
In the second decade of the 21st century the use of bank cards has become a part of everyday life. Online payment systems are gaining acceptance and mobile payment solutions are on the verge of dramatic evolution. At the same time, theft of consumer financial data can be easy when the information security measures protecting payment card transactions and processing systems operated by merchants, service providers, issuer and acquirer banks are defective.

Since cardholder data is still the main target of cyber criminals, adequate protection of such data must be a top priority for every stakeholder in the payment card transaction process.

In 2006 the leading payment card brands formed the PCI SSC (Payment Card Industry Security Standards Council) with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard (PCI DSS) and spreading the key information security requirements that mitigate bank card fraud risks.

The six main objectives of the PCI DSS standard:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

The standard itself applies universally to every stakeholder in payment card transactions. However, it defines different criteria for merchants, service providers, issuer and acquirer banks. Finding one's way through the different requirement systems is not an easy task, and it may require the help of independent external experts.

AAM Consulting Ltd. offers complete PCI DSS services for every affected market player, ranging from the creation of a PCI DSS strategy for the organization to obtaining and maintaining PCI DSS certification.


PCI DSS organization development

AAM analyzes the relevant processes through interviews with the involved departments. We support the creation of the necessary organizational conditions by assigning the requirements of the standard to the responsible parties within the organization. We support the creation of a PCI DSS strategy for the organization and the coordination with the card schemes (VISA, MasterCard).

PCI DSS scoping, gap analysis

With the help of our experience in bank card processes and PCI DSS preparation projects, we can identify the processes, policies, departments and systems in scope of the standard. We support our clients with the tasks necessary for the gap analysis (creation of dataflow diagrams and network diagrams, mapping of existing regulations and policies to PCI DSS requirements). During the gap analysis, conducted together with our QSA partner (Trustwave), we identify the gaps between the current processes and infrastructure and the requirements of the PCI DSS standard.

PCI DSS remediation planning

As a first step, together with the IT and business departments, we analyze the possibilities for reducing the scope. We define the systems and processes from which cardholder data can be removed. With this step, the costs of PCI DSS compliance can be significantly reduced! For the systems still in scope – working together with the client – we define the most efficient remediation solution (or compensating controls if necessary).

PCI DSS remediation support

During the remediation phase AAM offers program management support and professional quality assurance. We can actively participate in the remediation projects if the client requires it.

PCI DSS certification

The PCI DSS certification is performed by our partner Trustwave, the market-leading QSA company. To date, Trustwave has submitted over 5,000 Report on Compliance (or equivalent) documents to acquirers and card schemes. The vulnerability scans and penetration tests are performed by Trustwave and supported by AAM.

Merchant compliance

The PCI DSS certification requirements for merchants depend on the size and type of the merchant. For the smallest retail companies we provide an integrated PCI solution, and for large companies we provide full-scale PCI DSS services.

Website last updated: 2019.10.01