The Payment Card Industry Data Security Standard (PCI DSS) requires any business handling credit card information to maintain a secure environment. But when an organisation is undergoing major change, knowing which areas of the future business will fall within the scope of the standard can be difficult. This was the challenge that faced our client, a major national organisation moving from public ownership into the private sector.
We began by identifying all the business areas, locations, staff and systems involved in processing credit card payments. This allowed us to confirm which business processes and IT infrastructure would be in scope and to establish how planned projects could reduce that scope. Next, we conducted a gap analysis against the latest version of PCI DSS to identify where the client fell short and to recommend improvements, focusing attention only on the areas that needed to be compliant.
We also provided support for de-scoping projects, including conducting an extensive card data discovery exercise. Here, we used 7Safe’s 7seec data discovery software to identify previously unknown card data storage locations on workstations and servers and in e-mail. This enabled the client to remove the data and, where necessary, change the business processes that had caused the data to be stored in the first place.
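Card data discovery of the kind described above comes down to finding digit sequences that look like primary account numbers (PANs) in files and mailboxes, then discarding the look-alikes (order numbers, phone numbers, mistyped digits) before anyone acts on the results. The following is an added illustration of that process in Python, written for this page; it is not 7seec or any 7Safe code, the sample text is constructed and uses public test card numbers only, and the issuer-prefix filter is a simplified assumption rather than a complete issuer table.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of text a discovery sweep reads from files,
# spreadsheets and mailboxes. The card numbers are public test numbers.
SAMPLE_TEXT = """From: refunds@example.invalid
Subject: refund for order 1234 5678 9012 3456

Customer phoned on 0800 123 4567 and read out their card:
4111 1111 1111 1111 exp 12/26 - please refund GBP 45.00.
Second card tried earlier: 5500-0000-0000-0004 (declined).
Typo in the original note: 4111 1111 1111 1112
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run (a 20-digit reference number is deliberately skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every payment card PAN passes it, most other numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_issuer(digits: str) -> bool:
    """Conservative brand/length filter (assumed subset of issuer ranges, not exhaustive)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return True  # Visa
    if 51 <= int(digits[:2]) <= 55 and n == 16:
        return True  # Mastercard, legacy 51-55 range
    if 2221 <= int(digits[:4]) <= 2720 and n == 16:
        return True  # Mastercard, 2-series range
    if digits[:2] in ("34", "37") and n == 15:
        return True  # American Express
    return False


def mask(digits: str) -> str:
    """Keep first six and last four so the finding is traceable without the report
    itself becoming another place where a usable PAN is stored."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    length: int


def find_card_numbers(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid, issuer-plausible PAN candidate in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits) and plausible_issuer(digits):
                findings.append(Finding(line_no, mask(digits), len(digits)))
    return findings


if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE_TEXT):
        print(f"line {f.line_no}: {f.masked_pan} ({f.length} digits)")
```

Run as a script, this reports only the two genuine test PANs (lines 5 and 6), masked; the order number fails the Luhn check, the phone number is too short to be a candidate, and the mistyped card number fails Luhn. A real sweep of the sort described on this page also has to open Office, PDF and mail-store containers and walk every share and mailbox, which this text-only scanner does not attempt; the filtering logic, however, is the same.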
Our client now has a structured approach to de-scope large areas of activity from PCI DSS and to bring the remainder into compliance. This allows the organisation to satisfy the acquirer and the banks that it is making real progress on data security and removing the threat of fines for non-compliance.
If your business handles credit card data and you are interested in benefiting from our payment card scanning service, speak to one of our PCI Qualified Assessors now.