PCI compliance is crucial to card data processors and other service providers that have card data at the core of their business. An assessment is conducted once a year, but the required security level must be maintained all year round. If your business is not compliant at all times, it may fail to achieve compliance at the next audit.
The PCI Standard demands compliance throughout the year. A breach of a single PCI sub-requirement at any point during the year can lead to non-compliance. This cannot be corrected retrospectively and can cause significant damage to a business.
Some typical reasons for failing an assessment that we often see in the field are:
- Procedures are not followed throughout the year, e.g. reviews, scans and patching
- Systems suddenly fail, e.g. automatic log collection, time synchronisation
- Non-compliant changes to configurations
- New manual processes
- Changes in the PCI Standard or PCI Support Documents
We help our clients avoid these scenarios by conducting a mid-year assessment of the important areas, while there is still time to remediate critical problems before the annual audit. During the mid-year assessment, we also take time to discuss current trends within IT security and changes to the PCI Standard. It is also the best opportunity to discuss secure design in the implementation of new systems and structures.
FortConsult QSAs have deep and broad experience as IT security consultants, and are able to give you a nuanced picture of your situation rather than merely tick boxes. They are equipped with tools to help you move beyond compliance (read: minimum requirements) and on to a higher level of IT security maturity.