
PCI-DSS

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

Deloitte can provide expert security services assisting organisations with preparing for PCI-DSS assessments and remediating any findings.

Who needs to comply?

Any merchant, acquirer, issuer bank, and service provider that processes, stores or transmits credit or debit card data, and any party connected to them may need to comply.

Does PCI-DSS apply to you?

If you do any of the following, you may need to adhere to PCI-DSS requirements:

  • Process credit card transactions
  • Store credit card information, paper or electronically
  • Take online credit card payments
  • Handle credit card information on paper, online, over the phone or via mail
  • Provide services such as network integration and monitoring, managed security services, etc. to companies that store, process and/or transmit credit card data.

Non-compliance may lead to a charge being levied by card issuers. If the company's non-compliance has compromised cardholder data, this may result in the company losing the right to take credit card payments, followed by fines and forensic investigations.

The standard covers IT systems and components, including servers, applications and databases throughout the transaction process. It also applies to the manual processes and procedures that are an integral part of any successful security and fraud management solution.

How Deloitte can help

Deloitte offers the PCI-DSS services in the following areas:

  • Credit Cards Tokenisation design and implementation
  • PCI DSS readiness services
  • PCI DSS Data Discovery
  • PCI Gap assessment services
  • PCI DSS Subject Matter Expertise
  • Web application security testing.

PCI service offerings

PCI Data Discovery

Accurately determining and documenting the different credit card capture points, and the footprint of credit card storage within an organisation’s business processes, systems, applications and networks, is one of the key activities of a PCI DSS assessment.

Deloitte can provide PCI Data Discovery and identification services to clients assisting with identifying the following:

  • Analysis and documentation of all the business functions that either accept credit card payments or store, process or transmit credit card data
  • Identifying and documenting the technologies used to store and process credit card data
  • Identifying and documenting the IT infrastructure that processes and transmits credit card data
  • Providing a detailed data flow report together with a cardholder data register.

PCI Gap Analysis

Achieving PCI Compliance is a complex and comprehensive process. It requires an organisation to demonstrate controls around people, process and technology.

Deloitte can assist clients with PCI Gap Analysis services to help an organisation with the following:

  • Identify and document the gaps with all the people-based processes against Payment Card Industry Data Security Standards (PCI DSS 1.2.1 or PCI DSS 2.0) or Payment Card Industry Self Assessment Questionnaires (PCI SAQ A/B/C/D)
  • Identify and document the gaps within the IT and business processes against Payment Card Industry Data Security Standards or Payment Card Industry Self Assessment Questionnaires
  • Identify and document the gaps within the technology controls against Payment Card Industry Data Security Standards or Payment Card Industry Self Assessment Questionnaires.

Deloitte provides a detailed Gap assessment report as part of this offering.

Web application security testing

Security testing of web-facing applications such as e-commerce gateways, shopping carts and other processing facilities is a requirement of PCI DSS. Deloitte has extensive expertise in web application security and code assessments.

For more information on web application security services, please see our web application security offering.

Contact us

  • Jean-Marie Abi-Ghanem
    Partner
    Tel: +61 3 9671 7450

Related links

  • Web application security
  • Payment Card Industry Data Security Standard - PCI DSS 2.0 released
  • VISA – Account Information Security
  • MasterCard – Site Data Protection Program
  • American Express – Data Security
