PCI-DSS Transformation Consulting and Certification Solution
Our client is an IT company that creates an ecosystem of new products and services, including the development of mobile apps, exploration of artificial intelligence, and a focus on big data development. The company is part of a larger conglomerate, one of the world's leading diversified mining and smelting groups with fully integrated mining, processing, energy production, and logistical and marketing operations.
Our client wanted to transform its compliance posture from its current state to the state required for successful PCI-DSS certification, and to create a set of measures for ongoing maintenance of that certification. Our client needed a partner who could deliver consultation as well as an independent and impartial audit per the PCI Charter, the pre-requisite for PCI-DSS compliance certification.
SoftServe was tasked with the project to deliver a comprehensive PCI-DSS Transformation and Certification Solution.
The project was divided into two phases:
- The Transformation Phase focused on transforming our client's infrastructure, business processes, and compliance status against the PCI-DSS requirements.
- The Certification Phase focused on the independent audit of compliance, per the PCI certification guidelines.
Each phase was divided into sub-phases, each with its own objectives and deliverables.
Phase 1 was divided into five sub-phases - Discovery, Initial Assessment, Detailed Assessment, Remediation, and Maintenance. Each of these was further divided into sub-phases. During Phase 1, SoftServe conducted the following:
- Presented a brief overview of PCI-DSS to ensure consistent understanding
- Developed an understanding of the cardholder data environment and its scope
- Reviewed the proposed network segmentation and 'assessment sampling', where applicable
- Reviewed the 12 PCI-DSS requirements in detail, to provide assurance that the best path to compliance was being taken, and to provide appropriate guidance where it was not
- Where appropriate, additional compensating controls were considered for implementation
- Helped to confirm priorities to achieve compliance as quickly as possible
- Reviewed the business process and technical architecture maps/designs
- Provided recommendations regarding remediation activity
On completion of Phase 1, all findings of the workshop and review were documented in a report. This report confirmed that the proposed remediation plans were PCI compliant and highlighted any risks. It also contained additional recommendations on activities to be carried out during the compliance program, presented as a roadmap with clear goals to meet the required compliance timescales.
Phase 2 was divided into three sub-phases - Audit Initiation, Pre-assessment Audit, and Certification Assessment - each of which was further divided into sub-phases leading to the PCI-DSS certification.
All sub-phases before the certification assessment were provided to ensure our client implemented all necessary recommendations and controls and was fully prepared for the certification audit.
Our client's PCI-DSS Transformation Roadmap was divided into three sub-phases:
1. Audit Initiation
- Provision of Pre-requisites - Provided a list of pre-requisites required for the certification audit
- Cardholder Data Environment - Documented and provided evidence around the CDE and ensured that the needed segregation was in place
- Evidence and Documents - Developed a list of acceptable evidence of compliance and the required mandatory documents
2. Pre-Assessment Audit
- Pre-Requisite Review - Reviewed the readiness status of the pre-requisites identified during the first sub-phase (Audit Initiation)
- Objective Evidence Review - Reviewed objective evidence of conformance to the PCI-DSS requirements to determine its suitability for certification
- Document Review - Reviewed mandatory documentation for its conformance to PCI-DSS certification requirements
- Non-Conformance Report - Developed a list of non-conformances identified during the initial reviews and recommended corrective actions
- Recommendations - Provided recommendations for the remediation of non-conformances identified during the audit
3. Certification - SoftServe was involved as a consultant during this stage
- Mandatory Audit Readiness - Prepared for the QSA audit required periodically for PCI-DSS certification
- Periodic Scanning Readiness - Prepared for the ASV scanning required periodically for PCI-DSS certification
SoftServe completed a PCI-DSS Security Assessment and prepared a Report on Compliance, including all the charters officially required by PCI-DSS.
SoftServe helped our client to carry out all the business transformations needed to achieve PCI-DSS certification, delivering:
- PCI-DSS certificate and compliance
- Detailed consulting for a smooth transition
- Provided measures and recommendations for ongoing maintenance of the certification