Active Audit Agency

tel: +38(044) 228-15-88

e-mail: info@auditagency.com.ua


INFORMATION SYSTEMS AUDIT TO COMPLY PCI DSS

What is it?

The Payment Card Industry Data Security Standard (PCI DSS) is intended for the secure processing, storage and exchange of payment cardholder data in the international electronic payment systems supported by Visa, MasterCard, American Express, JCB and Discover.

PCI DSS is a set of formalized requirements for information systems that process and store payment card data, and for the systems connected to them.

The clauses of the standard describe the following:

  • Building and maintaining a secure network for data processing;
  • Protection of cardholder data;
  • Vulnerability management;
  • Implementation of strict access control measures;
  • Regular network testing and monitoring;
  • Development of an information security policy.

Why do you need this?

PCI DSS requirements are mandatory for all banks on the territory of Ukraine, and cover all companies that process, store or exchange payment cardholder data. For example, these are merchants (such as retail stores and e-commerce systems) and service providers that process, store or transmit payment card data (processing centers, payment gateways, call centers, backup repositories, personalisation bureaus (companies that personalise cards), etc.).

If your company stores, processes or transmits information about at least one card transaction or cardholder during a year, then it is subject to PCI DSS compliance. International payment systems may impose fines on organizations that are required to pass a PCI DSS compliance audit annually but do not do so.

As a result of the audit for PCI DSS compliance you will:

  • Comply with the requirements of the international payment systems;
  • Build a public reputation as an honest brand with a strong position on the market and, as a result, increase customer confidence;
  • Grow your customer base, which helps the whole business grow;
  • Avoid and/or significantly reduce IT risks;
  • Reduce the risk of confidential information leakage;
  • Increase the information security awareness of your personnel.

How is an audit for PCI DSS compliance conducted?


In order to receive a PCI DSS certificate, your company has to prepare the information system (or systems) that process and store payment cardholder data to comply with PCI DSS requirements, and then have an audit conducted by a certified company.

A PCI DSS compliance certification audit can be conducted only by companies that hold QSA (Qualified Security Assessor) status. The official list of QSA companies is published on the official PCI SSC site.

The certification process can be divided into two stages:

  • Preliminary audit, as a result of which you receive a list of all non-conformities and vulnerabilities, together with recommendations for removing them. Additionally, a vulnerability scan (test) has to be conducted in order to comply with PCI DSS.
  • When all identified vulnerabilities have been eliminated, you may proceed to the certification audit. After this audit you will receive a PCI DSS certificate.

We offer:

Active Audit Agency is able to conduct a preliminary PCI DSS audit before you start the certification process, and to provide consulting in order to successfully complete this task. This allows you to identify shortcomings and receive the necessary recommendations to remove them, to analyse risks, and to be confident of successful certification in the future.

Active Audit Agency performs the following tasks during a PCI DSS preliminary audit:

  • IT infrastructure audit for PCI DSS compliance;
  • Penetration testing of IT systems;
  • Preparation of business and technical requirements for IT and IT security projects;
  • Project documentation development;
  • Process implementation;
  • Implementation of technological solutions.