157PCIA Base

Payment Card Industry (PCI) Assessment

    Service Overview

    Credit card processing has become a vital function for most businesses. As technology advances, so do the methods by which card payments can be processed, allowing revenue to be captured and recognized faster. The same advancements, however, introduce new compliance risks and challenges.

    A PCI assessment is the first step, and a critical one, for any business required to demonstrate PCI compliance to its acquiring bank. This PCI Assessment provides a comprehensive foundation for PCI compliance.

    Objectives

    The objectives of this initiative are as follows:

    • Conduct an independent third-party assessment to determine Payment Card Industry (PCI) scope
    • Identify business practices that can be modified to reduce the scope and applicability of PCI controls
    • Identify compliance gaps against the Payment Card Industry Data Security Standard (PCI-DSS), based on the defined scope
    • Develop a prioritized, actionable plan for remediating compliance gaps

    Methodology

    This PCI Assessment is based on: Payment Card Industry Data Security Standard (PCI-DSS) v4.0.1

    This PCI Assessment consists of the following phases:

    • INITIALIZATION MEETING - DeepSeas will host an initialization meeting to conduct introductions and familiarize Client with the initiative. This meeting will be no longer than sixty (60) minutes and it is intended to review the objectives, methodology, scope and deliverables in the Statement of Work.
    • PLANNING - Preparation necessary to conduct an effective assessment, including:
      • SCOPE DEFINITION - Identifying the assets that will be the focus of the assessment, including people, process and technology;
      • SCHEDULE DEVELOPMENT - Scheduling, project plan creation and resource identification.
    • ASSESSMENT - Evaluation of security controls applied to the assets defined in the Planning phase, including:
      • INTERVIEWS - Interviews with Subject Matter Experts, business leaders and other parties with knowledge of credit card handling processes;
      • GAP ASSESSMENT - Assessment of the in-scope controls against the requirements of PCI-DSS v4.0.1
    • DOCUMENTATION - Documentation of all deliverables, including payment channel inventory, summary assessment findings, and prioritized approach.
    • REPORTING - If Client is determined to be PCI compliant at assessment end, assist with documentation of the Self-Assessment Questionnaire (SAQ) required for PCI compliance.
    • PRESENTATION - Presentation of findings to Client.
    • TRANSITION MEETING - DeepSeas will host a transition meeting to assist Client with next steps.

    Deliverables

    DeepSeas will produce the following deliverables:

    1. SUMMARY FINDINGS - DeepSeas will deliver a report summarizing the compliance gaps identified and the recommendations for remediating them.
    2. PRIORITIZED APPROACH - DeepSeas will deliver the completed Prioritized Approach used during the assessment to record compliance status by requirement, which orders remediation of the identified gaps by milestone.
    3. LIST OF GAPS (RISK REGISTER) - DeepSeas will document gaps identified during the engagement in a Risk Register that the Client can then use to conduct risk management. The Risk Register is not managed by DeepSeas as part of this project unless vCISO Strategy & Governance is included in this proposal.
    4. DATA FLOW DIAGRAM - DeepSeas will deliver a data flow diagram for one (1) of Client's in-scope payment channels.
    5. SELF ASSESSMENT QUESTIONNAIRE (IF COMPLIANT AT ASSESSMENT END) - DeepSeas will assist in the documentation of the Self-Assessment Questionnaire attesting to Client's compliance with in-scope requirements.
    6. FINDINGS PRESENTATION - DeepSeas will deliver an onsite, in-person presentation to review the results of the initiative.

    Service Assumptions

    PROJECT-SPECIFIC ASSUMPTIONS

    1. Assessment interviews require participation from all client business units processing, storing, and/or transmitting cardholder data. Controls assessment requires participation from key stakeholders as determined by in-scope controls.
    2. DeepSeas will provide a project memo template (not customized) for use at the discretion of the client detailing high-level objectives of the PCI Assessment.
    3. The client will include the DeepSeas delivery team on scheduled invites leveraging the Client's video conferencing platform.
    4. All finding reports reflect a point-in-time assessment, are delivered in draft form, and are finalized after one finding review meeting with the client.
    5. DeepSeas cannot conduct a PCI assessment for clients that use a commercial Payment Application to store, process, or transmit cardholder data (CHD). Validation of such applications is the responsibility of the application vendor under the PCI Software Security Framework (PCI Secure Software Standard), which replaced PA-DSS when the PA-DSS program was retired in October 2022; the Client's own use of the application remains subject to PCI-DSS requirements but is outside the scope of this assessment.
    6. Additional merchant IDs beyond the seven (7) listed in scope are subject to a change order.
    7. DeepSeas is not a Qualified Security Assessor (QSA) company. This engagement therefore does not produce a Report on Compliance (ROC) or a QSA-signed Attestation of Compliance; the Self-Assessment Questionnaire and its Attestation of Compliance are signed by the Client's own authorized officer.

    Client Responsibilities

    The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.

    1. Client to assign a point of contact (POC) responsible for client coordination and logistics.
    2. The client is responsible for scheduling and coordination of internal client resources for all project work.
    3. Client to return completed interview schedule within two (2) weeks of initialization meeting.