PCI Scope Redefinition and ROC Reporting for Global Services Organisation
The UK operation of an international services organisation, that provides home emergency insurance cover and repairs covering heating, drainage, plumbing and electrics.
We were engaged to review the scope the client’s payment services against the PCI DSS Standard as the client was changing their environment and wanted to have a Report on Compliance (ROC)
prepared, instead of a Self-Assessment Questionnaire (SAQ ), to give them added comfort that they had been independently assessed by a Qualified Security Assessor (QSA).
The work was planned to undertake a scoping exercise to determine their Card Data Environment (CDE) for the new environment being implemented which would be followed by undertaking a formal assessment and ROC report.
How we helped
Having reviewed the CDE environment we identified that its scope was broader than the client had understood and we recommended accelerating planned outsourcing to third-parties to reduce the touchpoints where card payments were processed. These changes were
implemented in time for their annual assessment and enabled a compliant ROC to be prepared.
Our knowledge of the PCI DSS standard, combined with options to reduce the scope of the CDE, and use third-party suppliers to assist, allowed the client to streamline their processes, simplify their scope and ease the effort in achieving and maintaining PCI compliance.