Internal PCI DSS Reviews
Fulfill requirement 12.4.2 of the PCI DSS
Requirement 12.4.2 of the PCI DSS defines the obligation for service providers to conduct internal reviews at least quarterly. The purpose of the requirement is to support service providers in maintaining their PCI DSS compliance and to ensure that their employees adhere to relevant policies and processes. In addition, Internal PCI DSS Reviews are a solid preparation for upcoming PCI DSS audits.
Ahmad Najim Quarishi
Managing Consultant
"We know how challenging it can be to allocate the required resources for the quarterly internal reviews while maintaining the up-to-date expertise that is needed to do so. As an accredited Qualified Security Assessor Company, we are happy to assist you with your internal reviews and enable you to focus on your core business."
How do we conduct an internal PCI DSS review?
Kick-Off & Preparation
The preparation of each review takes place during a kick-off meeting by phone or web conference. We inform you about our procedure for the implementation and coordinate the framework conditions with you.
Optional: During the preparation process before the internal review for pre-validation, you will receive a checklist and a "Collect Script" from us to support you in providing the required evidence in a complete and structured manner.
Implementation
The reviews are conducted in the form of on-site workshops or telephone and web conferences by our Qualified Security Assessors. In the process, we check compliance with the following processes:
- Conducting daily log reviews and firewall rule-set reviews
- Applying configuration standards to new systems
- Responding to security alerts
- Adhering to change management processes
The validation of the processes takes place through interviews with your responsible employees, document analysis and examination of relevant IT systems.
Optional: Our Qualified Security Assessor helps you assess whether your scope of testing can be expanded to include additional processes that fall within the PCI DSS scope. In this case, the assessor will perform these additional audits on your premises.
Remediation
We document any deviations from the PCI DSS for you. Based on these recommendations, you undertake to remediate the identified vulnerabilities.
Optional: You receive a detailed catalog of measures and extensive documentation of all identified deviations in our Audit Connect tool, which is a platform we specifically developed for the management of consulting and certification projects.
Our Qualified Security Assessor is available to answer any questions you may have about the identified deviations and advise you on how to remedy them efficiently.
Re-Testing & Reporting
If required, we perform re-tests to confirm the effectiveness of any measures you have taken.
For each review, you will receive a final comprehensive report confirming compliance with PCI DSS Requirement 12.4.2. Using this report, you can then efficiently prove compliance with the requirement in the annual PCI DSS audit.
Your personal PCI Officer
Do you need an expert in charge of PCI in your company? As a Qualified Security Assessor Company, we will be happy to supply you with one of our experienced experts as your PCI Officer.
