COMPLIANCE SERVICES

Security Compliance Management Services are designed to help companies ensure they are compliant with the frameworks and/or regulations that apply to them, and in doing so to put sound internal security processes in place.

PCI-DSS Compliance

PCI-DSS Brief History:
The Payment Card Industry Data Security Standard (PCI-DSS) is the global standard for the security and protection of cardholder data. In the early 2000s, Visa, the leading brand in the industry, led the way in defining a Cardholder Information Security Program (CISP), which became a de facto standard for the other card brands.
By 2004, the major card brands had agreed on a common set of security requirements based on the Visa program. In 2006 they created the Payment Card Industry Security Standards Council (PCI SSC), an independent governing body comprising the five major card brands: Visa, MasterCard, American Express, Discover Financial Services, and JCB International. The Council issues and updates the PCI DSS and publishes the other standards associated with the payment card and payment acceptance industry.

Who must be compliant?
The major card brands require PCI DSS compliance from every business involved in the transmission, processing, or storage of payment card data, including merchants and the third-party service providers that can affect the security of that data.
Merchants - Any entity that accepts payment cards from any of the five PCI SSC members as payment for goods and/or services.
Merchants include traditional brick-and-mortar establishments, e-commerce vendors, and other services such as mobile payment systems, taxi cabs, hotels, flea market vendors, and corporate e-stores. In short, any organization that accepts payment cards is subject to PCI DSS. The number of merchants is staggering: the number accepting Visa alone is in the millions and growing every day. Merchant compliance is monitored by the merchant's acquiring bank.
Service Provider - A business entity that is not a payment brand but that is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.
These companies typically sit between merchants and banks, and may not even realize that they are part of the security of the cardholder data environment (CDE). Examples include companies providing "redirect" payment services, such as PayPal Pro and CyberSource.
Service provider compliance is monitored by the card brands, and these businesses must demonstrate compliance annually.

How to be compliant?
Large companies – both merchants and service providers – must validate compliance through an independent assessment performed either by a Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA). The assessor uses the Report on Compliance (ROC) Reporting Template to document and validate the assessment.
Every other company subject to PCI DSS (typically smaller merchants) is required to self-assess using the appropriate Self-Assessment Questionnaire (SAQ). Most companies that self-assess are left on their own to interpret the requirements and complete the questionnaire, with no guidance beyond the PCI DSS standard itself. As a result, an attitude can develop that treats PCI compliance as just another audit: once one assessment is complete, the same answers are reused for the next. That attitude reflects a wish to reduce the burden of PCI DSS compliance, but it misses the point. The overarching principle is that you have to secure your environment and your data, not fulfil PCI compliance with the minimum effort.

Qualified Assessors
The Council manages two programs that facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS external scanning requirement (Requirement 11) by performing quarterly vulnerability scans of the Internet-facing environments of merchants and service providers.
Additional details can be found on the PCI SSC website.

Self-Assessment Questionnaire
The Self-Assessment Questionnaire (SAQ) is a validation tool for eligible organizations that self-assess their PCI DSS compliance and are not required to submit a Report on Compliance (ROC). Different SAQs are available for different business environments (for example, whether card data is handled only through a redirect to a third party, or stored electronically on the merchant's own systems); more details can be found on the PCI Security Standards Council website.
An organization's acquiring financial institution or payment brand can also determine whether it should complete an SAQ, and which one.

GDPR

What is it?
The GDPR (General Data Protection Regulation) is a regulation through which the European Parliament, the Council of the European Union and the European Commission strengthen and unify data protection for all individuals within the European Union. The regulation was adopted on 27 April 2016 and applies, with full legal force, from 25 May 2018.
The GDPR specifies the roles, processes and technologies organizations must have in place to ensure that the personal data of individuals in the EU is secure, accessible, used appropriately and processed on a valid legal basis such as consent. Its articles and principles set out a number of obligations you may need to address, including:

  • Data protection by design and by default: Protect personal data against misuse at every stage of its lifecycle, and make the privacy-preserving setting the default
  • Data minimization: Collect and keep only as much personal data as the stated purpose requires, and no longer than necessary
  • Right to erasure ("right to be forgotten"): Delete all of an individual's personal data on request, unless another legal ground requires it to be retained
  • Data transfer and portability: Provide an individual's personal data in a structured, commonly used, machine-readable format and move it to another provider on request
  • Managing consent: Define the specific use cases when obtaining consent, retain proof of consent, and delete the data once the use case has ended or consent is withdrawn
  • Seventy-two (72) hour breach notification: Determine the extent of a breach, notify the supervisory authority within 72 hours of becoming aware of it, and notify the affected individuals without undue delay when the breach is likely to result in a high risk to them
  • Integrity and availability: Restore access to personal data quickly following an outage or failure
  • Accountability: Log and provide audit trails for all data consents, data subject requests and remedial actions

If you can't meet these requirements, you face stiff financial penalties (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher), damage to your reputation and the loss of customers.
The GDPR has far-reaching implications for organizations around the world, not just those in the European Union. Every organization that offers goods or services to individuals in the EU, or monitors their behaviour, is subject to the GDPR and must comply no matter where it is located. This includes companies in the post-Brexit United Kingdom, the United States, the United Arab Emirates, and elsewhere.
Hacktive Security can help your organization in achieving GDPR compliance, supporting you at each step of the implementation process.

Enterprise Risk Management

Organizations today face an increasingly complex set of risks. As a result, key internal and external stakeholders have raised their expectations of risk management, prompting significant questions about which risks the organization carries and how they are addressed. Enterprise Risk Management (ERM) provides a framework for understanding and responding to business uncertainties and opportunities, delivering relevant risk insight through common, integrated disciplines for risk identification, analysis and management. ERM enhances organizational resilience by improving decision making, strengthening governance and supporting the development and spread of a risk-intelligent culture. Relying on our experience in risk evaluation, assessment and management, you can:

  • Identify and assess the risks connected to the achievement of your business objectives
  • Assess the efficiency and effectiveness of your current risk responses against strategic, operational, financial and compliance risks
  • Reduce the cost and improve the effectiveness of governance, risk and compliance activities
  • Evaluate the effectiveness of your risk culture
  • Align risk strategy with performance
  • Support the development of risk transfer strategies
  • Assess, design or implement enterprise risk management capabilities