PCI DSS

PCI SSLC firms help organizations achieve and maintain compliance with:

• Initial preparation, including scoping out implementation
• Strategic oversight and program advisory for overall governance
• Implementation or mapping assistance, including remediation
• Assessment and reporting on compliance for validation
• Ongoing maintenance and troubleshooting support

There are four critical factors that should guide your search for a PCI ASV:

• Understanding why you should seek guidance and work with an ASV
• Knowing where to look for an ASV—namely, the PCI ASV list
• Identifying what qualities make an ASV the right fit for you
• Considering other elements of compliance and governance

There are four pillars to successful and efficient preparation for PCI SSF compliance:

• Understanding the scope of the SSF, including both component frameworks
• Meeting the requirements of the Secure Software Standard
• Implementing the Secure Software Lifecycle framework
• Conducting an assessment for validation with a PCI-listed assessor

Finding the right Secure SLC Assessor comes down to looking for four critical factors:

• Assessors must be qualified by the PCI SSC to validate your compliance
• Assessors should provide comprehensive knowledge & preparatory assistance
• Assessors should present other frameworks and regulations required for compliance
• Assessors must be flexible and accommodate your current IT deployment

If your organization was subject to PA-DSS compliance in years past, you may need to achieve PCI Secure SLC certification as soon as possible. The most efficient path begins with scoping before in-depth implementation and assessment—all of which an advisor can optimize further.

If your organization is seeking PCI certification, you’ll need to conduct PCI compliance scans using a PCI ASV. Officially certified scanning vendors are required for one specific part of the DSS, but advisor organizations offering ASV tools can optimize all elements of implementation.

The Summary of Changes from PCI DSS v3.2.1 to v4.0 is an excellent resource for organizations getting started on their journey toward compliance. Key takeaways include:

The PCI DSS 4.0 roles and responsibilities are a critical part of compliance with the new Customized Approach. To use this alternative measure, assessed entities must meet certain implementation responsibilities before assessors generate formal reports to validate compliance.