PCI DSS Remediation and Continual Improvement

What is PCI remediation?

PCI DSS remediation is an essential phase for organisations wishing to comply with the Standard. Although implementing these changes can be costly both in time and resources, an expert-driven remediation plan can significantly streamline compliance efforts.

An engagement to implement and improve PCI compliance will normally start an assessment of any gap analysis work that has been done. If items are discovered not to be in place in the organisation, the consultant will formulate a project plan to document the required remediation, including detailed tasks, suggested timeframes, and prioritisation and resourcing requirements.

On conclusion of the assessment, a final report will be produced detailing the compliance status and a business case for executive sponsorship and funding.

Did you know?

Many organisations are overly reliant on external validation assessments for protection and compliance. While a PCI DSS assessment is a point in time event, adhering to the PCI DSS and maintaining PCI compliance is an ongoing process. An annual review can leave an organisation exposed to weaknesses, as controls fail to adapt to changes in the environment. Which is why the recent 2018 Payment Security report identified that:

Two thirds (67%) of organisations approach and manage their PCI DSS compliance as an ongoing program with a formal structure, defined objectives, scope and supporting projects.
Only one third (33%) of organisations are still treating PCI compliance as an annual project.

The benefits of PCI remediation and continual improvement

A PCI remediation and improvement plan can help your organisation to:

Receive help to manage your team’s PCI DSS remediation efforts.

Gain clear, implementable recommendations to bring you back in line.

Obtain accurate estimates and forecasts to gain required budget and sponsorship.

Implement and maintain the appropriate processes and procedures.

Gain support for any necessary policy and procedure documentation.

Clearly define your and service provider responsibilities.

Achieve an improved ongoing state of operations.

Is a PCI remediation service right for you?

If you are responsible for implementing the PCI DSS in your organisation, you should ask yourself:

Has an assessment or gap analysis identified necessary changes;
Has there been a change to the PCI DSS or the interpretation of the PCI DSS;
Has there been a change in your cardholder data environment that was not implemented with PCI controls in mind;
Is there a process or policy that needs refinement;
Have there been personnel changes; and
Has the scope of your assessment changed?

Our engagement process

The service typically involves several days on-site for our consultants to meet with the managers who oversee the PCI DSS programme; key staff involved in network administration and cardholder systems; and the individuals responsible for company procedures and policies.

Talk to us about PCI DSS implementation and continual improvement

Pre-assessment information gathering

During this step, we will review all the remediation recommendations that have been identified by a previous gap analysis or other exercise or source.

Assessment and analysis

Our consultants will then conduct an assessment to reducing the PCI compliance burden and assess your own and your service providers’ responsibilities.

Post-assessment

We will provide a management report outlining the findings of the assessment, along with a detailed project plan to fulfil remediation activities. Where required, we can provide ongoing guidance and consultative support to achieve your compliance goals.

How GRC Solutions can help you

Our PCI QSA services are provided by IT Governance, a GRC Solutions company