What is PCI remediation?
PCI DSS remediation is an essential phase for organizations wishing to comply with the Standard. Although implementing these changes can be costly both in time and resources, an expert-driven remediation plan can significantly streamline compliance efforts.
An engagement to implement and improve PCI compliance will normally start with an assessment of any gap analysis work that has already been done. If items are found not to be in place in the organization, the consultant will formulate a project plan documenting the required remediation, including detailed tasks, suggested timeframes, prioritization, and resourcing requirements.
On conclusion of the assessment, a final report will be produced detailing the compliance status and a business case for executive sponsorship and funding.
Did you know?
Many organizations are overly reliant on external validation assessments for protection and compliance.
While a PCI DSS assessment is a point-in-time event, adhering to the PCI DSS and maintaining PCI compliance is an ongoing process. Relying on an annual review alone can leave an organization exposed to weaknesses, as controls fail to adapt to changes in the environment. This is why the recent 2018 Payment Security report identified that:
- Two thirds (67%) of organizations approach and manage their PCI DSS compliance as an ongoing program with a formal structure, defined objectives, scope and supporting projects.
- Only one third (33%) of organizations still treat PCI compliance as an annual project.
The benefits of PCI remediation and continual improvement
By receiving a PCI remediation and improvement plan, you can help your organization to:
- Receive help to manage your team’s PCI DSS remediation efforts
- Gain clear, implementable recommendations to bring you back in line
- Obtain accurate estimates and forecasts to gain required budget and sponsorship
- Implement and maintain the appropriate processes and procedures
- Gain support for any necessary policy and procedure documentation
- Clearly define your own and your service providers’ responsibilities
- Achieve an improved ongoing state of operations
Is a PCI remediation service right for you?
If you are responsible for implementing the PCI DSS in your organization, you should ask yourself:
- Has an assessment or gap analysis identified necessary changes?
- Has there been a change to the PCI DSS or the interpretation of the PCI DSS?
- Has there been a change in your cardholder data environment that was not implemented with PCI controls in mind?
- Is there a process or policy that needs refinement?
- Have there been personnel changes?
- Has the scope of your assessment changed?
Our engagement process
The service typically involves several days on-site for our consultants to meet with the managers who oversee the PCI DSS program; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.
- Pre-assessment information gathering: During this step, we will review all the remediation recommendations that have been identified by a previous gap analysis or other exercise or source.
- Assessment and analysis: Our consultants will then conduct an assessment aimed at reducing the PCI compliance burden, and will assess your own and your service providers’ responsibilities.
- Post-assessment: We will provide a management report outlining the findings of the assessment, along with a detailed project plan to fulfil remediation activities. Where required, we can provide ongoing guidance and consultative support to achieve your compliance goals.
How IT Governance can help you
Our services provide a tailored route to PCI compliance, scalable to your budget and need.
We go further than a simple ‘yes/no’ approach, to better understand how your security measures work.
We work in partnership to help you understand what is required and why, giving you control.
We can offer expertise to vet compensating controls and determine whether they are acceptable.
Companies using our PCI DSS products and services:
“IT Governance were very professional and pragmatic in their approach, and displayed a level of understanding of our business that we found unique and refreshing.”
Damien Everard, COO of Appletree.