PCI DSS: the shield to protect against bank data leaks
XMCO supports you in your PCI DSS certification project by providing you with a set of tools and advice.
1 – Context gathering
2 – Awareness
3 – Meeting
4 – Findings
The GRC team supports you in this challenge
The team monitors compliance actions on a daily basis and helps you draft the mandatory documents.
Daily monitoring of compliance actions
XMCO can intervene throughout the compliance process to:
• Track the progress of the remediation workstreams
• Answer structuring questions
• Explain certain requirements in plain terms
• Guide and validate technical and organizational changes
• Contact your bank to summarize the actions in progress
• Perform technical checks (PanBuster, configuration review, etc.)
Awareness and training of your teams
XMCO can also work with your teams to make them aware of the challenges of the PCI DSS standard and to train developers in secure development methods. This training aims to give you the keys to secure development practices that meet the 6.5.x requirements of the standard (XSS, SQL injection, error handling, etc.).
Internal and external penetration tests
XMCO offers to carry out the external and internal penetration tests required by the PCI DSS standard (11.3.x requirements). These tests are conducted in black-box and grey-box mode to simulate the different populations with access to the environment (unauthenticated attacker on the Internet, external client, internal employee, platform administrator).
The objective is to demonstrate the effectiveness of the isolation and filtering mechanism(s) put in place to separate the CDE (Cardholder Data Environment) equipment from other internal networks. We carry out these tests from different locations (outside the CDE, from the servers connected to the CDE, from the administrators' VLAN, etc.).
We offer assistance in drafting the expected documentation so that it can be presented during the certification audit.
We perform penetration tests and audits
External and internal technical audits
You will know which internal or external vulnerabilities and attack scenarios can put your customers' card data at risk.
These audits are also used to demonstrate the effectiveness of the isolation and filtering mechanisms put in place to separate the Cardholder Data Environment equipment from other internal networks.
Monitoring of tests by a QSA consultant
The GRC Team offers you relevant advice and opinions relating to the context of the audited scope.
On to the last step: certification
Interviews, configuration reviews and document analysis allow you to prepare as well as possible for the certification audit.
Once the points of non-compliance discovered during the pre-audit have been corrected, the QSAs carry out the audit against all the requirements of the standard: technical and physical security, organization/processes and documentation.
Writing official documents
Finally, the QSAs will write the official documents (SAQ, ROC, AOC) validating your certification!
Our team uses its own tools to best support our customers.
Audit of network flows
Workflow for monitoring actions and non-conformities
Finding Card Number Leaks
Audit of system configurations (Linux, Windows, etc.)
You are in good hands
XMCO certifies over 45 companies every year
“Security should not be a brake but a business accelerator.”
What made the difference compared to other PCI players was the understanding of our business and its challenges, but also the technical knowledge of XMCO consultants. We have been able to establish a relationship of trust and we benefit from a personalized approach and a strong reactivity on their part.
Head of Operational Security Team – Monext
“This certification is an important strategic asset by reassuring our customers.”
We are very satisfied with the support, the audit, the risk-oriented approach and the practical recommendations. In addition, we work in a secure way: their portal is a real gain in time and readability. The bonus is being able to work with a French market player!
IT Compliance Manager – CDiscount
“Being PCI DSS certified is inherent to our business model”
With XMCO we have constructive dialogues, feedback from competent consultants. All recommendations and justifications are relevant. It’s quite pleasant!
Security Engineer and PCI DSS Manager – PayPlug
“PCI DSS by design!”
We have chosen, from the outset, to be accompanied by XMCO on the PCI DSS, the level of service is excellent and we always have relevant explanations.
Franck Mechineau, CEO and Co-founder and Christophe LeCoq, CISO
“As early as 2007, we identified the strategic dimension of PCI DSS certification”
XMCO employees supported us in transforming this issue into a decisive competitive advantage at the global level. They accompany our teams to satisfy the high level of certification of the standard. Their global vision of the protection of sensitive data, combined with their technical mastery, have acted as a catalyst for the energy of all our employees.
French Key Account
Any questions?
What types of companies can you help?
Thanks to its expertise and pragmatic vision, XMCO has gained the trust of many players in all areas: Payment Service Providers (PSP), hosting and outsourcing providers, e-payment gateways, call centers, e-merchants, online gaming, retail, travel operators, SaaS software vendors and GDS.
Can you help me define my scope?
Of course. Through a preliminary analysis, we define the certification scope with you, and we do our best to reduce it as much as possible.
Can't find an answer? Make an appointment with an expert