PCI DSS - One-Stop Consulting, Certification and Implementation by SRC

SRC offers support and consultation in implementing the requirements of PCI DSS as well as the performance of the so-called PCI Compliance Validation. SRC’s PCI DSS projects are based on a well-proven process, which typically includes the following five steps:

  1. Workshop: knowledge sharing on background and interpretation of the PCI DSS and project kick-off;
  2. Scope analysis: identification and definition of the scope of the PCI DSS;
  3. Gap analysis/Pre-audit: comparison of target and actual status to identify gaps on the way to implement the requirements of PCI DSS;
  4. Remediation: development of a short-, mid- and long-term project plan to address the identified gaps, and its implementation in consideration of the business environment and risk assessment;
  5. Compliance validation: compliance with the PCI DSS requirements is validated and reported.

The workshop provides the background necessary to move further in the PCI DSS implementation process, which aims at the PCI DSS Compliance Validation. Preparation for the validation includes the definition of the scope of the audit and the conduct of a gap analysis. Based on the results of the gap analysis, the remediating measures can be planned and implemented.

Step 1: PCI DSS Workshop

At the beginning of the PCI DSS certification process, a consultant of SRC will conduct a workshop on the basis of the requirements given in “PCI Data Security Standard - Requirements and Security Assessment Procedures”, and the respective requirements of the payment schemes.

The workshop has two main objectives, covering knowledge transfer in both directions:

  1. Introduction to the requirements of PCI DSS and their interpretation, in particular from an auditor’s perspective.
  2. SRC gains insight into the customer’s policies, business processes, applications and systems which will be in the scope of PCI DSS.

A comprehensive and mutual understanding is, according to SRC’s experience, of critical importance for an efficient and effective implementation of the PCI DSS as well as a successful compliance validation process. Only on this basis can the scope of PCI DSS, its impact on the organisation, and the different options and implementation strategies be assessed. The workshop targets the staff responsible for processes, applications and systems in which card data is stored, processed or transmitted, i.e. product managers, process managers, and system and network administrators.

Step 2: Scoping

The PCI DSS is applicable to all systems, applications and processes that store, process or transmit cardholder data. To define the scope of the assessment, SRC has developed a guideline that supports you in the complete identification of the PCI DSS relevant systems and applications. SRC’s experience shows that areas and applications which had not been classified as PCI DSS relevant before the scoping process are regularly identified during the assessment.

Step 3: Gap Analysis/Pre-Audit

To obtain an overview of a company’s current status with regard to implementing the PCI DSS requirements within the previously defined scope of assessment, a gap analysis/pre-audit is performed. This process includes interviews with the departments responsible for payment processing and the corresponding components, as well as auditing of system configurations.

In doing so, SRC compares the already implemented organisational (e.g. access control), technical (including firewalls, clients, networks, IDS/IPS) and process-oriented measures (e.g. user account management) with the requirements as described in the “PCI DSS Requirements and Security Assessment Procedures” document. The gap analysis/pre-audit is mainly based on a regular PCI DSS Security Audit and identifies those deviations that must be eliminated before the company can truly become PCI DSS compliant.

Step 4: Remediation

SRC supports you in planning the measures needed to implement the requirements of PCI DSS. The measures to be taken are coordinated with the customer and take short-, mid- and long-term planning into account.

In close cooperation with the customer, SRC provides an estimate for each individual system, application and business process of the resources, costs and timeframe required for implementation.

Step 5: PCI DSS Compliance Validation

The PCI DSS Compliance Validation will be performed according to the merchant/service provider level by:

Contact Persons

Thilo W. Pannen
Detlef Kraus

sdpais[at]src-gmbh.de
Telephone: +49(0)228 2806-166
Telefax: +49(0)228 2806-199

PCI DSS Newsletter

Since 1 July 2008 we have offered the opportunity to subscribe to our free-of-charge newsletter. If you are interested, please send a mail message to pci-news[at]src-gmbh.de with the subject "subscribe".