Versos PCI DSS Methodology
Versos has a well defined approach to assist clients to attain PCI DSS
Compliance. Versos apply this approach successfully with a variety of
clients. This six step methodology is detailed in following the figure:
Scope Cardholder Data Environment
It is very important to scope environments correctly within the network.
Scoping involved identifying and pin pointing cardholder data. Versos will
map all the business processes related to Credit / Debit Cards to define the
data flow of sensitive card data within the systems.
Once the scope has been established Versos will conduct a Gap Assessment
reference to the PCI DSS 1.2 standard to determine any areas needed for
The gap assessment will use an automated compliance scanner to perform
assessments of vulnerability scan results, firewall rule-bases, and also
conduct a data discovery on the various systems in the organization to find
all instances of cardholder data.
Versos will then publish the current status of PCI within the PCI
compliance management portal for stakeholders along with as needed executive
dashboards and control details.
Versos prepare a
detailed remediation plan for the client to mitigate the gaps to become
PCI compliant. Versos will track the remediation efforts and provide
monthly status dashboard to the client for the remediation steps.
Consultants will also be available to attend onsite meetings to support
remediation efforts as needed to provide expertise, to make sure that
the remediation efforts fulfill the requirements of PCI DSS.
Versos will manage and conduct where appropriate all the required
operation to make sure that an organization is ready for the final
certification phase. All evidence documentation for compliant controls will
be collected, all remediation activities will be completed by the client and
evidence collected to be able to get in for a successful PCI Certification
Certify (PCI Certification)
Versos will deploy a PCI team of Qualified Security Assessors (QSA) to
carry out an on-site security assessment. After going through internal
quality procedures the client will be issued a Report on Compliance (ROC)
and appropriate certification will be submitted to various credit card
brands as needed.
Versos PCI Compliance Manager combined with the compliance scanner and
managed compliance services will streamline the process to assist the client
in remaining compliant to PCI DSS on a continual basis. Following are some
key items that assist a client in remaining compliant on a continual basis:
Continuous Monitoring: Using a combination of technology, process and
people, Versos will keep a track of all PCI control points for clients and
provide continuous PCI posture reports to the client throughout the year.
During this time, client is will be notified to perform actions if their
posture is falling out of compliance with the latest regulations. Examples
of monitoring activities include:
- Quarterly notification and follow-up to appropriate personnel to
perform PCI activities (such as log reviews, user signoffs, scans). These
notification and follow-up would be a combination of portal generated and
personnel generated follow-ups;
- Periodic questionnaires to collect compliance data;
- Periodic review of evidence throughout the year to identify any
non-compliances and notification to client for remediation; and
- Monitoring of changes to client environment (through periodic online
self assessments and questionnaires) and matching client environment
against any changes to PCI standards on a continual basis.
Quarterly Network Scans and Annual Penetration Tests
Versos will perform
a quarterly scans and annual network/application penetration tests to remain
compliant to PCI DSS.
Annual On-site Assessment and Reporting
Versos will annually deploy a PCI
audit team of qualified personnel to carry out an on-site security
assessment. After going through internal quality procedures the client will
be issued the Report on Compliance (ROC) and appropriate certification will
be submitted to various credit card brands.