PCI DSS Validation

Regardless of whether Servadus is the lead assessor or part of the supporting cast, our processes and team are attuned to the needs to obtain, maintain, and demonstrate Payment Card Industry Data Security Standard (PCI DSS) compliance. Service Providers and Merchants approaching the annual validation of the 400-plus security controls need a balance of technology and people for a smooth process in determining that all controls are in place. With Servadus, all controls go through a four-step process to ensure your team understands the request for evidence, knows when the evidence went to the assessor, can determine when the evidence review is complete, and can see whether the evidence was accepted.

Pre-Assessment

Prior to the start of the assessment, your company will provide details to the Servadus team to:
  1. Confirm that each compensating control is complete and approved by the appropriate authority.
  2. Validate the scope of the Card Data Environment (CDE) for segmented or unsegmented environments as presented to the assessor.
  3. Determine that the network diagrams are current per the CDE review.
  4. Confirm that major events such as penetration testing are complete.
  5. Review any client-recommended alternatives for physical security visits.
  6. Determine the PCI DSS Validation Start date.
  7. Complete the physical and technical sample selection for the assessment.

Assessment

Once the pre-assessment steps are complete, each PCI DSS assessment has six major milestones. The assessment milestones are:
  1. Servadus issues the request for the standard and sample evidence items.
  2. Evidence provided to Servadus on the client hub gets a review for compliance based on the PCI DSS and the Company Policy.
  3. On-site visit for in-person interviews and physical security assessment.
  4. The client company completes the remediation of all controls not in place within 40 business days and provides new evidence items to Servadus for review.
  5. Upon successful review of evidence determining that all controls are in place, Servadus will provide the Attestation of Compliance (AOC) for signature by the client and assessors.
  6. Start Compliance Oversight activities to maintain continued compliance.

Dashboards and Status

The Servadus Client Hub integrates project management, daily workflow, and real-time reporting. The Delivery Hub is available to Project Leads as well as Senior and Executive leads to see requested items, evidence provided, and the status of the assessor review. All comments and notes are within the hub for ease of access and coordination.

Deliverables


PCI Readiness Assessment

There are many reasons to determine the health of a company's PCI program: preparations for an upcoming merger, changes made after recent acquisitions, a post-modernization implementation, post-breach action, or changes in key security elements, compliance staff, leaders, or team members. The goal of the Readiness Assessment is to get a baseline on security for internal use. A readiness or gap assessment retains the core elements of a formal PCI DSS validation while providing flexibility in the approach to controls that are not in place. It also allows Servadus to provide deliverables that support a new strategy plan. The same expert assessors follow the same major steps of a PCI DSS validation to determine whether security controls are in place. In cases where the client does not have the Pre-Assessment items, Servadus provides an optional consulting package to prepare Pre-Assessment evidence. The Readiness Assessment includes forty hours of remediation consulting in addition to optional consulting packages for post-assessment work.

Pre-Assessment

All Pre-Assessment activities must be complete prior to conducting the assessment. To start the Pre-Assessment, your company will provide details to the Servadus team to:
  1. Confirm that each compensating control is complete and approved by the appropriate authority.
  2. Validate the scope of the Card Data Environment (CDE) for segmented or unsegmented environments as presented to the assessor.
  3. Determine that the network diagrams are current per the CDE review.
  4. Confirm that major events such as penetration testing are complete.
  5. Determine the Readiness Assessment start date.
  6. Complete the physical and technical sample selection for the assessment.

Assessment

Upon completion of the Pre-Assessment readiness checks, there are six major milestones for the Assessment. The assessment milestones are:
  1. Servadus issues the request for the standard and sample evidence items.
  2. Evidence provided to Servadus on the client hub gets a review for compliance based on the PCI DSS and the Company Policy.
  3. On-site visits for in-person interviews and physical security assessment are optional for Readiness Assessments.
  4. Upon successful review of the evidence provided within the predetermined timeframe, the assessor will prepare the Assessment Report.
  5. The assessor will prepare an executive overview and recommendations.

