PCI GRC tool
Introduction
GP history: Visa level 1 approved hosting facility
Niche product for a specific problem
Reduce BAU cost and the cost of PCI compliance
Reduce the cost of managing 3rd parties
PCI stakeholder engagement
Metering PCI compliance all year long
Less dependency on the QSA, as the baseline is set and agreed
Key USPs
Multiple PCI level GRC tool
Based on the compliance reporting expected by the QSA and the Acquiring Banks
Every item included in the solution is based on key audit points that will be required to show activities over a period of time
Integration and management of 3rd parties
Complete visibility into 3rd party risks, assets, policies and projects
Online registration and data entry
Merchant has complete control over 3rd party PCI compliance
Complete system of record for PCI DSS 3.1
Backbone to PCI DSS 3.1 governance, reporting and compliance
Continuously evolves as PCI requirements change
Complete audit trail across many periods
Fully hosted and accessible from anywhere
Perfect tool for operations to use on an ongoing basis to ensure compliance
Target audience
Level 1 (QSA required): processing over 6M Visa transactions per year.
Level 2 (QSA required): processing 1M to 6M Visa transactions per year.
Level 3 (no QSA required): 20,000 to 1M Visa e-commerce transactions per year.
Level 4 (no QSA required): fewer than 20,000 Visa e-commerce transactions per year, and all other merchants.
What is PCI GRC?
A new concept in the PCI sector
Allows merchants to be organised and structured in the management of their PCI obligations
Puts the merchant in control of its PCI estate
Reduces OPEX on PCI compliance
Breaks down all PCI reporting compliance into manageable tasks distributed across your organisation, with consolidated reporting
Online self-reporting that can be expanded nationwide
Reduces the need for multiple auditors, given the self-assessment capabilities
[Diagram: PCI GRC at the centre, linked to Acquiring Banks, PCI scope, PCI stakeholders, PCI non-compliance, PCI compliance status, policy management, policy change management, PCI 3rd parties, Merchant IDs, payment channels, business units, notification & escalation, compliance dashboard, policy owners & review dates, business demand for MIDs, payment systems, project managers, risk assessment of changes, compliance assessment, SAQs, incident reporting, remediation & approval, incident notification, online self-reporting, policy enforcement, non-compliance reporting, service catalogue]
A consolidated system of records for PCI
[Diagram: PCI GRC at the centre, linked to PCI locations, centralised self-reporting, PCI policies, PCI service catalogue, PCI projects, PCI non-technical risks, PCI 3rd parties and Merchant IDs]
Merchant ID
MID lifecycle
1. MID request: business units complete the online form and select options from it.
2. PCI scope alignment: business units select from a service catalogue within the PCI scope.
3. PCI compliance: the PCI team assesses the request for PCI compliance.
4. Treasury approval: Treasury receives a PCI-compliant request ready for Acquiring Bank submission.
5. Acquiring Bank MID assignment.
6. PCI compliance reporting per MID.
Integration with multiple payment processors
Linking Merchant IDs into your PCI scope
PCI request register/form
1. PCI request form completed.
2. Request is sent to the PCI POC for review and approval.
3. Once the POC approves, it is sent to Treasury for treasury approval.
4. Request approver approves and it is sent to the supplier.
5. Supplier receives the form and enters the confirmation number; confirmation is sent to all parties.
6. Request is archived and added to the PCI scope.
7. Updates to the existing system:
   a. New role called Treasury
   b. PCI location linked to business departments
   c. MID to be associated with each payment channel
   d. Business units to reflect payment scope
   e. Business department to include address,
   f. Acquiring bank to include user accounts
8. Permissions can be set.
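The request workflow above, modelled as an added example (not the vendor's code) that enforces each stage in order and by the owning role, keeps an audit trail, and only places the request in the PCI scope once the supplier's confirmation number is recorded; the role and state names are assumptions for illustration.

```python
# Added example, not part of the PCI GRC product: a minimal model of the PCI/MID
# request workflow (steps 1-6), with separation of duties between the roles.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordered stages: (action, role allowed to perform it). Role names are assumed.
WORKFLOW = [
    ("submit", "business_unit"),          # 1. form completed by the business unit
    ("poc_approve", "pci_poc"),           # 2. PCI POC reviews and approves
    ("treasury_approve", "treasury"),     # 3. Treasury approval
    ("final_approve", "request_approver"),  # 4. request approver, then to supplier
    ("supplier_confirm", "supplier"),     # 5. supplier enters confirmation number
]

class WorkflowError(Exception):
    pass

@dataclass
class MidRequest:
    request_id: str
    stage: int = 0                        # index into WORKFLOW of the next expected action
    confirmation_number: Optional[str] = None
    audit: List[Tuple[str, str, str]] = field(default_factory=list)
    in_pci_scope: bool = False

    def act(self, actor: str, role: str, action: str, confirmation: Optional[str] = None):
        if self.stage >= len(WORKFLOW):
            raise WorkflowError("request already archived")
        expected_action, expected_role = WORKFLOW[self.stage]
        # Right action, by the right role, in the right order; anything else is refused.
        if action != expected_action:
            raise WorkflowError(f"expected {expected_action}, got {action}")
        if role != expected_role:
            raise WorkflowError(f"{action} must be performed by {expected_role}, not {role}")
        if action == "supplier_confirm":
            if not confirmation:
                raise WorkflowError("supplier must enter a confirmation number")
            self.confirmation_number = confirmation
        self.audit.append((actor, role, action))   # every step is recorded
        self.stage += 1
        if self.stage == len(WORKFLOW):            # 6. archive and add to the PCI scope
            self.in_pci_scope = True
            self.audit.append(("system", "system", "archived_in_scope"))
        return self

def notify_parties(req: MidRequest) -> List[str]:
    """Step 5: after supplier confirmation, every role in the chain is notified."""
    return sorted({role for _, role, _ in req.audit if role != "system"})
```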
MID Request - General
MID Request Card Readers
MID Request ecommerce
Managing multiple PCI locations & Business units
PCI Merchant ID: system of record from Merchant ID to risks
The foundation of PCI compliance starts from your Merchant ID. Every activity you carry out is based on the decision of whether the activity is in scope (within the Merchant ID) or out of scope (not within the Merchant ID).
PCI Asset register
PCI GRC approach to asset management
[Diagram: PCI GRC at the centre, linking four asset groups]
Project assets: PCI projects, PCI changes, PCI systems, PCI devices (telephone)
Technical assets: PCI firewalls, PCI routers, PCI devices
3rd party assets: 3rd party PCI systems, 3rd party PCI devices, 3rd party PCI locations
PCI physical locations: merchant-owned locations, 3rd party-owned locations
System of record: PCI reporting range
Merchant ID: Acquiring Bank, business units, business projects, risk assessment
Payment channels: e-commerce, cardholder present, cardholder not present, payment apps, risk assessment
PCI 3rd party suppliers: e-commerce redirect, PCI products & services, 3rd party procurement, PCI service catalogue, risk assessment
PCI change management: software development lifecycle, business acquisitions, new sales projects, new suppliers, due diligence
PCI BAU activities: PCI policies & procedures, PCI QSA & ASV reports, PCI risk management, prioritized approach reporting, PCI SAQs, PCI assets & network elements, network monitoring solutions
PCI asset management
PCI assets linked to risks, policies and projects
Automated PCI asset network monitoring
Integration with PCI asset monitoring tools
PCI 3rd parties
What is the contractual expectation of Acquiring Banks in relation to 3rd parties?
The Merchant must notify Acquiring Banks of all third parties who have access to Cardholder data on behalf of the Merchant (i.e., store, process or otherwise transmit Cardholder data). The Merchant acknowledges such third parties are required by the Card Schemes to be registered, and the Merchant shall cooperate with Acquiring Banks in completing such registration and be responsible for all fees imposed by the Card Schemes in connection therewith.
The Merchant shall notify Acquiring Bank immediately if it becomes aware of or suspects any security breach relating to Transaction Data and shall also (and without prejudice to any other remedy Acquiring Bank have in respect thereof) immediately identify and resolve the cause of such security breach and take any steps that Acquiring Bank may require of the Merchant to do so, including as reasonably necessary the procurement (at the Merchant's cost) of forensic reports from third parties recommended by Acquiring Bank.
The MasterCard service provider compliance list
PCI-compliant PCI service providers are maintained, with automatic notification
Your PCI service providers: Products and services
Visa & MasterCard approved suppliers (validation date)
Managing external providers and their obligations
QSAs and their deliverables
PCI prioritized approach
PCI service catalogue PCI products and service view
PCI products and services placed with merchants
PCI risks with resolution links to suppliers
PCI risk reporting
PCI risk reporting
Records kept to show PCI risk mitigation efforts; lessons learnt can be shared group-wide.
[Diagram: PCI risk reporting fed by the PCI risk register, PCI asset register, business units, suspicious activities, PCI policy register, PCI 3rd parties, customer complaints, anomaly reporting, PCI BAU team notification, PCI project register, contact centres, banned cards and PCI risk assessment]
Online tool available to manager-level or regional-level contacts.
PCI Risk reporting from business units
PCI reporting
PCI prioritized approach
PCI prioritized approach summary
The End info@pci-selfassessment.com