White Paper - Fintech and PCI DSS Certification


Does your company need to be PCI DSS compliant?

Financial companies operating in the technological space often tell us that they have a ‘trick’, a ‘loophole’ through which they can accept credit card payments without undergoing PCI DSS certification.

This is a common misconception, and in an industry coated in legislation and regulatory requirements, it is one that cannot go unaddressed.

The cost of non-compliance, to start-ups and large corporations alike, is a risk that cannot be overstated.

The Payment Card Industry Data Security Standard (PCI DSS) applies to every company that accepts, processes, stores or transmits payment card data. Its purpose is to protect cardholder data (CHD) wherever it is handled, that is, throughout the cardholder data environment (CDE). The standard achieves this through 12 requirements (each with numerous sub-controls) which, implemented together, substantially reduce the risk of a CHD breach; compliance is assessed against all of them, not a chosen subset. The roadmap to compliance differs according to how your business transmits, stores and processes payments, but for most businesses the following steps will be required:

· Scoping and an initial gap analysis, followed by a work plan for gap mitigation. Scope is determined from network and data-flow diagrams, inventory lists and the current information security maturity (in particular, formal policy). Note that any system that stores, processes or transmits CHD, or that is connected to such a system, is in scope.

· Internal and external vulnerability scans, at least quarterly and after any significant change; the external scans must be performed by an Approved Scanning Vendor (ASV).

· Penetration testing, at least annually and after any significant change, covering both the network and application layers, from inside and outside the CDE.

· Code review, required by PCI DSS Requirement 6.3.2 as part of the system development life cycle: custom code must be reviewed before release by someone other than the original author, who is knowledgeable in code-review techniques and secure coding practices, and any findings must be corrected before release.

· Completion of the relevant documentation: an Attestation of Compliance (AOC) together with either a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ); length varies significantly according to merchant or service-provider level and payment channel.

· Formal validation by a Qualified Security Assessor (QSA) of compliance with all applicable PCI DSS requirements (mandatory for Level 1 merchants and service providers, who must submit a ROC).

· Implementation of an employee security awareness and training programme, to reduce the risk of future non-compliance.

Does this all sound a little extreme and unnecessary for your business?

Well, by outsourcing your payment processing in an intelligent manner, you can significantly reduce the PCI DSS responsibilities that fall upon your business; the scope shrinks, it does not disappear. Depending on exactly how you accept payments, you remain obligated to implement technical security controls to protect CHD. Furthermore, you must validate these controls annually and submit an attestation of compliance (AOC) together with a self-assessment questionnaire (SAQ) to formally certify your compliance.
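The reduced scope only holds if PAN never actually lands on the systems you believe are outside the CDE, and application logs are the classic place where it leaks. The following Python is an added example of the kind of scope-verification check a practitioner runs before signing an SAQ; it is not part of this white paper or of Comsec's tooling. The log lines are constructed, the card numbers are the well-known public test PANs, and the issuer-prefix table is deliberately partial (a real scan would use a full BIN list).

```python
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
# A digit adjacent to the run on either side disqualifies it (part of a longer number).
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Leading digits of the major card brands (illustrative, not an exhaustive BIN table):
# Visa 4; Mastercard 51-55 and 2221-2720; American Express 34/37; Discover 6011, 65, 644-649.
ISSUER_RE = re.compile(
    r"^(?:4|5[1-5]|2(?:22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)|3[47]|6011|65|64[4-9])"
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every genuine PAN satisfies; cuts most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six + last four, the most PCI DSS v3.2.1 Req. 3.3 allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text, filtered by length, Luhn and issuer prefix."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and ISSUER_RE.match(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample log lines (hypothetical); the card numbers are public test PANs.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO  checkout order=10023 token=tok_9f8e7d6c5b4a status=ok
2024-05-01 12:00:02 DEBUG request_id=1234567890123456 route=/pay
2024-05-01 12:00:03 ERROR gateway timeout, raw card=4111111111111111 exp=12/26
2024-05-01 12:00:04 WARN  retry with card=5500 0000 0000 0004
2024-05-01 12:00:05 INFO  amex=378282246310005 approved
"""


def scan_log(text: str) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every PAN found; an empty list means no CHD seen."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((n, pan))
    return findings


if __name__ == "__main__":
    for n, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: PAN {pan} found - this log store is in PCI DSS scope")
```

Line 1 is the tokenised flow this section recommends and yields nothing; the 16-digit request id on line 2 fails the Luhn check, and lines 3 to 5 show the gateway error path leaking a raw PAN, which pulls the logging host, its backups and anyone who can read them into scope. The scanner never prints or stores a full PAN, so running it does not itself create new CHD.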

With over a decade of experience in guiding financial businesses along the path to compliance from A to Z, Comsec is the trusted cyber-security consultancy of most of Israel's leading financial institutions.

We have unparalleled experience in untangling the web that is PCI DSS and paving the most straightforward, efficient path to compliance. In doing so, your business can rest assured that the financial, legal and reputational damage of a CHD breach is far less likely to be incurred. Furthermore, PCI DSS compliance joins the likes of the ISO 27000 series and SOC 2 in demonstrating to your customers and partners that you take information security seriously, and have the certificates to prove it.


About Comsec

For over 32 years, Comsec has been honored to be a trusted advisor to global leaders, delivering the world's broadest portfolio of cybersecurity services. We've helped companies across a wide range of verticals secure their information and operational assets and stay compliant, ensuring that they achieve their business goals.

Our clients rely on us to meet regulatory demands, corporate goals and client demands. They also rely on us to protect the safety of their teams and customers, and free them to focus on core business activities.

As a result, our clients' security and compliance operations grow more efficient and impactful over time, as Comsec Global advisors learn about clients' specific needs and begin to anticipate them.

Need a cybersecurity team you can trust?

Contact us today, and we'll make sure your organization is secure and compliant.

Maya Shnaiderman

