Menu Close

Case Study

PCI Scope Redefinition and ROC Reporting for Global Services Organisation

Service:

Payment Card Services

Sector:

Services

The client

The UK operation of an international services organisation, that provides home emergency insurance cover and repairs covering heating, drainage, plumbing and electrics.

The work

We were engaged to review the scope Ā the clientā€™s payment services against the PCI DSS Standard as the client was changing their environment and wanted to have a Report on Compliance (ROC)
prepared, instead of a Self-Assessment Questionnaire (SAQ ), to give them added comfort that they had been independently assessed by a Qualified Security Assessor (QSA).

The work was planned to undertake a scoping exercise to determine their Card Data Environment (CDE) for the new environment being implemented which would be followed by undertaking a formal assessment and ROC report.

How we helped

Having reviewed the CDE environment we identified that its scope was broader than the client had understood and we recommended accelerating planned outsourcing to third-parties to reduce the touchpoints where card payments were processed. These changes were
implemented in time for their annual assessment and enabled a compliant ROC to be prepared.

Value added

Our knowledge of the PCI DSS standard, combined with options to reduce the scope of the CDE, and use third-party suppliers to assist, allowed the client to streamline their processes, simplify their scope and ease the effort in achieving and maintaining PCI compliance.

Customer reviews

What our clients say

"Xcina have helped us navigate the complicated world of data protection and their vDPO service has been great for a business like ours, which is too small to have our own internal full time resource but requires a high level of corporate and technical expertise when needed."
Quadrangle Research Group
Quadrangle Research GroupChief Operating Officer
ā€œWe have worked with with Xcina successfully for two years, initially on internal GDPR GAP analysis. We now have them engaged as our 'Virtual DPO' provider and regularly receive useful, pragmatic and, more importantly, actionable advice on all areas of Data Protection.ā€
Your World Recruitment
Your World RecruitmentGroup IT Director
ā€œXcina worked with us on a number of data protection matters, including subject access requests and gave helpful, practical advice which reflected their understanding of technology issues as well as legal matters.ā€
National Bank of Kuwait
National Bank of KuwaitCompliance Officer
"Xcinaā€™s ongoing support has ensured that our employees feel confident when dealing with data protection matters, with best practice knowledge and expertise from consultants who have taken the time to get to know our business and our industry."
Portman Settled Estates Limited
Portman Settled Estates LimitedEstate Secretary
ā€œXcina really helped us to kick start our data protection compliance process. They took the time to speak to all departments of the business and outlined our highest risk to lowest risk areas. The insight and guidance they provided was essential for our business to become GDPR compliant.ā€
DKB Brands
DKB BrandsData Protection Officer
"Xcina Consulting performed an annual review of our card data environment, and ensured that we are compliant with the PCI-DSS. We continue to work with their experienced QSAs, leveraging their guidance and best practices so we have the highest possible level of security controls in place.ā€
ParkMobile
ParkMobileUK Managing Director
ā€œXcina is always responsive to any question we have during the time we are implementing data protection remediation activities, they keep us informed and understand what we need and what weā€™re trying to do.ā€
Getac Technology Corp
Getac Technology CorpLegal Affairs Center

Get in touch

If you would like to talk about your risk management requirements, submit your details and one of our consultants will be in touch.