Show clients you process payment card information securely.
Show clients you process payment card information securely.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard for organizations that process, store, or transmit cardholder data or can influence the security of cardholder data. While a defined set of security requirements may seem straightforward, many organizations struggle to keep up with the changes and complexities of their cardholder data environment (CDE) and therefore PCI DSS compliance becomes problematic.
Auditwerx has extensive experience with service providers and Service Organization Control (SOC) audits so conducting PCI assessments are a natural extension of our services.
Service providers are unique in that while they may not directly deal with cardholder data, because of or how they deliver their services they could influence the security of their customers’ processing, storing or transmitting of cardholder data and therefore the service provider is required to be PCI compliant. Many service providers do not realize the need to be PCI compliant until customers clamor for it because it is required for their own PCI compliance efforts.
Another unique aspect of PCI compliance for service providers is registering for the Visa Global Registry of Service Providers or MasterCard SDP Compliant Registered Service Provider List. These lists are maintained by Visa and MasterCard for use by prospective customers to find service providers that Visa and MasterCard deem as PCI compliant. The process for being listed is straight forward but can be particularly daunting for organizations that are not directly dealing with cardholder data and therefore do not have a relationship with an acquiring bank. Auditwerx can provide the guidance and assistance necessary to get a service provider easily through the Visa and MasterCard service provider registration process as well as keeping them listed.
Merchants are still considered the core of the PCI DSS.
With the advent of point-to-point encryption (P2PE), end-to-end encryption (E2EE) and tokenization, merchants are drastically reducing their PCI scope thus simplifying their PCI assessments. We work with merchants to get through their assessments as quickly and easily as possible.
Auditwerx QSAs understand the Cloud and what makes up the Cloud.
Auditwerx QSAs understand the Cloud and what makes up the Cloud. Whether it is VPCs, Docker, Kubernetes or micro-segmentation, we understand Cloud technologies and how they need to be assessed and made PCI compliant. We also understand today’s application development methodologies and the toolsets of DevSecOps.
Every organization is unique. Auditwerx provides a tailored approach to every assessment based on your needs. We think outside the traditional black and white landscape of the security standard to help you assess and design controls within the constraints of your environment to meet the intent of the PCI DSS.
Auditwerx is a boutique consulting firm who understands the challenges of working with large QSA companies and was designed to provide the attention and expertise that companies should expect.
Auditwerx is not just a vendor, but a trusted advisor and long-term partner. We are your “go to resource” as questions and issues arise, not just during the assessment.
Auditwerx brings over a decade of PCI experience and has performed hundreds of assessments across organizations of all sizes from small businesses to service organizations and fortune 10 merchants.
Auditwerx understands the challenges of resources, compliance deadlines, and evidence gathering and will work with your team to ensure our approach meets your expectations.
Auditwerx can help build a foundation for your compliance initiatives and transform your compliance fatigue with integrated solutions for PCI, SOC, HIPAA, and HITRUST.
When new business or PCI initiatives arise, large or small, you need someone capable of looking at all facets of the project from a PCI perspective to determine the potential impact. Auditwerx can provide guidance on architecture changes, scoping definition, technology implementations, scope reduction, compliance cost reduction, new payment channels, and other areas. Every project is specifically tailored to your needs to ensure you receive the most value.
There are a variety of SAQs available and determining which apply in your situation may be challenging. Auditwerx professionals are here to assist you with identifying the appropriate SAQ associated with each payment channel and evaluating if you comply with the applicable requirements. We are your partner in this process and our goal is to assist your team in understanding and being able to accurately answer each question as you fill out the SAQ.
Auditwerx will serve as your qualified security assessor (QSA), performs a detailed assessment, provides a PCI report on compliance (ROC) and a PCI attestation of compliance (AOC). Auditwerx is not a checkbox, one time a year assessor. Auditwerx is looking to establish long-term partnerships with continued interaction throughout the year to ensure you are kept apprised of new developments so that there are few if any surprises during the assessment. Our goal is to reduce the risk and liability to both organizations and to create efficiencies. This allows information security to be the primary focus, while making compliance a byproduct.
For organizations new to PCI or trying to navigate new business processes as it relates to PCI, a readiness assessment will provide the needed guidance to ensure compliance prior to an assessment. The process identifies any gaps in PCI compliance and allows you to address those gaps before going through your assessment. This can provide efficiencies to the ultimate assessment process and help save time, cost, and avoid unanticipated gaps or expansion of scope. A gauge of your current environment, policies, procedures, and controls against the requirements of the PCI DSS will be performed along with defined scoping guidance.
If you would like to learn more about the PCI process, please contact us.