SI Secure


PCI, PCI-DSS and Requirement 6.6 Readiness Consulting

To help you understand the steps you need to take to become compliant, we offer several PCI audit pre-assessment services. Each delivers specific remediation recommendations for the deficiencies we find, so you have an opportunity to fix them before your official audit.

PCI Readiness Consulting

Before the readiness assessment begins, our PCI Team will discuss your specific requirements, conduct the necessary system and policy analysis, and produce a deficiency report and mitigation checklist so you can prepare your systems for the actual PCI certification testing.

Site Assessment
Site assessment is the discovery and documentation of every item PCI DSS v1.1 considers relevant (systems, network connections, cardholder data flows, policies), in preparation for scoping and audit execution. It may be executed partially off-site, through telephone interviews and policy reviews, and partially on-site, through physical inspections and verification of the data collected during the off-site reviews.

Readiness Analysis
After the site assessment, our QSAs continue with a "mock audit," executing the complete PCI certification audit process and producing a PCI deficiency report. The application-layer requirements of PCI DSS v1.1 (Requirement 6 in particular) are often the most confusing for organizations, and we can help you understand where you may fall short of compliance.

Remediation and Validation
Whether we have conducted a mock audit or you have completed the self-assessment questionnaire, we can help you build a roadmap toward compliance, with remediation recommendations that resolve the compliance issues in each area. Certain groups within your organization may require technical training; others may want security assessments of mission-critical applications. These education and assessment services are available as additional value-added solutions.

Certification Reporting
Should your organization pass the readiness mock audit, you may choose to have us complete the PCI DSS 1.1 certification process by developing and filing the necessary reports with the PCI Security Standards Council. In addition, a complete set of card-brand-specific documents will be generated, including letters for Visa, MasterCard, American Express and Discover.

PCI-DSS Readiness Workshop

To help you devise a PCI DSS compliance strategy, Security Innovation offers a solution that combines the PCI consulting expertise of our strategic partner VigiTrust with Security Innovation's best-of-breed application security and PCI audit capabilities.

The 5-day, hands-on workshop is conducted at your facility and tailored to your requirements. The initial assessment, scans, and research are completed off-site and reviewed with you. The final deliverable is a detailed compliance readiness report and plan. Contact us for a free consultation.

Pre-assessment
Questionnaires and initial analysis are conducted. As an Approved Scanning Vendor (ASV), our experts perform an external network security scan and a web application vulnerability scan; the on-site workshop program is then finalized and communicated to you.

On-site PCI DSS brainstorming workshop

This interactive workshop helps us understand your environment and which elements are "in scope" for PCI DSS. We review the results of the initial security scans and discuss how to minimize the scope of PCI applicability (for example, by isolating the systems that store, process or transmit cardholder data), reducing your overall compliance costs.

On-site security assessment
PCI and application security consultants from VigiTrust and Security Innovation will examine existing policies, controls, and software development practices, and interview "in-scope" staff to ascertain the security awareness levels required by PCI DSS. We will also help you construct a staff skills matrix covering IT, HR, Fraud and Operations.

Creation and presentation of compliance report and roadmap
Based on the assessment findings, our experts produce a readiness report that highlights compliance gaps and a planning report that describes the steps needed to pass your audit. The planning report comprises a technical roadmap, a policies and procedures roadmap, and a skills transfer plan.

Complete PCI-DSS preparedness for your enterprise
Upon completion of the PCI workshop, you will have full visibility into your current compliance level against PCI DSS, be able to provide official auditors with an accurate report on compliance, and be in a position to align your policies and procedures with PCI DSS requirements and security best practices.

PCI Requirement 6.6 Readiness

The goal of the PCI standard is to make cardholder data more secure, but being compliant does not necessarily mean the underlying application is secure, as many organizations that have been breached can attest. Software applications are the source of most security breaches (source: Gartner), and the PCI requirements set only a minimum level of security, which can leave confidential data exposed.

Flexible, Secure Solutions
The core of PCI Requirement 6.6 states that all web-facing applications must be protected against known attacks, either by having custom application code reviewed for vulnerabilities (the Council's clarification of 6.6 accepts manual or automated application vulnerability assessment for this option) or by installing a web application firewall in front of them. Our program offers several cost-effective, value-added solutions to help your organization achieve PCI compliance and gain additional security benefits, including:

SOURCE CODE REVIEW
  • Outsourced Web Vulnerability Scan
    Have Security Innovation conduct an automated discovery of common web vulnerabilities augmented by expert analysis, or a deep penetration test, conducted by our security engineers, that employs sophisticated and proprietary techniques to uncover elusive security defects.

  • Outsourced Code Review
    We offer an automated source code scan augmented by expert analysis; alternatively, our security assessment team can combine expert manual review with automated scanning to uncover the highest number of vulnerabilities possible, including business logic flaws that tools cannot detect.

  • Internal Code Review
    For organizations with adequate in-house expertise and resources to run the scans and interpret the results, CxSuite, a next-generation source code analysis tool, is available for purchase.

WEB APPLICATION FIREWALL
Security Innovation has deep experience assessing web application firewalls. We will analyze your organization's systems and infrastructure and recommend the three web application firewalls that best suit your needs and budget.

Our experienced Application Security and PCI Teams can walk you through the short- and long-term benefits of each option and help determine which is the most appropriate and cost-effective. Keep in mind that a web application firewall blocks attacks against known vulnerability classes at the network edge but does not remove the underlying defect from the code; code review does, which is why many organizations choose to combine the two.
Contact us for a free consultation.
