PCI DSS

PCI certifications

The PCI DSS (Payment Card Industry Data Security Standard) is a vital security framework developed by the PCI SSC (PCI Security Standards Council), encompassing 12 core areas and around 260 control points.

Compliance with this standard is required by major card organisations, including Visa, Mastercard, American Express, JCB, Diners Club, and UnionPay International.

The standard applies to any organisation that processes, stores, or transmits cardholder data, or has an impact on its security. The certificate of compliance is valid for one year and, depending on the type of entity (merchant or service provider), the results are reported either to the Acquiring Bank (for merchants) or directly to the Card Brands (for service providers).

How can we help you?

At Patronusec, we take pride in protecting your organisation from the vulnerabilities that can threaten card data security. Like a Patronus guarding against dark forces, we will guide you through the entire PCI DSS audit process. Our experts will assess your card acceptance environment, highlight areas for improvement, and prepare all necessary documentation, including a PCI DSS certification report and Attestation of Compliance (AOC).

Once you’ve signed the Attestation, we’ll also assist with your submission to the card organisations and issue a Marketing Certificate for you to proudly display on your website and corporate documents. As a PCI QSA (Qualified Security Assessor), we are accredited to carry out certification audits for PCI DSS compliance.

How will we work with you?

Stage 1

Scoping

The first step in PCI DSS certification is determining the scope. This involves defining the technologies, processes, personnel, and vendors that process or affect the security of cardholder data. Remember, the responsibility for scoping lies with you, though we are here to assist you with any questions. For further guidance, you may find this article useful.

Stage 2

Gap Analysis

This step is optional, but highly recommended for new clients who may not be sure if they’re ready for a PCI DSS assessment. During the gap analysis, we’ll simulate the certification audit and pinpoint any areas of non-compliance, helping you address any weaknesses with practical solutions.

Stage 3

Certification Audit

The PCI DSS audit can be conducted remotely, on-site, or in a hybrid format. You can learn more about what the audit involves here. Within two weeks of completing the audit, we will provide you with a list of required documents and evidence (we call this document a tracker) that you will need to submit to us.

Stage 4

Remediation and Evidence Collection

You’ll have up to 90 days to provide us with the requested audit evidence or implement necessary corrections. The sooner you provide the evidence, the faster we can move forward with the certification process.

Stage 5

Reporting

This is the phase where we compile the detailed audit report, based on the evidence and documents you’ve provided. The report is a comprehensive document, spanning over 330 pages, detailing your cardholder environment. In addition, we perform a QA process before finalising the report. On average, this step takes up to a month.

Stage 6

Completion

This is the step we truly value. If the audit is successful, we’ll provide you with an Attestation of Compliance (AOC) for electronic signature. After completing the audit, we’ll also assist you with registration with the card organisations and issue a Marketing Certificate to help demonstrate your commitment to PCI DSS compliance.

Certification audit

The PCI DSS certification audit combines on-site and remote activities aimed at confirming your organisation’s compliance with the PCI DSS standard. The audit consists of four essential components:

1. Interviews

Before the audit, we’ll provide you with an agenda and outline the topics to be discussed with your staff or vendors. The aim of these interviews is to get a deeper understanding of your organisation, the scope of responsibilities, and how you manage your cardholder data environment.

2. Configuration Review

The next step involves reviewing and verifying the configuration of your environment. We will ask your team to show us the configuration of systems, devices, and tools, as well as elements such as access control systems and alarm systems. During this review, we may also ask for specific audit evidence.

3. Review of Management Processes

This step focuses on reviewing the processes that govern your cardholder data environment. We will request items such as change request reports, evidence of log reviews, and documentation of patch management activities.

4. Documentation Review

This stage is typically done remotely. We’ll ask you to provide a list of documents describing your cardholder data environment, including network diagrams, policies, and procedures. Please ensure that these documents are up to date, with the last review date not older than 12 months.

After the audit, we will provide you with a tracker—a document that consolidates all observations, documents, and evidence. The tracker is our way of ensuring that once you provide us with all required elements, we can proceed to work on the final report.

Don't buy a pig in a poke - request a free consultation and check how we can assist you.


Use the contact form or contact us directly.

Patronusec Sp z o. o.

Head Office:
ul. Święty Marcin 29/8
61-806 Poznań, Polska

KRS: 0001039087
REGON: 525433988
NIP: 7831881739
D-U-N-S: 989454390
LEI: 259400NAR8ZOX1O66C64