How To Write A Pca Dss Compliance Solution For Gameplan Group Ltd

Transcription

1 PCI Compliance reporting solution This document describes GamePlan s PCI DSS compliance solution and its ability to assist organisations to be compliant with the regulatory requirements of the Payment card industry s Data Security Standards (PCI DSS). We have developed a solution, which could be entirely hosted within a PCI Level 1 VISA accredited hosting facility, to provide any organisation with the ability to meet its PCI DSS compliance in a structured and easy to manage environment. Our PCI compliance solution and reporting tool is based on project experience gained over many years by our team of certified PCI DSS Experts. Our collective experience is gained from working with various QSAs, Acquiring Banks, Payment processing companies and clients across various industry sectors who need to build, implement and maintain PCI compliance. Our solution is designed to be the least intrusive and can run within our client s in-house IT topology, partially outsourced or even 100% outsourced including hosting, design, implementation and maintenance of PCI DSS compliance against an agreed strategy. Company Gameplan Group Ltd is a niche consultancy that specialises on integrating Solutions, Processes and People to ensure our clients remain agile, within tolerance of their business processes, compliant to external governing bodies and above all achieve a rapid ROI from our projects. In addition to providing consultancy services around financial compliance we have also built mobile security and data encryption solutions that ensure PCI data protection on intranet and extranet networks as well as remote or mobile devices for clients across industries. Gameplan Group Ltd works closely with its chosen partners (such as Netplan, a VISA PCI level 1 accredited hosting facility) in order to deliver world class solutions with sustained return on investment to its customers. Gameplan Group Ltd will always act as prime contractor and in turn assume all legal responsibilities for the complete implementation.

2 Solution Overview Our solution is based on consulting services and a web based PCI compliance solution for third party compliance monitoring. The proposed PCI self-assessment solution would enable our clients to perform the following: 1. Allow access to key information for key stakeholders such as Business Owners, PCI, Data Protection Officers and Information Security staff. 2. Enable 3rd party PCI compliance management and monitoring 3. Provide PCI Asset registers with named owners 4. PCI change management procedures 5. PCI risk register linked to PCI assets and change requests 6. Enable PCI Audits (External/Internal audit, Information Security and Data Protection Officer) 7. A central repository of all PCI policies and procedures with owner aid maintenance The task of maintaining compliance can be a very challenging and expensive if not properly managed, we have therefore structured our solution to address our client s operational needs by putting together features that takes away the operational headaches involved with PCI DSS compliance and using our Experts previous experience to ease the process of compliance for our clients.

3 Our PCI compliance reporting solution There are three main services we provide: 1. PCI compliance framework 2. Third Party Supplier compliance management 3. PCI compliance management operational service PCI compliance framework Our PCI compliance framework sets out the foundational structure of your PCI compliance and acts as the starting point of your PCI compliance scope as defined by your QSA, if one has been appointed. We convert the agreed PCI scope into our compliance reporting software and solidify the foundation of your compliance efforts to ensure all stakeholders are able to access the data that relates to their area of responsibility. PCI DSS requires that key stakeholders in the organisation are to be engaged in order to maintain compliance with the PCI requirements. The following will be the key stakeholders given access on the web based compliance tool enabling multiple stakeholders to have a role in the management of the compliance. a. Customer services To have overall responsibility for PCI estate. b. External auditors To provide QSA services and ensure we are complying with the PCI DSS requirements. c. Security Manager d. Internal auditors To provide periodic checks on our compliance efforts and identify areas of non-compliance during the course of the year. e. Information security To ensure information security principles that govern PCI DSS are adhered to and also to provide information security reviews on the PCI estate. f. PCI asset owners Primary responsibility for PCI compliance, they would be set a number of tasks to complete at set times or periodically during the year. g. Compliance (Data Protection Officer) To ensure data protection and privacy issues are adhered to operationally and strategically as well as also to ensure that all PCI DSS policies and procedures also comply with the ICO requirements for safeguarding confidential data, of which, card data is a subset.

4 Third Party Supplier compliance management PCI DSS requires organisations that outsource its card data functions to 3rd parties to ensure that each 3rd party complies with the PCI DSS requirements. This requires ensuring, from the point of engagement, that there is a requirement for PCI DSS and during the course of the contract that there is periodic reporting on their levels of compliance. Each 3rd party will be required to comply with PCI DSS and will do so by self-assessing their compliance as well as report their compliance quarterly. All 3rd party suppliers will be assessed against the agreed PCI DSS standard and measured according to their level of compliance. This feature means our clients would be able to adequately manage all 3rd parties that handle its card data from a single web based platform.

5 Above, is the snapshot of a 3rd party compliance report against the 12 requirements of PCI DSS. The 3rd party will be measured against each area and they will be required to complete it quarterly as well as provide evidence of compliance. The information provided will then be rated and if the organisation meets the minimum standard required, they will be deemed to have passed and be compliant for that quarter. The 3rd party will need to maintain the level of compliance throughout the duration of the contract. As result, our clients would only need to focus on 3rd parties that are not compliant.

6 PCI compliance management operational service Our PCI compliance management operation service is based on our PCI compliance managed service whereby we insource your PCI compliance requirements and provide operational support for your PCI compliance governance requirements. Some of the features of our managed service are detailed below. We implement the PCI DSS compliance solution as part of a standard implementation methodology and project plan. This plan is pre-agreed with our client in accordance with resources available. Milestones are agreed and monitored via regular review meetings between Gameplan and the client Program Manager. Please contact us for more information how we could assist you to remain within tolerance of your PCI compliance requirements.

7