
PCI DSS

PCI DSS is a set of requirements for payment account data security and is vital if you handle any sort of payment card data within your company in Hong Kong. It's important to note that changes have recently been made to PCI DSS, so you should re-evaluate your current processes to ensure you're still a PCI DSS compliant vendor. Our blog below can help you understand more about the changes. If you have any questions or are interested in PCI DSS security services, then contact us today.

Our range of experience, accreditations and customer testimonials demonstrate why we stand out from the crowd. LRQA Nettitude is one of the most experienced organisations in the world for PCI compliance consulting, auditing and pragmatic security solutions. We are an Approved Scanning Vendor (ASV) recognised by the PCI Security Standards Council, and we perform the quarterly external vulnerability scans that PCI DSS requires, so that organisations in Hong Kong can demonstrate that their internet-facing systems pass ASV scanning as one part of their compliance.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an internationally recognised information security standard designed specifically to apply to organisations that handle credit card data.

  • The PCI DSS was created with one simple goal: to ensure that businesses can process credit and debit card payments securely, protecting businesses and consumers and reducing the likelihood of card fraud.
  • PCI QSAs (Qualified Security Assessors) are individuals who are certified to assess merchants and service providers against the standard and provide a formal report on compliance (ROC).


Who Should Comply With PCI DSS?

Any organisation that stores, processes or transmits cardholder data must comply with PCI DSS. Merchants are usually businesses taking payment for goods or services they sell, such as a retailer or call centre.

Depending on how a merchant processes card payments, and how many transactions they process per year, requirements for demonstrating compliance with PCI DSS will vary.

PCI DSS can also apply to organisations that provide services to Hong Kong companies that handle credit card data, such as data centres and managed service providers.

This is true even if the service provider itself does not process card payments or have access to cardholder data, provided its services could affect the security of that data. As well as supporting their own customers' PCI DSS compliance, companies that are service providers or vendors can differentiate themselves from their competition in Hong Kong by becoming compliant with PCI DSS.


Why is PCI Compliance Important?

According to UK Finance, an organisation that represents more than 250 firms across the industry, 56% of all financial fraud in 2018 related to payment card fraud, with losses totalling over £670 million in the UK alone. Complying with the PCI DSS allows your organisation to demonstrate your commitment to maintaining a secure environment to your bank and your customers.

Your organisation can reduce the risk of a breach of credit card data by:

  • Implementing PCI DSS controls appropriate to how you store, process, and transmit cardholder data.
  • Engaging a QSA to independently validate your compliance.
  • Maintaining PCI DSS requirements as "business as usual".

What Are The Penalties For Non-compliance With The PCI DSS?

Any organisation that handles credit card data but fails to comply with PCI DSS is at risk of a number of financial and reputational consequences.

  • Non-compliance fees: a regular fine from your acquiring bank for failing to be compliant.
  • Reputational damage in the event of a breach.
  • Inability to process payments.
  • GDPR and DPA related fines in the event of a breach.
  • Fines from your bank in the event of a breach.

To help reduce risk and avoid penalties as a result of a breach or non-compliance, organisations must understand how they store, process, and transmit credit card data, and ensure that all applicable requirements of PCI DSS are in place.

PCI DSS Requirements

The PCI DSS requirements are divided into 12 sections, each containing a series of specific requirements. In total there are over 300 individual requirements, and depending on how you process card payments, some or all of these will apply to your organisation.


Control objectives and requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Programme
  5. Protect all systems against malware and regularly update anti-virus software or programmes
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

The Challenge Of PCI DSS Compliance

PCI DSS can be seen as complex and overwhelming, and just another compliance regime that must be followed, but that's not how we view it here at LRQA Nettitude. Many merchants view PCI DSS compliance as burdensome and convoluted, and struggle to interpret the 300+ requirements and understand how they must be implemented. The world of PCI DSS is full of acronyms, opinions and myths, and getting a straight answer to a simple question often feels like an uphill struggle.

The Solution

LRQA Nettitude does not just want to be your QSA, we want to be your PCI DSS partner. We want to create security solutions for you so you can serve your customers better. We take a refreshing approach to PCI DSS compliance, going beyond simply auditing your organisation. We're consultants, we hate complexity, and we strive to simplify and deliver pragmatic solutions. What does this mean? It means an LRQA Nettitude consultant will work with you to understand your organisation, focusing on why you take payments in the first place, and ensuring your PCI DSS strategy supports the business.

Weā€™ll take you on a journey to become compliant, and can support you at every step along the way, starting with a gap analysis to understand your current position and scope. LRQA Nettitude is also an approved PCI DSS scanning vendor in Hong Kong and we have successfully met all PCI Security Standards Council requirements in order to perform data security scanning.

We have more than 10 years' experience of helping our customers reduce their PCI DSS scope and simplify what remains, and because we don't take a yes/no "tick box" approach to compliance, we'll help find the right solution for your organisation.

Frequently Asked Questions About PCI DSS

How can a company become PCI DSS compliant?

The ultimate aim is, of course, to become compliant and be able to report your compliance status, but how? It's easiest to think about the how and the what as two independent factors. Requirements for demonstrating compliance with PCI DSS vary depending on how you process card payments and how many transactions are processed per year. Your transaction volume determines how you report your status, and the methods used for processing payments define what you need to comply with in the first place.

