The client
A UK-based travel company providing day trips around London and sightseeing tours to attractions in the South of England.
The work
The company had been accepting payment cards for bookings made over the internet and through an internal booking system. The internal booking system was used for telephone bookings and for bookings made via hotel concierges.
Following a security breach, the company had suffered the theft and subsequent fraudulent use of payment card data. The exposure was immediately mitigated; then, with the support of a PCI Qualified Security Assessor (QSA), the Cardholder Data Environment (CDE) was assessed against the Payment Card Industry Data Security Standard (PCI DSS) and compliance was formally demonstrated to the card payment brands.
How we helped
The firm processing the company’s card payments insisted that the company become PCI DSS compliant with the support of a QSA. The payment brand defined the company’s reporting level.
As a QSA company, we undertook a review of the CDE and identified options to reduce its scope, which in turn reduced the PCI DSS reporting overhead. We conducted a gap analysis against the PCI DSS requirements, oversaw the remedial activity and assessed the effectiveness and adequacy of the mitigating actions against the PCI DSS controls.
Throughout the process we maintained regular contact with the company’s card transaction processor to report progress and discuss matters arising. Once the remedial activity was satisfactorily completed, we provided the company with a final analysis report.
Value added
We provided the client with PCI DSS knowledge and support to assist them in recovering from a position of security breach to operating as a PCI DSS compliant company.