Xcina Case Study

PCI Scope Redefinition and ROC Reporting for Global Services Organisation

Streamlined processes, simplified scope and easier PCI compliance.

The client

The UK operation of an international services organisation that provides home emergency insurance cover and repairs for heating, drainage, plumbing and electrics.

The work

We were engaged to review the scope of the client's payment services against PCI DSS. The client was changing its environment and wanted a Report on Compliance (ROC) prepared instead of a Self-Assessment Questionnaire (SAQ), to gain the added comfort of an independent assessment by a Qualified Security Assessor (QSA). The work was planned in two stages: a scoping exercise to determine the Cardholder Data Environment (CDE) for the new environment being implemented, followed by a formal assessment and the ROC report.

How we helped

Having reviewed the CDE we identified that its scope was broader than the client had understood, and we recommended accelerating planned outsourcing to third parties to reduce the number of touchpoints where card payments were processed. Outsourcing only takes a system out of scope where the third party's own PCI DSS compliance is validated and the split of responsibilities between the client and the provider is agreed and documented, so this was built into the plan. These changes were implemented in time for the annual assessment and enabled a compliant ROC to be prepared.

Value added

Our knowledge of PCI DSS, combined with options to reduce the scope of the CDE and to use third-party suppliers, allowed the client to streamline its processes, simplify its scope and reduce the effort of achieving and maintaining PCI compliance.

Industry and sector:

Services

What our clients say

"Xcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what we’re trying to do."

Getac Technology Corp, Legal Affairs Center

"Xcina Consulting performed an annual review of our card data environment, and ensured that we are compliant with the PCI-DSS. We continue to work with their experienced QSAs, leveraging their guidance and best practices so we have the highest possible level of security controls in place."

DKB Brands, Data Protection Officer

"Xcina really helped us to kick start our data protection compliance process. They took the time to speak to all departments of the business and outlined our highest risk to lowest risk areas. The insight and guidance they provided was essential for our business to become GDPR compliant."

Portman Settled Estates Limited, Estate Secretary

"Xcina’s ongoing support has ensured that our employees feel confident when dealing with data protection matters, with best practice knowledge and expertise from consultants who have taken the time to get to know our business and our industry."

National Bank of Kuwait, Compliance Officer

"Xcina worked with us on a number of data protection matters, including subject access requests and gave helpful, practical advice which reflected their understanding of technology issues as well as legal matters."

Your World Recruitment, Group IT Director

"We have worked with Xcina successfully for two years, initially on internal GDPR GAP analysis. We now have them engaged as our ‘Virtual DPO’ provider and regularly receive useful, pragmatic and, more importantly, actionable advice on all areas of Data Protection."

Quadrangle Research, Group Chief Operating Officer

We’d love to hear from you

We have a strong track record in providing risk advisory services with a focus on governance, regulatory compliance, conduct and culture, data protection, and third-party assurance. We help organisations successfully address governance, risk management and compliance challenges.

To discuss how the areas highlighted in this case study, or any other aspect of risk management, information governance or compliance impact your business, speak with our team, tell us what matters to you and find out how we can help you navigate complex issues to help you deliver long term value.

If you have any questions or comments, or if there’s anything you would like to see covered, please get in touch by emailing Xcina Consulting at info@xcinaconsulting.com. We’d love to hear from you.

Lindsey Domingo

Senior Director

Speak to me directly by Email, or
Telephone: +44 (0)203 745 7826
