PCI Compliance and Certification Services
ControlCase offers the following standardized methodology of PCI Certification for all its clients in year 1. The methodology consists of the following steps:
Gap Analysis (Steps 1 to 3):
ControlCase will perform a gap analysis and the required testing in order to inform the client of the controls that need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network (including vulnerability and penetration testing) and of the supporting technical documentation. The assessment process may include interviews with company personnel to determine which PCI requirements are in place and where remediation is required.
The first phase of the project will involve reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation will include:
For this phase, ControlCase consultants will require the following documentation from the client:
ControlCase will provide standard templates for the above-mentioned policies and procedures, if so desired by the client.
Remediation plan and support (Steps 4 & 5):
ControlCase will keep track of all remediation efforts and provide a monthly status report to the client on the remediation steps. During this time, the client is expected to implement the PCI controls and to keep ControlCase continuously informed of all remediation measures.
Certification (Steps 6 to 9):
ControlCase will, as required for the project, deploy a PCI audit team of Qualified Security Assessors (QSAs) to carry out the on-site portion of the PCI DSS assessment. After completion of our internal quality assurance procedures, the client will be issued a Report on Compliance (ROC), and the appropriate certification documentation will be submitted to the various credit card brands. PCI DSS certification requirements depend on the level of the service provider as determined by its acquirer or the payment brands, and are summarized below. Merchants and service providers should contact their acquirer or the payment brands to identify their specific validation and reporting requirements.