Email Support info@echoinc.ca
Call Support 416.816.5467
Hours of Operation Mon - Fri 0900 - 1700

Compliance

Payment Card Industry (PCI) Services

Like most compliance frameworks, the PCI Data Security Standard (PCI DSS) can be overwhelming and confusing. The PCI Security Standards Council (PCI SSC) states that any business that stores, processes, or transmits cardholder data (CHD) is required to be PCI compliant.

Our consultants leverage their industry and compliance expertise to help your organization fully understand its current PCI compliance responsibilities. Whether you are a small merchant or a payment processor, we offer PCI services to get you started, and we also provide recognized methodologies for Threat and Risk Assessments and Penetration Testing (see our services for more information).

Why PCI Compliance?

PCI DSS groups its twelve requirements under six control objectives:

Build and Maintain a Secure Network and Systems
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

PCI Discovery

At Echo Inc, we have the experience and knowledge to assist our clients with proper scope determination of the cardholder data environment (CDE). This is achieved through interviews with your organization’s subject matter experts (SMEs).

PCI Gap Analysis

After the initial CDE discovery is completed, a “mock” audit will be performed against the applicable PCI DSS requirements. We will identify all requirements found to be deficient and document these shortcomings in a Gap Analysis report, along with recommendations for possible solutions.

Planning for PCI DSS 3.2

Here are some key dates to be aware of for 2016:

April 2016

  • PCI DSS 3.2 is scheduled for publication at the end of April. Publication will include a summary-of-changes document and webinar that provides an overview of 3.2 and the timeline and resources for putting it into place.
  • PCI DSS 3.2 supporting documents including Self-Assessment Questionnaires (SAQ), Attestation of Compliance (AOC) forms, Report on Compliance (ROC) templates, Frequently Asked Questions (FAQ), and Glossary, will also be available at the end of the month.

May 2016

  • PA-DSS 3.2 will be published at the end of May. The changes in PA-DSS 3.2 align with the changes made in PCI DSS 3.2. Information will be provided to PA-DSS application vendors and assessors on how this update impacts their programs.
  • PA-DSS 3.2 supporting documents including Report on Validation (ROV) and Attestation of Validation (AOV) forms, as well as Frequently Asked Questions (FAQ) will also be available at the end of the month.
  • A transition period will be provided to support completion of PA-DSS 3.1 validations already in progress.

October 2016

  • PCI DSS 3.1 will retire six months after the release of PCI DSS 3.2, and at this time all assessments will need to use version 3.2.

For a complete list of current dates, please visit the PCI SSC blog.

Date Change for Migrating From SSL and Early TLS

The PCI Security Standards Council (SSC) is extending the migration completion date (known as the sunset date) for SSL and early TLS from June 30, 2016 to June 30, 2018.

This extra time will allow organizations to put into place a proper strategy for upgrading to a minimum of TLS 1.1. Note that TLS 1.1 is only the floor: the PCI SSC strongly recommends TLS 1.2 or higher. In the meantime, new implementations must not use SSL or early TLS at all, and existing implementations that still rely on them must have a formal risk mitigation and migration plan in place before the sunset date.

For more information, please see the PCI SSC’s blog post.
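A practical first step in a gap analysis is to find every web-server protocol directive that still enables SSL or early TLS. The following checker is an added example written for this page, not Echo Inc code or a PCI SSC tool. It assumes the PCI SSC floor described above (SSL 2/3 and TLS 1.0 must be disabled, TLS 1.1 is allowed but below the recommended TLS 1.2) and Apache httpd 2.4 semantics for `SSLProtocol` (`all` means SSLv3 through TLSv1.3, `+`/`-` add or remove, and a bare protocol name replaces whatever was set before it); the nginx and Apache configuration snippets are constructed samples.

```python
"""Lint nginx / Apache httpd protocol directives for SSL and early TLS.

Added example for the SSL / early-TLS migration section; not Echo Inc code.
Assumptions: PCI SSC floor is TLS 1.1 (TLS 1.2 strongly recommended), and
httpd 2.4 SSLProtocol semantics ("all" = SSLv3..TLSv1.3, a bare protocol
name replaces earlier tokens, +/- add or remove).
"""
import re

CANONICAL = {p.lower(): p for p in
             ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")}
MUST_DISABLE = {"SSLv2", "SSLv3", "TLSv1"}      # SSL and "early TLS"
BELOW_RECOMMENDED = {"TLSv1.1"}                  # allowed floor, but not TLS 1.2
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # httpd 2.4 (assumption)


def _canon(name):
    """Normalise case (Apache accepts 'tlsv1.2'); unknown names pass through."""
    return CANONICAL.get(name.lower(), name)


def nginx_protocols(args):
    """nginx `ssl_protocols` lists the enabled versions explicitly."""
    return {_canon(t) for t in args.split()}


def apache_protocols(args):
    """Emulate how httpd 2.4 folds an SSLProtocol argument list into a set."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        protos = APACHE_ALL if name.lower() == "all" else {_canon(name)}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = set(protos)  # bare token replaces earlier tokens (httpd logs a warning)
    return enabled


DIRECTIVES = (
    (re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.M), nginx_protocols),
    (re.compile(r"^[ \t]*SSLProtocol[ \t]+(.+?)\s*$", re.M | re.I), apache_protocols),
)


def check_config(config):
    """Return one finding per protocol directive, in file order."""
    findings = []
    for pattern, resolve in DIRECTIVES:
        for m in pattern.finditer(config):
            enabled = resolve(m.group(1))
            weak = sorted(enabled & MUST_DISABLE)
            findings.append({
                "line": config.count("\n", 0, m.start()) + 1,
                "directive": m.group(0).strip(),
                "enabled": sorted(enabled),
                "weak": weak,
                "below_recommended": sorted(enabled & BELOW_RECOMMENDED),
                "compliant": not weak,
            })
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed samples: a legacy nginx server block beside its remediated twin,
# and three ways SSLProtocol is commonly written in httpd 2.4.
SAMPLE_NGINX = """\
# constructed sample
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

SAMPLE_APACHE = """\
# constructed sample
SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProtocol TLSv1.2
"""

if __name__ == "__main__":
    for name, cfg in (("nginx", SAMPLE_NGINX), ("apache", SAMPLE_APACHE)):
        for f in check_config(cfg):
            status = "OK  " if f["compliant"] else "FAIL"
            print(f"{status} {name}:{f['line']} enabled={f['enabled']} "
                  f"weak={f['weak']} below_recommended={f['below_recommended']}")
```

Note the Apache case `SSLProtocol all -SSLv3`, which looks hardened but still leaves TLS 1.0 enabled, and the replace-not-add behaviour of bare names: `SSLProtocol TLSv1.2 TLSv1.3` ends up enabling only TLS 1.3. A static check like this only proves what the configuration says; the sunset-date evidence an assessor will want is a handshake test against the live listener as well.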

PCI Requirement 11.3

PCI DSS requires organizations to perform penetration testing to confirm that the cardholder data environment (CDE) and its perimeter are properly segmented and isolated from all out-of-scope networks, and that only the intended ports and services are exposed. Where segmentation is used to reduce scope, requirement 11.3.4 calls for this segmentation testing at least annually and after any change to the segmentation controls.

The requirement also expects evidence that manual testing took place: the report must show that the tester actively attempted to manipulate and bypass controls, rather than relying on an automated scan alone.
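To show what the segmentation half of that evidence looks like in practice, here is an added example of a TCP reachability probe; it is illustrative code written for this page, not Echo Inc's testing methodology. It is meant to be run from an out-of-scope network segment against the CDE address list, and reports any port that accepts a connection as a segmentation failure. Because a probe against real CDE hosts cannot be shown here, the `demo()` function stands in for them with two constructed loopback ports: one with a listener (a failure) and one without.

```python
"""TCP reachability probe of the kind used as evidence for PCI DSS 11.3.4
segmentation testing. Added example, not Echo Inc's methodology. Run it from
an out-of-scope segment against CDE addresses; if segmentation holds, no port
is reported open. demo() stands in for that with two constructed loopback ports."""
import socket
import threading


def probe(host, port, timeout=1.0):
    """Classify host:port as seen from this vantage point.

    open        - TCP handshake completed: a CDE service is reachable (finding)
    closed      - host answered with RST: no listener, but the host is reachable
    filtered    - no answer within the timeout: something is dropping the SYN
    unreachable - local routing/ICMP error (no route, host unreachable, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def segmentation_test(targets, timeout=1.0):
    """Probe every (host, port) pair and summarise what breaks isolation.

    Only 'open' is a segmentation failure. 'closed' is reported separately:
    the CDE host is still reachable at layer 3, which usually means the
    filter is rejecting instead of dropping, or is missing for that port.
    """
    results = {t: probe(t[0], t[1], timeout) for t in targets}
    failures = [t for t, r in results.items() if r == "open"]
    reachable = [t for t, r in results.items() if r == "closed"]
    return {"results": results, "failures": failures,
            "reachable": reachable, "isolated": not failures}


def _listener():
    """Constructed stand-in for a CDE service: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]


def demo():
    """Run the probe against one listening and one closed loopback port."""
    stop, open_port = _listener()
    # Bind and release an ephemeral port so we have one with no listener.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
    report = segmentation_test(targets, timeout=2.0)
    stop.set()
    return {"open_port": open_port, "closed_port": closed_port, "report": report}


if __name__ == "__main__":
    r = demo()
    for target, verdict in r["report"]["results"].items():
        print(f"{target[0]}:{target[1]:<5} {verdict}")
    print("isolated:", r["report"]["isolated"], "failures:", r["report"]["failures"])
```

In a real engagement the target list is every in-scope CDE address and the probe is repeated from each out-of-scope segment (corporate LAN, guest Wi-Fi, DMZ, and so on), with the raw results kept as the tester's evidence. The `closed` versus `filtered` distinction is worth recording even though neither is a failure: a reject tells an attacker which CDE hosts exist, whereas a drop does not.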

Contact us to learn more.