What: The PCI DSS has 300+ requirements, but the good news is that they might not all apply to your organisation. In fact, part of the scope reduction process that LRQA Nettitude can take you through is to minimise the number of requirements that are applicable to you. An LRQA Nettitude QSA will help you to determine what your scope is and which requirements are applicable, and we're happy to help you discuss this with your acquiring bank.

How: There are three main ways of demonstrating your compliance with PCI DSS.

Option 1: On-site assessment and report on compliance (ROC)
What you get
  • On-site QSA assessment
  • Detailed report on compliance
  • Attestation of compliance
Why this approach?
  • Mandated by your bank if processing >6 million transactions
  • Experienced a breach
  • Requested by bank
  • Service provider demonstrating compliance to their clients
  • High level of independent assurance

Option 2: Validated self-assessment
What you get
  • On-site QSA review
  • Self-assessment questionnaire (SAQ) and attestation of compliance counter-signed by a QSA
Why this approach?
  • Full assessment not mandated by a bank if processing <6 million transactions
  • Moderate level of independent assurance

Option 3: Self-assessment
What you get
  • No QSA sign-off
  • Organisation completes self-assessment questionnaire (SAQ) and attestation of compliance
Why this approach?
  • Low transaction volume
  • No independent assurance

The options above provide a brief overview of how an organisation can demonstrate its compliance with PCI DSS. Your QSA can help you to determine what your mandated reporting requirements are, but it is important to note that any organisation can opt to complete an on-site assessment regardless of its transaction volume.

When: Compliance with PCI DSS is not a new requirement, and so if your organisation processes credit card transactions then you need to be compliant right now. In reality, the push for achieving compliance is often triggered by a request from an acquiring bank (for a merchant), or a customer (for a service provider). Banks will often set deadlines, which you should discuss with your QSA during the gap analysis process.

When a ROC or SAQ is completed, whether by a QSA or as a self-assessment, it is valid for one year. The assessment must be repeated before the expiry date to ensure there's no lapse in compliance. Maintaining compliance between the two assessments is crucial, and LRQA Nettitude offers a business as usual support package to assist with this. If a significant change occurs at any point between assessments, it may also be necessary to assess immediately, even if the full year has not passed. Again, an LRQA Nettitude QSA can help you determine if a change is likely to require this.

What are the things to look out for when finding a PCI DSS compliance partner?

The challenges faced during a PCI DSS audit can be nothing short of overwhelming. With so many potential pitfalls, choosing the right partner from among the many PCI DSS service providers is crucial, both to ensure compliance with the PCI DSS and to avoid delays in winning and onboarding customers. In addition to providing the assessment itself, the right PCI partner is able to show you how you can be compliant and help you better design your cardholder data environment, effectively helping you to both comply and compete. The ideal PCI partner will display substantial experience, business insight and technical security know-how, backed by an excellent reputation and a tangible certification by way of proof.

LRQA Nettitude has been a registered QSA company for over 10 years. Our QSAs (Qualified Security Assessors, responsible for assessing your compliance) have extensive experience working with clients across many sectors, from retail to construction, and from finance to transportation.

Our team of QSAs are so much more than just auditors and provide cybersecurity consultancy to our customers across a number of disciplines including PCI DSS. We have a rich technical background, and so can help your organisation bridge the gap between technology, business, and compliance. We have a reputation with our clients in Hong Kong for taking a pragmatic and realistic approach to PCI DSS, and our history of delivering PCI DSS assessments for some of the UK's largest retailers and service providers means we have likely faced many of the challenges your organisation must overcome before.

Our team of QSAs can help you with every step of the journey, including:

  • Conducting a PCI DSS Gap Analysis
  • PCI DSS Workshops & Support
  • Reviewing and creating PCI DSS Policies & Procedures
  • Completing your PCI DSS ASV Services
  • Conducting PCI DSS Assessments/Audits
  • Helping support your ongoing PCI DSS Maintenance

My organisation is already PCI DSS compliant, whatā€™s next?

If your organisation is, or has previously been, compliant with PCI DSS then we can still help you. As well as helping our clients achieve their initial compliance, we offer ongoing business as usual support. Organisations invest significant time, effort and money into achieving compliance, and maintaining a close relationship with a QSA partner helps to protect that investment.

If you're thinking about partnering with a new QSA company for your next assessment, get in touch, and someone from our team can discuss in more detail how we can help.

Frequently Asked Questions about Data Privacy Security

What is an incident response policy?

An incident response plan or policy is a process you create before you experience a cyberattack, so that your team has a procedure to follow when you do experience a data breach. LRQA Nettitude follows the CREST Cyber Security Incident Response process, which is broken down into three phases: preparation, response and follow-up. Having a breach plan gives you the confidence to quickly contain any threat to your data privacy and security.

Why is data privacy security important?

Although it has always been important, the need for stronger security is more pressing now that technology is indispensable to everyday life. Using apps, browsing websites and shopping online are all examples of how your data is stored and managed online. For organisations today, the threat of cyber theft is a pertinent one. Having comprehensive data privacy plans in place can reduce and mitigate the risks of such events.

Does LRQA Nettitude practice sustainability?

As a company with a global footprint, sustainability is an area of importance to us. We are a registered 'Investor in People' organisation. Taking a cue from ISO 14001, we have strong sustainability practices put in place. Our organisation also hires fairly and equally, across gender and race. By working with us, you can rest assured that we implement data privacy security measures with ethics at the core of our mission.
