All companies that store, process or transmit cardholder data are required by the card brands (Visa, MasterCard, American Express, Diners Club, Discover and JCB) to comply with PCI DSS, the standard issued by the PCI Security Standards Council. Merchants are required either to self-assess or to engage a Qualified Security Assessor (QSA) to demonstrate their compliance to their acquiring bank.

Service providers who process cards on behalf of merchants are also required to use the services of a QSA.

Banks that are licensed to issue cards and acquire card transactions also have to be compliant, but are not required to demonstrate that compliance to any other organisation. The reason for this is that banks play a pivotal role in the financial world and, because of the nature of their acquiring and issuing activities, do not always meet all the criteria of the PCI standard as written.

The challenge:

A large UK bank wanted to understand its PCI obligations and its potential issues from a risk perspective. Engaging a QSA was impractical, because QSAs are constrained by the PCI process to produce fixed-format reports against the standard. What was needed was a carefully considered scoping activity, followed by a report that distinguished between the risk of non-compliance with the standard as written and the actual security risk, given the controls in place to protect the bank's activities.

The solution:

Barclay Simpson Solutions deployed a team of ex-QSAs and security experts with experience in banking and financial organisations to scope and investigate the bank's activities in both the issuing and acquiring space. This was done over several phases, with interim reports delivered at the end of each phase so that the bank could see the progress being made and learn about the types of issues being found. This latter activity allowed the process to be adjusted as the phases progressed, with more bank activities and teams being brought into scope.

The phase reports identified:

  1. The personnel and departments involved in card issuing and acquiring
  2. The card data flows and interactions within the organisation
  3. The PCI criteria applicable to the bank's activities and, drawing on the earlier steps, the overall scope of the assessment

The outcome:

With this phased approach, Barclay Simpson Solutions delivered to the bank a workable final report that gave them a clear distinction between gaps against the PCI standard and actual security issues that needed their attention.

The bank did not need to spend resources on activities that would satisfy the PCI standard but do little to enhance its security posture. Instead, resources could be focused on real security improvements.

The end result? The bank now fully understands the difference between security activities that enhance its security posture and activities that only result in a tick in the box for the compliance standard.

Empower change through Barclay Simpson Solutions’ bespoke delivery model

Your vision for change and improvement shouldn’t be compromised by blueprint consultancy delivery models. Barclay Simpson Solutions creates bespoke, tailor-made and adaptable solutions to suit the individual needs of your organisation and your project. Get in touch today to discuss your needs:

Tel: 020 7936 8999
