Versos PCI DSS Methodology
Versos has a well-defined approach to assist clients in attaining PCI DSS
compliance, and applies this approach successfully with a variety of
clients. The six-step methodology is detailed in the following figure:

Scope Cardholder Data Environment
It is very important to scope environments correctly within the network.
Scoping involves identifying and pinpointing cardholder data. Versos will
map all the business processes related to credit and debit cards to define
the flow of sensitive card data within the systems.
Gap Assessment
Once the scope has been established, Versos will conduct a Gap Assessment
against the PCI DSS 1.2 standard to determine any areas needing
remediation.
The gap assessment will use an automated compliance scanner to assess
vulnerability scan results and firewall rule-bases, and will also conduct
data discovery on the various systems in the organization to find all
instances of cardholder data.
Versos will then publish the current PCI status in the PCI compliance
management portal for stakeholders, along with executive dashboards and
control details as needed.
Remediation
Versos prepares a detailed remediation plan for the client to close the
gaps and become PCI compliant. Versos will track the remediation efforts and
provide a monthly status dashboard to the client for the remediation steps.
Consultants will also be available to attend onsite meetings to support
remediation efforts as needed, providing expertise to make sure that the
remediation efforts fulfil the requirements of PCI DSS.
Pre-Audit
Versos will manage and, where appropriate, conduct all the operations
required to make sure that an organization is ready for the final
certification phase. All evidence documentation for compliant controls will
be collected, and all remediation activities will be completed by the client
with evidence collected, so that the organization can enter a successful PCI
certification phase.
Certify (PCI Certification)
Versos will deploy a PCI team of Qualified Security Assessors (QSAs) to
carry out an on-site security assessment. After going through internal
quality procedures, the client will be issued a Report on Compliance (ROC),
and the appropriate certification will be submitted to the various credit
card brands as needed.
Continuous Compliance
Versos PCI Compliance Manager, combined with the compliance scanner and
managed compliance services, will streamline the process and assist the
client in remaining compliant with PCI DSS on a continual basis. The
following are some key items that help a client remain compliant on a
continual basis:
Continuous Monitoring: Using a combination of technology, process and
people, Versos will keep track of all PCI control points for clients and
provide continuous PCI posture reports to the client throughout the year.
During this time, the client will be notified to take action if their
posture is falling out of compliance with the latest regulations. Examples
of monitoring activities include:
- Quarterly notification and follow-up to appropriate personnel to
perform PCI activities (such as log reviews, user sign-offs and scans). These
notifications and follow-ups would be a combination of portal-generated and
personnel-generated follow-ups;
- Periodic questionnaires to collect compliance data;
- Periodic review of evidence throughout the year to identify any
non-compliances, with notification to the client for remediation; and
- Monitoring of changes to the client environment (through periodic online
self-assessments and questionnaires) and matching the client environment
against any changes to the PCI standards on a continual basis.
Quarterly Network Scans and Annual Penetration Tests
Versos will perform quarterly scans and annual network/application
penetration tests so that the client remains compliant with PCI DSS.
Annual Onsite Assessment and Reporting
Versos will annually deploy a PCI audit team of qualified personnel to
carry out an on-site security assessment. After going through internal
quality procedures, the client will be issued the Report on Compliance
(ROC), and the appropriate certification will be submitted to the various
credit card brands.