Payment Card Industry

Helping you comply with the Payment Card Industry Data Security Standard (PCI DSS)

Any company that accepts credit cards for payment must comply with the Payment Card Industry Data Security Standard (PCI DSS). Failure to do so could mean substantial fines and penalties for the organization. Additionally, a security breach in which credit card data is exposed can damage a company's image and reputation. Despite these realities, many merchants and service providers are still not PCI-compliant, for the following reasons:

  • A lack of understanding of the standard and timelines for compliance
  • An underestimation of the complexity and cost of remediation efforts
  • Compliance fatigue resulting from a range of other programs that take away from doing "real work"

How PricewaterhouseCoopers can help

There are many ways to achieve compliance with the PCI DSS. We believe that a very effective approach is to view it not as another compliance requirement but rather as a real opportunity to reduce information risk. Organizations that focus solely on stand-alone compliance efforts can have a false sense of security, since getting compliant is easier than staying compliant.

A risk-based, integrated approach can create a more secure and efficient — as well as compliant — organization. PwC has developed a five-phase approach that enables PCI compliance through the identification and remediation of risk associated with payment card data.

Phase 1: Data flow analysis
The first phase in becoming PCI-compliant involves identifying and documenting the entire merchant-payment environment. This includes:

  • All processes (electronic and non-electronic) that involve PCI-related data
  • Payment card data entry and exit points
  • All systems, applications, data stores, and supporting infrastructure involved in the processing, storage, and transmission of payment card data

Phase 2: Compliance gap analysis
Here, our practitioners perform an analysis to identify the gaps between the controls mandated by the PCI DSS and those within the in-scope payment environment. The objective is to identify areas where controls are missing or not up to standard and to quantify these deficiencies within the broader context of risk to the organization. It is essential to focus on business process controls as well as technology controls and how they fit together within the payment processing environment.

Phase 3: PCI remediation planning
In planning PCI remediation, our practitioners can help your organization focus on the payment environment rather than on the entire company. For a large organization, this can substantially reduce the time, effort and cost required to achieve PCI DSS compliance.

Phase 4: Remediation
With a sound plan from PwC in place, your organization can begin tactical and strategic remediation. The details of PCI remediation projects will vary by organization, but in every case a program management office with support from executive leadership is a critical factor for success.

Phase 5: Operational compliance
PCI responsibilities do not cease once an organization becomes PCI compliant. Merchants are required to maintain their PCI compliance as a continuous state, rather than as a point-in-time status established when compliance validation and reporting occur on an annual basis.

Contact us to find out how we can help your company become PCI compliant.