PCI Scoping and Readiness Review Services

Overview and Services

As a Qualified Security Assessor (QSA), SAS 70 Solutions provides a wide variety of advisory services designed to help clients obtain and sustain Payment Card Industry (PCI) Data Security Standard (DSS) compliance.

PCI Cardholder Environment Scoping Assessment

For organizations that are trying to determine the scope of their cardholder data environment, SAS 70 Solutions can perform a scoping assessment. PCI onsite validation specifically targets the client’s network components, servers, or applications connected to the cardholder data environment. The cardholder data environment is the part of the network that stores, processes, or transmits cardholder data or sensitive authentication data. This scope extends to third-party business partners as well. Generally speaking, clients should segment their networks sufficiently to limit the nature and extent of the cardholder data environment.

In order to understand the extent of its cardholder environment, an organization must understand how data is collected, how it moves through the organization’s environment (as well as what is shared with third parties), and how it is stored. For merchants, this includes examining data flow from retail outlets to centralized processing centers and any service providers that may be involved. The details of what is defined as “in scope” can be very granular, and newer technologies such as tokenization can limit the transmission and storage of certain cardholder data elements when used in a prescribed manner.

In a scoping assessment, SAS 70 Solutions will conduct interviews, review network documentation, and review configuration information from systems, applications, and databases to determine where credit card data may exist in a client's environment.

PCI Readiness Assessment

For organizations that have not gone through a PCI validation assessment before, or that have undergone major changes to their environment since a prior validation (e.g. mergers/acquisitions, network redesigns, new payment application deployments, etc.), a readiness assessment can be a valuable resource. The readiness assessment performs a high-level review of the controls in place and identifies gaps accordingly.

Deliverables

Deliverables will vary by project and generally include:

  • Detailed project plan
  • Comprehensive information request list allowing the organization’s personnel to gather documentation in advance of fieldwork
  • Assessment findings reports

Who Should Consider PCI Scoping and Readiness Reviews?

The following are characteristics of the ideal candidate for PCI scoping and readiness reviews:

  • Service providers and merchants that are uncertain as to the nature and extent of their cardholder environment
  • Service providers and merchants that are uncertain as to their compliance with the PCI DSS requirements