A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
PCI DSS Compliance Management & Consulting Service PCI Consulting Expertise That Streamlines Compliance Efforts Compliance Guidance PCI DSS v4.0 Services Overview Customized Solutions Resources Contact Us What is The Difference Between PCI DSS Compliance & PCI DSS Certification? If your organization accepts, stores or transmits cardholder data (CHD), it must comply with the PCI DSS standard. This requires annual validation/proof by most merchant processors and is a way of demonstrating that your environment is secure. Based on the number of card transactions you complete annually, you’ll need a self-assessment questionnaire OR an independent onsite audit. As standards and requirements evolve, maintaining compliance and performing assessments can become a yearly struggle. PCI DSS Level 1 Merchant Requires a Report on Compliance (ROC), completed by a Qualified Security Assessor (QSA) after a PCI DSS audit PCI DSS Level 2 Merchant Requires a Report on Compliance (ROC) OR appropriate Self-Assessment Questionnaire (SAQ) – there are nine different versions; the way your business handles payment card data determines the one you need PCI DSS Level 3 Merchant Requires appropriate Self-Assessment Questionnaire (SAQ) Image What Does PCI DSS Certification Require? Depending on your organization’s merchant level status (1, 2 or 3), PCI DSS Certification may be required by the PCI Council. Organizations need compliance management teams with significant PCI experience but finding staff with the requisite expertise can be daunting. Proof that your organization is doing everything it can to protect CHD Requires proper firewalls and infrastructure Hardening standards and purpose built systems Latest in data encryption Restricted cardholder data access (electronic and physical) Multi-Factor Authentication Appropriate tracking and monitoring of network resources and data Security scans and tests of technologies and processes Up-to-date antivirus software Security IT governance and executive-level management PCI DSS v4.0 – What You Need to Know PCI Compliance is about to get even more complicated. Why? PCI DSS 4.0 brings even tighter controls, customized implementation, authentication, encryption and testing frequency. PCI DSS 4.0 Transition Dates End of March 2022 PCI DSS 4.0 goes live July 2022 QSAs can begin performing 4.0 assessments March 2024 PCI DSS v3.2.1 will be retired and no longer be compliance standard Q3 2022 - Q4 2024 Implementation windows for all “evolving” controls Q1 2025 All “evolving” controls become mandatory Key PCI DSS 4.0 Changes Documented Responsibility Requirements / RACI Effective immediately for all v4.0 attestations Targeted PCI Risk Assessment Requirement* Automated phishing detection required E-Commerce Changes* Web application firewalls enforcement Tamper protection on payment pages SIEM and Manual Reviews Insufficient* Automated reviews and alerts are required Internal Vulnerability Scanning* Authenticated scanning required Data Governance* Identify all stored, processed, or transmitted cardholder data (CHD) Data loss prevention (DLP) tools and incident response plans must identify CHD outside Cardholder Data Environment (CDE) Sensitive Authentication Data* Mandatory encryption before authorization Passwords* 12-character password enforcement (previously 7) SSO passwords must be rotated every 90 days Multi-Factor Authentication (MFA) is required for all user access into the CDE What Are The Challenges of Moving to PCI DSS v4.0? PCI DSS v4.0 introduces many industry-aligning requirements and new technical controls not seen in previous versions of the standard. Image Gap Identification Addressing the unknown by identification of missing or under-addressed controls Image Strategy Planning of scope reduction strategies and PCI compliance roadmaps Assistance with remediation planning and execution Image Compliance Reporting QSA experts to complete annual onsite assessments for SAQ, ROC and ROVs Go Beyond PCI DSS Compliance “Checklists” With Optiv Optiv is a Qualified Security Assessor (QSA) PCI DSS consulting services from Optiv can help minimize the cost and complexity of building, implementing and managing a PCI DSS program. We’re an extension of your onsite compliance team: pass critical and resource-intensive tasks to our team of PCI DSS experts. We’ll minimize the burden of PCI DSS compliance while aligning security requirements, technology and business goals to manage risk cost-effectively. PCI DSS Consulting with Optiv Turn your compliance efforts into a competitive advantage, improve decision-making, enhance agility and leverage business insights. Our PCI DSS consulting services are part of our broader enterprise risk and compliance offerings that include services for standards and frameworks such as HIPAA, CCPA, GDPR, Sarbanes-Oxley, NIST CSF, ISO27001/2, cloud security compliance and more. Image Advise Through executive workshops, readiness reviews and a PCI risk assessment we will help your team be prepared for PCI compliance attestations certification. Deploy Implementing remediation plans or PCI compliance strategies can take time. Clients often find it challenging to navigate through change windows, resource time and having the right tool to ensure compliance. PCI IT governance programs aid in compliance policies, procedures and maintenance schedules to ensure PCI compliance throughout the year and preparation for compliance assessments. Operate A robust program with reporting necessary for PCI annual compliance assessments, ASV scanning, application assessments and PCI penetration testing, and staff augmentation with expert QSAs. Learn More About Optiv’s PCI DSS Advisory Services Keeping pace with Payment Card Industry Data Security Standard (PCI DSS) compliance will require clients to follow daily, weekly, monthly, quarterly, semi-annual and annual maintenance procedures. PCI DSS has approximately 500 controls which the client will need to prove they meet each year. Optiv offers several services to help our customers meet their PCI compliance challenges. Readiness Assessment PCI Risk Assessment PCI Gap Assessment Approved Scanning Vendor (ASV) Scanning Service PCI and Segmentation Penetration Testing PCI QSA Retainer Solution Implementation QSA-Provided SAQ Guidance QSA Completed SAQ Report on Compliance (ROC) PCI Compliance as-a-Service Secure Software Assessment Designated Entities Supplemental Validation (DESV) or PCI Program PCI DSS Compliance Success Stories Finding Gaps and Identifying Steps to PCI Compliance An online service’s website needed a thorough review of its overall security environment to help ensure that it was compliant with PCI standards in preparation for future audits. See how the company worked with Optiv to review its current environment, help identify gaps and deficiencies and provide recommendations for remediation in this infographic. Learn more. Previous Next Achieving PCI Compliance and Protecting Customer Data A restaurant chain collecting customer data with point-of-sale (POS) systems at more than 200 locations experienced a breach and needed to remediate for PCI compliance. Though their connection to the primary data center was secure, several POS systems were compromised with data-stealing malware. Read about how the company worked with Optiv to protect its network. Learn more. Previous Next Get Customized PCI DSS Advisory Services PCI DSS is complicated. With Optiv’s PCI DSS Advisory Services, you’ll get the expertise and the confidence to: Accelerate the rollout and improvements of compliance programs. Bring compliance efforts to the next level, moving from a checklist approach to a business-aligned strategy. Enhance efforts to address risk more effectively and advance business goals. Image PCI Compliance eBook How’s your PCI program running? Is your PCI DSS compliance a yearly struggle? Go beyond checking boxes. Get some best practices for remediation, environment assessments, reporting and ongoing management. Image PCI Compliance Checklist With the security and regulatory landscape constantly changing, your organization could lack visibility into your PCI environment, leading to inaccurate scope and unidentified risk. Are you moving to the cloud or increasing reliance on third parties with limited staff experience? Constant regulatory changes contribute to gaps in PCI compliance management. Get a checklist of things to consider when reviewing or looking to implement a PCI program. Image Secure Payment Lifecycle White Paper Optiv encourages you to think beyond a PCI checklist and embrace a unique, holistic secure payment approach. Leveraging existing PCI compliance foundations and technology investments while incorporating leading cybersecurity best practices enables you to build a secure payment lifecycle. In addition to innately gaining compliance, SecurePayment@Optiv enables merchants to address consumer experience, data privacy and business-wide data protection challenges. Speak to an Optiv PCI Compliance Expert