PSC's unique service offering in this area focuses on managing ongoing compliance activities to reduce deviations and exceptions; establishing a transition plan and compliance activities to meet new security standards; reducing annual PCI DSS assessment time and overall effort by managing continual demonstration of compliance; and increasing compliance by eliminating compensating controls and monitoring important security activities. Maintaining PCI DSS compliance between assessments is an extremely challenging proposition; it cannot be treated as a once-a-year event.
Maintaining PCI DSS compliance can be difficult throughout the year, and then the entity is faced with the yearly assessment, remediation, and a race to achieve compliance before the anniversary date. Constant maintenance and continued vigilance are required to promote best practices across the organization and to prevent a security breach or data compromise.
PSC can implement a yearly program that spreads the assessment challenge over the entire year, with monthly check-in calls and quarterly onsite visits by a QSA to assist in maintaining compliance.
Each quarterly visit covers a selection of PCI DSS requirements, reviews the prior quarter's evidence gathering, and establishes that the activities that should take place on a regular basis have been performed.
These activities include review of firewall rule changes; updates to software and patches; updates to configuration standards; development code reviews; new employee background checks; media inventories; quarterly wireless scans; external quarterly ASV scans; internal scans; penetration testing; training of staff (awareness, secure development and incident response); and monitoring of service providers' PCI DSS compliance status, among others.
The advantage of quarterly PCI-DSS reviews: