COMPLIANCE

Conducting a PCI DSS assessment is not only helpful, but it’s a compliance requirement for PCI DSS 3.2. According to the PCI Security Standards Council, PCI DSS 3.2 requires organizations to establish an annual process that identifies threats and vulnerabilities and results in a formal risk assessment. It will help your organization to identify what type of information is stored, how it is transmitted and accessed, and determine what risks pose possible threats to the information.

The Council states that “a risk assessment enables an organization to identify threats and the associated vulnerabilities which have the potential to negatively impact their business. Resources can then be effectively allocated to implement controls that reduce the likelihood and/or the potential impact of the threats being realized. Performing risk assessments at least annually allows organizations to keep up to date with business changes and provides a mechanism to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies.”

At STN, we can help you conduct a PCI DSS assessment and check off your PCI DSS requirements checklist, including completing PCI DSS Self-Assessment Questionnaires (SAQs), providing Approved Scanning Vendor (ASV) scanning, validations, and attestations of compliance, conducting Penetration Testing, conducting CDE Scoping, and preparing Reports on Compliance (ROCs).

A PCI DSS assessment is a good first step to take a pulse on your threats and vulnerabilities. The risk assessment enables you to identify hazards and risk factors that could cause harm, analyze and evaluate these hazards and determine the best course of action to mitigate the harms and risk. Among the factors considered are:

• Threats
• Vulnerabilities
• Likelihood
• Business impact
• Residual risk
• Effectiveness of controls protecting assets