Contact FortConsult if you wish to know:
- How to interpret the security requirements in PA DSS
- Whether you have the option of exemption from PA DSS certification
- How to be PA DSS validated in the quickest and most straightforward manner
- How you can minimise your costs in qualifying for PA DSS validation

We can also help you obtain PA DSS validation.
FortConsult is the only Danish enterprise which is certified by the credit card companies to both conduct audits and security scans of enterprises' critical payment systems in accordance with PCI DSS - and to check security in payment software in accordance with PA DSS.
Generally speaking, PCI DSS must be complied with in full within the deadlines that PBS lays down. In practice, this takes place either through an audit being conducted by a qualified security assessor such as FortConsult in order to qualify for PCI DSS validation or by completing a self-assessment questionnaire. FortConsult can provide advice and assistance in both cases.
 
Gap analysis from FortConsult
FortConsult recommends that you first of all consider having a gap analysis carried out in order to identify areas in which you do not comply with PCI DSS. You will then be ready to have a PCI DSS audit conducted in the quickest and most straightforward manner - without running the risk of being rejected by the credit card companies.
 
The gap analysis will help clarify what PCI DSS is all about and where the biggest security issues are to be found. It will also provide answers as to how you can best remedy the areas in which you do not already comply with PCI DSS. The gap analysis results in a description of where you do not comply with the formal technical requirements of PCI DSS. It gives you an overview, in prioritised order, of the areas on which you must focus in order to enhance your security such that you are able to qualify for PCI DSS validation.
 
When the gap analysis has been completed, you are then able to assess whether to continue and have an audit performed or whether you simply wish to develop secure applications on the basis of the new security knowledge you have acquired (provided that there is no requirement from the credit card companies that an audit be carried out).
 
If you are uncertain as to whether you wish to have a gap analysis carried out, you are welcome to call us for a non-binding discussion about the standard in relation to your enterprise. We also have the opportunity to offer you a workshop where we will be able to throw some light on how close you are in overall terms to being able to pass a PCI DSS audit - in the event that an actual gap analysis is excessively complicated for your needs.
 
PCI DSS audit from FortConsult
A PCI DSS audit is designed to test the security of your bank and to have the test report approved by the credit card companies. FortConsult is the only Danish enterprise - and one of only a few in Scandinavia - that is qualified to audit businesses in accordance with PCI DSS on behalf of the credit card companies and their organisation, the PCI Council.
 
When we conduct a PCI DSS audit, we examine your IT security with focus on and around the systems that handle and store credit card numbers, i.e. servers, development environments, backup systems, workstations, networks, branches, ATMs and manual processes.
 
In this review we look at the following areas:
  • The location and configuration of the firewall
  • Password policy and passwords on network units
  • The security of saved data, including deletion, masking of data, access to data, encryption and backup
  • Encryption of data sent via the Internet, by email and wireless network
  • Working procedures for patching and updating of antivirus
  • Procedure for secure development and testing
  • Restrictions on employees' access to card data
  • Restrictions and monitoring of physical access
  • Physical destruction of information on all types of media
  • Monitoring of events on equipment and network
  • Advanced IT and IT security policy
  • Existence of an acceptable IT contingency plan
 
Finally, we draw up a report of the audit and its results.
 
Experienced PCI DSS consultants
Regardless of whether you choose to have a gap analysis or a PCI DSS audit conducted by FortConsult, we will put our experienced PCI DSS consultants at your disposal. They will guide you through the process and at the same time make sure that you acquire as much knowledge as possible of the PCI DSS area. Our PCI DSS consultants are Danish, Swedish and/or English-speaking, and are among only a handful in Scandinavia that are certified by the credit card companies to provide consultancy services and to verify that enterprises meet the requirements of PCI DSS. By using our consultants, you are assured of access to the best possible advice and sparring.
 
Over the years, our PCI consultants have conducted a large number of gap analyses and audits for Scandinavian enterprises. Apart from their skill in quickly understanding the "credit card universe" of our various customers, they are experienced project managers who are able to ensure that major PCI DSS projects enjoy a successful outcome.
 
In addition to gap analyses and audits we can provide assistance with regard to performing PCI DSS scanning, as well as both internal and external PCI DSS penetration testing. Please contact us if you wish to hear more.
 
In the following, you can read more about PCI DSS itself and what it means for European banks:
- PCI DSS certified in 2004 to perform security scans as the first and only company in Scandinavia.
- PCI DSS certified in 2005 to conduct audits as the first and only company in Scandinavia.
- Chosen by the bank sector in Denmark to help all Danish bank data centres to acquire PCI DSS validation due to our early PCI DSS certification, our considerable experience in the PCI area and our extensive knowledge of the financial sector.
- Permanent PCI DSS service provider to all Danish banks needing PCI DSS assistance.
- Has carried out PCI DSS tasks for some of the biggest retail chains in Scandinavia at international level.
- Is today the leading PCI DSS service provider in Scandinavia and the Baltic. We have, for instance, certified more than 60 percent of the enterprises on VISA's list of validated Scandinavian service providers.
- PA DSS certified in 2008 as the first and only company in Denmark - and among the first 14 in the world.