The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard mandated by payment brands (including Visa, MasterCard and American Express) to ensure merchants and service providers protect cardholder data. All systems that process, store and transmit cardholder data or sensitive authentication data are considered in scope of the standard.
Orthus are entirely product independent and as such are focused on providing innovative and effective controls, and compensating controls, rather than driving clients towards point product solutions. Orthus approach every PCI engagement with the goal of assisting organisations in achieving compliance quickly and cost effectively, with minimal impact to business processes and system or network architecture.
Orthus provide a range of services that address the complete PCI DSS compliance lifecycle, from initial risk assessment and gap analysis through to certification. An important attribute of all services is the promotion of knowledge transfer to in-house staff responsible for meeting PCI requirements.
Annual re-assessment services are designed to ensure that PCI compliance is maintained, given the dynamic nature of the applications and infrastructure involved in handling cardholder information as well as updates to the standard itself.
Gap Analysis
An initial assessment by Orthus' qualified individuals identifies compliance gaps in order to establish priorities for remediation. A typical assessment includes:
- An on-site review of infrastructure, applications, policy, processes and procedures to determine both system components within scope and non-compliant areas.
- Vulnerability scanning and penetration testing of systems in scope.
- A formal detailed prioritised remediation roadmap.
Beyond the Gap Analysis
Based on the Risk Assessment and Gap Analysis, Orthus can assist with all aspects of remediation activity, providing resource if needed to complement the skills, experience and capacity of in-house teams.
Once remediation is complete, an in-depth Pre-Certification Audit may be carried out prior to the formal certification audit by a PCI SSC accredited QSA.