Dashboards and Status

The Servadus Client Hub integrates project management, daily workflow, and real-time reporting. The Delivery Hub is available to Project Leads as well as Senior and Executive leads to see requested items, evidence provided, and the status of the assessor review. All comments and notes are within the hub for ease of access and coordination.

Deliverables


Project Consulting

Business, like life itself, has many seasons. There are times of exceptional growth, mergers, and modernization. In each case it is up to the business to change its business processes and IT systems, and those changes require updating or implementing security features. During the changes, your organization needs the capability and capacity to focus on the business needs and risks while providing a positive experience for the users. The Servadus staff is available to provide the resources that give your organization the capacity and capability it needs to implement security modernization over a period of one month to one year. This virtual Chief Information Security Officer (vCISO) support is available to serve as the CISO or to assist the current CISO in ensuring that cybersecurity and compliance programs are best in class.

Project Consulting Approach

Depending on your needs, the Servadus team can lead the project with an online project plan and an optional secure document exchange. The Servadus team will support remotely or onsite as agreed in a Letter of Engagement.

Deliverables


Consulting Retainer

There doesn't need to be an incident to get the right help. It is never too early to plan for unplanned changes and challenges. Unlike an incident response retainer, this service is for proactive cybersecurity activities. The Consulting Retainer is available for immediate use or for when you need a helping hand. This offering is available for shorter engagements, starting with a one-week package. When you need a second opinion, help with implementation, added capacity, or general advice, this is the package for you.

Consulting Retainer Approach

Services are available remotely or onsite as needed and coordinated. Consultants are available to operate as an external vendor or integrated with your business processes. Time can be used on an impromptu basis as outlined in a Letter of Engagement.

Deliverables


SWIFT CSP Assessment and Consulting

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, is a global messaging network used by banks and other financial institutions to quickly, accurately, and securely send and receive information, such as money transfer instructions. To ensure the security of the messages, SWIFT established the Customer Security Controls Framework (CSCF). The CSCF has a mix of mandatory and advisory security controls. The three objectives of the controls are to secure the SWIFT environment, to know and limit access, and to detect and respond to threats. Organizations that are members of SWIFT have the responsibility to implement the controls and attest to their status on an annual basis. Following the attestation, SWIFT members must complete an assessment of the security controls by an independent assessor. The Servadus SWIFT package provides support to prepare the KYC-Security Attestation application (KYC-SA), complete the "Community Standard Assessment", and support in determining cybersecurity gaps and risk.

Pre-Assessment Attestation

Prior to the start of the assessment, the KYC-Security Attestation application is completed. Specific tasks are:
  1. Reviewing the Attestation application for Business Identity Connection (BIC)
  2. Determining the Advisory controls to assess
  3. Determining the assessment start date
  4. Submitting the KYC-Security Attestation
  5. Conducting Remediation of high risk items

Community Standard Assessment

Once the pre-assessment steps are complete, each SWIFT BIC assessment has six major milestones. The SWIFT Assessment milestones are:

  1. Servadus issues the request for the standard and sample evidence items.
  2. Evidence provided to Servadus on the client hub gets a review for compliance based on the SWIFT CSCF.
  3. On-site visit for in-person interviews and physical security assessment.
  4. The client company completes any remediation of controls by 15 November and provides new evidence items to Servadus for review.
  5. Upon successful review of the evidence, Servadus will provide the Community Standard Assessment report.
  6. Start Compliance Oversight activities to continue compliance.

Dashboards and Status

The Servadus Client Hub integrates project management, daily workflow, and real-time reporting. The Delivery Hub is available to Project Leads as well as Senior and Executive leads to see requested items, evidence provided, and the status of the assessor review. All comments and notes are within the hub for ease of access and coordination.

Deliverables
