norms’ to reduce the risks of payment-card fraud – and protect the long-term interests of your organization.

WHY do I need it?

PCI DSS requirement 12.5 refers to the need to ‘establish, document and distribute security policies and procedures’ (our italics), and requirement 12.6 stipulates the implementation of ‘a formal security awareness programme to make all personnel aware of the importance of cardholder data security’.

WHEN do I need it?

Staff training needs to be ‘renewed’ at least annually as technologies and the risk landscape change and PCI DSS requirements evolve.

You might also find our awareness programmes particularly useful when you grow by acquisition or take on new staff from a different corporate culture.

PA-DSS Validation

WHAT is it?

The PCI Payment Application Data Security Standard (PA-DSS) applies to software vendors and others who develop applications that store, process or transmit cardholder data as part of authorization and/or settlement.

These applications are typically sold and installed ‘off the shelf’ without customization by vendors.

Validation ensures they meet the required security standards.

WHY do I need it?

PA-DSS Validation services can provide reassurance for both vendors and their clients that the right security standards are being observed.

They will not make merchants and service providers PCI DSS compliant per se – but they will reduce the time and effort spent on achieving PCI-DSS compliance overall.

WHEN do I need it?

PA-DSS Validation by a Qualified Security Assessor (QSA) is required in order to comply with PCI security standards. Annual revalidation is mandatory but the involvement of a PA QSA company will usually only be required if significant changes have been made to the application.

The Cognosec PCI SAQ Portal

A fast and effective compliance tool

If you’re a card acquirer (typically, a bank or other financial institution), you’ll need to take steps to ensure merchants (the entities that accept payment cards) comply with the requirements of PCI DSS. If you’re a merchant or service provider (for example, a data centre, sales agent or remittance processing company) handling smaller numbers of transactions, you’ll need to prove your compliance through a Self-Assessment Questionnaire (SAQ).

We’ve developed an online portal that can help in either case – and make compliance and acquirer–merchant communication easier.

It’s a simple electronic tool, and it allows merchants to download the PCI SAQs, sign them and send them to acquirers, and acquirers to use the information to create reports for card providers.

Importantly, we can see all the data, and offer support for both acquirers and merchants. We even provide electronic certificates.

Our portal is the fast-track to compliance.

WHY Cognosec?

Seven good reasons…

  1. We are one of only 16 companies worldwide certified by the PCI Security Standards Council as a Qualified Security Assessor (QSA) for Europe, Central Europe, the Middle East and Africa (CEMEA) and the US.
  2. We provide a structured approach to assessments, and include pre- and post-audits that allow you to engage with us fully.
  3. We provide a fast-track SAQ portal that banks or other financial institutions and smaller businesses can use to ‘manage’ compliance and meet their obligations.
  4. We think of the causes of problems as well as the symptoms, providing training for both executives and end-users to avoid security failures.
  5. We have detailed understanding of the PCI DSS standard and of the way it’s evolving – and our security experts combine decades of experience with up-to-date technical knowledge.
  6. We are a NASDAQ-listed, agile EMEA company, capable of responding quickly to rapid changes in the risk landscape.
  7. More than all this… We take a ‘bespoke’ approach, tailoring our services to help our clients make the right decisions and the right investments. Our experts have experience as both providers and clients – they understand what it’s like to be on the customer’s side of the fence, and the need to balance (often competing) spending priorities.

Services

PCI DSS SAQ

Cognosec offers professional guidance to small-to-medium sized businesses in achieving PCI compliance and completing the Self-Assessment Questionnaire.

Features

The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that store, process and/or transmit cardholder data. The framework covers the technical and operational system elements connected to cardholder data. If you store, process or transmit credit card data, you are subject to this standard.

Cognosec is a Qualified Security Assessor (QSA) for PCI DSS and PA-DSS, and as a QSA we are authorised to help your company obtain and maintain PCI DSS compliance. Cognosec GmbH can provide you with a full PCI DSS audit portfolio on top of the consultancy service we already offer, creating a rounded and comprehensive compliance package.

Cognosec is also an Approved Scanning Vendor (ASV): an organisation with a set of security services and tools available to validate adherence to the external scanning condition of PCI DSS requirement 11.2. An ASV’s scan solution is always tested and approved by the PCI SSC before the ASV is added to the list of approved scanning vendors. Being both a QSA and an ASV makes Cognosec a one-stop shop for your PCI compliance needs.

Description

All businesses that store, process or transmit payment cardholder data must be PCI compliant. As a Qualified Security Assessor (QSA), Cognosec offers professional guidance to small-to-medium sized businesses in achieving compliance and completing the Self-Assessment Questionnaire. The PCI DSS self-assessment questionnaires (SAQs) are validation tools for merchants and service providers that self-evaluate their compliance with PCI DSS. Organisations can either carry out their own PCI DSS assessment, or a QSA company can conduct the assessment and underwrite their SAQ.

