MorganFranklin has extensive experience in supporting companies throughout the PCI DSS compliance process and is a PCI DSS Qualified Security Assessor (QSA). Based on experience with PCI DSS compliance audits and cybersecurity best practices, MorganFranklin has developed a five-phase strategy for helping companies achieve and maintain PCI DSS compliance with minimal disruption to the business and key personnel.
Phase 1: Scoping
MorganFranklin believes that scoping is the most important part of a PCI DSS compliance project. This phase includes two key steps:
- Performing a scoping assessment: The scoping assessment identifies which systems, networks and personnel store, process or transmit cardholder data, or are connected to or can affect the security of those systems, and are therefore part of the cardholder data environment (CDE) that is subject to PCI DSS requirements.
- Developing project standards: MorganFranklin will work with stakeholders to develop a project plan and identify required reporting templates for the PCI DSS compliance project.
Phase 2: Testing
Phase 1 identifies a company’s compliance requirements and the PCI DSS report(s) needed to demonstrate compliance. During Phase 2, MorganFranklin determines the company’s current compliance status by completing the following tasks:
- Perform a PCI DSS assessment: MorganFranklin’s QSAs will perform a full PCI DSS compliance audit to determine which required controls are in place and to identify any controls that are missing or deficient and must be remediated to meet PCI DSS requirements.
- Status reporting: Throughout the testing process, MorganFranklin will provide regular reports on the status of the assessment and the current findings to date.
Phase 3: Remediation
At the conclusion of the assessment, MorganFranklin will provide a complete listing of deficient controls that were identified during the assessment. During this phase, MorganFranklin will assist in addressing these issues via the following tasks:
- Remediating gaps: MorganFranklin will provide the client with subject matter expertise on how to close any compliance gaps identified during the testing phase.
- Policies and procedures: MorganFranklin will advise the company regarding any policies and procedures required by PCI DSS that are lacking and assist in developing and implementing the missing policies.
Phase 4: PCI Validation Reporting
After the company has addressed any lacking security controls and passes a PCI DSS evaluation, MorganFranklin will perform the following steps to assist with compliance reporting:
- Preparing validation documentation: Based on the compliance audit, MorganFranklin will generate the reports that the company requires to demonstrate PCI DSS compliance, including a Report on Compliance (ROC) with a complete listing of audit findings and any required Attestation of Compliance (AOC).
- Assisting with archiving artifacts: As a QSA, MorganFranklin is required to retain audit-related records for three years; these records are organized and stored on a secure extranet site.
Phase 5: Sustainment and Ongoing Compliance
Compliance is not a one-time activity but a continuous process. MorganFranklin provides the following services to support clients with maintaining ongoing PCI DSS compliance:
- Advisory services: MorganFranklin advisors will provide ongoing advisory services to ensure that the company understands how best to maintain PCI DSS compliance throughout the year.
- Compliance management: MorganFranklin will periodically review evidence to ensure that the company maintains compliance with applicable PCI DSS requirements.