Specification

There are different versions of the SAQ to suit different merchant environments. As a Qualified Security Assessor (QSA), we are able to provide PCI DSS SAQ assessment to organisations seeking professional guidance in achieving compliance and completing the following Self-Assessment Questionnaires:

  • SAQ A is intended for merchants that accept only card-not-present transactions (that is, e-commerce, mail order or telephone order) and that outsource all their cardholder data functions to PCI DSS compliant service providers. SAQ A would never apply to face-to-face merchants.
  • SAQ B is for merchants that process cardholder data using only imprint machines or only dial-out terminals.
  • SAQ C-VT is for merchants using only web-based virtual payment terminals, where cardholder data is manually entered into a secure website from a single system.
  • SAQ C is for merchants with dedicated payment application systems segmented from all other systems and connected to the Internet for the purposes of transaction processing.
  • SAQ P2PE-HW is for merchants using a validated P2PE solution that is listed on the PCI SSC website.
  • SAQ D is for all other SAQ-eligible merchants that do not fall into any of the other SAQ categories, and for any service providers defined by a payment brand as eligible to complete the SAQ.


PCI Security Awareness Programme

The Cognosec Security Awareness Program is designed to help you raise the level of understanding of how important security is today, and to help you push responsibility throughout the company.


Description

It is imperative that any individual capable of accessing information technology resources understands the value of those resources and their responsibility for keeping them safe from abuse. To address PCI DSS requirements 12.5 and 12.6, which refer to the distribution of security policies throughout the company and the existence of a formal security awareness programme, Cognosec offers full support in the development of security policies and security awareness programmes.

Specification

The Cognosec 360 Security Awareness Program is designed to help you raise the level of understanding of how important security is today and to help you push responsibility throughout your organisation. Our highly international staff have decades of experience in IT security, having worked directly with the major card brands and acquirers as well as with merchants and payment service providers. The Cognosec team fully understands the risk and pressure our clients go through to reach their IT security, compliance and governance objectives. Cognosec’s 2-day workshop, delivered by a QSA, has three components:

  1. A management training session for senior managers, HR executives and CxOs.
  2. An end-user security awareness training session, including a test of the material.
  3. A session analysing the company policies and addressing any gaps.

On completion of the workshop, Cognosec will help you build a sustainable security awareness program into the company.

PCI Remediation

We provide individual services for implementing missing elements of an organisation’s security policies to match those of the PCI DSS. Variances between the PCI DSS Standard and an organisation’s currently established policies and practices detected in the gap assessment need to be addressed.


Description

PCI Remediation is a follow-on from a PCI DSS Gap Assessment and involves remediating those requirements of PCI DSS with which you are not compliant. Any entity that accepts payment card transactions must be compliant with all 12 requirements of the PCI Data Security Standard, so the variances between the standard and an organisation’s currently established policies and practices detected in the gap assessment need to be addressed. Cognosec provides individual services for implementing the missing elements of an organisation’s security policies to match those of the PCI DSS. Compliance is achieved when solutions and sound policies are implemented that fully address and satisfy PCI DSS.

Specification

All organisations that store, process and/or transmit cardholder data must be compliant with the 12 PCI DSS requirements. PCI Remediation is, put simply, identifying and fixing the items found to be “not in place” against those requirements. If items are discovered to be not in place in the organisation, the QSA provides as much detail as needed to explain the remediation actions and the timeline for compliance, and the organisation performs the remediation activities. Remediation is complete when solutions and sound policies are implemented that fully address and satisfy the compliance requirements.

As a QSA company, we provide both workshops and individual services for implementing the missing elements of an organisation’s security policies to match those of the PCI DSS:

– Cognosec offers workshops that dive deep into the data security standard, allowing you to select the right technologies and architecture to attain and maintain PCI DSS compliance.

– Cognosec helps you close the gaps in your documentation and reviews the policies, procedures and processes of your business.

– As an ASV, Cognosec is able to perform external vulnerability scans in accordance with PCI DSS requirement 11.2. These scans provide a consistent view of an organisation’s security posture, identifying potential threats to its IT systems.

– Cognosec offers penetration testing and internal penetration testing of a PCI DSS scoped environment.

– Cardholder data discovery.


PCI Gap Assessment

Cognosec’s PCI Gap Assessment is available for both remote and onsite activities. To create the most accurate assessment possible, it also includes interviewing system architects, systems administrators, testing personnel, and support staff.


Description

A PCI DSS Gap Assessment is an analysis of the differences between an entity’s present security standards and policies and the twelve requirements of PCI DSS. The variances, or “gaps”, are then determined and can be corrected with PCI Remediation. If you have been asked to comply with the PCI DSS by a card brand, an issuing or acquiring bank, a business partner, or a customer who requires it as part of a due diligence exercise, Cognosec can help you.

Specification

Most companies already have security standards and procedures in place, but as the world converges on one standard, a reassessment is often necessary. A PCI DSS Gap Assessment is an analysis of the variances between those established security standards and the ones required by the PCI SSC for PCI certification. The variances, or “gaps”, are then determined and corrected. Our process includes interviewing system architects, systems administrators, testing personnel, support staff and others to gather as much information as possible, aiding the subsequent analysis and the generation of the final PCI DSS Gap Analysis report.


PCI ASV Security Scan

We are a Certified Approved Scanning Vendor ASV and provide vulnerability scanning services in accordance with PCI DSS.


Features

Security vulnerabilities in Internet-facing systems can have severe, wide-reaching implications for your organisation. Cognosec’s certified ASV scans identify weaknesses and vulnerabilities and quantify their severity, allowing them to be managed efficiently and effectively.

Description

An Approved Scanning Vendor (ASV) is an organisation with a set of security services and tools to validate adherence to the external scanning requirement of PCI DSS Requirement 11.2.2. We are a certified ASV and provide vulnerability scanning services in accordance with PCI DSS. Vulnerability scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet attacks. Any organisation that wants to maintain its PCI compliance, to know what its weaknesses and vulnerabilities are, and to prevent financial and reputational loss has to conduct ASV scans.

Specification

Cognosec’s Approved Scanning Vendor scans identify weaknesses and vulnerabilities and quantify their severity, allowing them to be managed efficiently and effectively. This means that an organisation:

  • Fulfils the PCI DSS Requirement 11.2 for quarterly vulnerability scans performed by an ASV.
  • Provides proof of due diligence to regulators, customers and shareholders.
  • Prevents financial loss through fraud or unreliable infrastructure.
  • Protects your brand against the loss of reputation.

Cognosec performs regularly scheduled scans (monthly or quarterly), as well as ad hoc scans – producing and delivering an ASV Report containing every discovery and an evaluation thereof. Security matters covered range from authentication, authorisation and misconfiguration issues to information disclosure and obsolete software version concerns.

What is included in a scan?

Cognosec’s Scanning Solutions test and report on:

  • Firewalls & Routers
  • Operating Systems
  • Database Servers
  • Web Servers
  • Application Servers
  • Common Web Scripts
  • Built-in Accounts
  • DNS Servers
  • Mail Servers
  • Web & Other Applications
  • Common Services
  • Wireless Access Points
  • Backdoors
  • SSL/TLS
  • Remote Access
  • Point-of-sale (POS) Software

PCI QSA Onsite Assessment

Cognosec’s PCI On-site Assessment is a systematic evaluation of an organisation’s level of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which needs to be performed during the securitisation process and at regular intervals.


Description

As a Qualified Security Assessor (QSA), we are able to perform an evaluation that covers all twelve requirements of the PCI DSS standard. It includes a multitude of facets: technical sampling of in-scope systems, staff interviews and a final policy review, confirming that suitable measures have been taken and that appropriate policies have been put into place. Upon completion of the PCI On-site Assessment, a Report on Compliance (ROC) will be drafted in a format that is acceptable for submission to the relevant card brands.

Specification

As a Qualified Security Assessor (QSA), Cognosec offers the highest quality and smoothest assessment possible. The evaluation will cover a multitude of facets, including technical sampling of in-scope systems, staff interviews and a final policy review, confirming that suitable measures have been taken and that appropriate policies have been put into place. Upon completion of the PCI On-site Assessment, a Report on Compliance (ROC) will be drafted, ready to be submitted to the relevant card brands.

There are 5 PCI DSS phases to the Cognosec PCI methodology. Four of them are audit processes and one of them is a half yearly customer review.

  1. Initial Gap Analysis and Onsite Audit
  2. Evaluation of gathered Evidence and Remediation
  3. Report and Review
  4. Project closeout
  5. Half Yearly Review

– For PCI Level 1 Service Providers, to maintain PCI compliance, a PCI On-site Assessment needs to take place absolutely no later than four months (six months is recommended) before the expiration of a PCI certificate, as specified by the card brand listings.

– For PCI Level 1 Merchants, to maintain PCI compliance, a PCI On-site Assessment needs to take place at least four months before the initial PCI compliance date mandated by an acquirer, or four months before the initial re-certification.

Client-related activities under the Payment Card Industry Data Security Standard (PCI DSS) are:

  1. Validate the scope of the assessment
  2. Contract drafted and signed
  3. Onsite audit preparation phase

– Scheduling phase

– Client hub created in secured ownCloud

– Client data upload to secured ownCloud

– Policies and procedures Excel file completed

  4. Conduct PCI Data Security Standard assessments

– Verify all technical information given by the merchant or service provider

– Be onsite for the duration of any relevant assessment procedure

– Review the work product that supports the assessment procedures

– Adhere to the PCI DSS Requirements and Security Assessment Procedures

– Select representative samples of business facilities and system components where sampling is employed

– Evaluate compensating controls (if any)

  5. Produce the final Report on Compliance
  6. Produce the Compliance Certificate
  7. Submit validation documents to card brands
  8. Client feedback and testimonials

