ZenGRC

Simply Powerful GRC

Retail

What the Retail Industry Should Know About PCI Compliance

· ·

To grow your retail business, you need a product – and just as important, an easy way for customers to pay for your product.

And as ever more people use credit cards rather than cash, and more people shop online rather than in stores, that means retailers must implement payment processing solutions that make electronic transactions easier for the customer to execute.

It also means, however, that retailers must educate themselves on Payment Card Industry Data Security Standard (PCI DSS) compliance.

What are the Types of PCI Compliance Standards?

As identity theft threats rose in the early 2000s, the five major credit card companies (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) banded together to create the Payment Card Industry Security Standards Council (PCI SSC).

The organization then created a set of information security standards governing how to process electronic payments – including how retailers should protect customers’ credit card data, as well as the retailers’ own systems.

The result was a PCI compliance guide of “best practices” for retail service providers to protect point-of-sale (POS) information and prevent data breaches.

Those PCI standards aren’t a one-size-fits-all set of requirements that apply to all retailers equally. So as a first step to comply with PCI standards, it’s essential to understand which type of PCI standard category your business falls into. Then you can move forward more easily with understanding your regulatory and compliance requirements.

The types of PCI standards are as follows:

  • PCI DSS (Data Security Standard): PCI DSS is the overall standard that a company must meet to call itself “PCI compliant.” PCI DSS assesses the retailer or organization’s policies, procedures, controls, and software.
  • PED (PIN Entry Device) standards: The PCI PED standards apply to companies that manufacture payment devices that accept PINs and sensitive credit card information.
  • PA-DSS (Payment Application Data Security Standard): The PA-DSS focuses on the storage and privacy of cardholder data. This standard ensures that the payment processor complies with PCI DSS.

Your Options for Achieving Retail PCI Compliance

The good thing about PCI DSS is that it takes company size into consideration. Using transaction volume over a 12-month period, PCI DSS requirements are split into four different levels to help ease some of the burdens on small businesses with lesser requirements for business needs.

PCI levels of compliance are defined as:

  • Level 1: Any merchant processing more than 6 million transactions of any type per year. Credit card companies also warn that if they believe a merchant poses a large risk, they may decide to classify that company as Level 1.
  • Level 2: Any merchant processing 1 million to 6 million transactions of any type per year.
  • Level 3: Any merchant processing 20,000 to 1 million e-commerce transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 e-commerce transactions per year, or any merchant processing up to 1 million transactions per year of any type.

For most retailers, the important thing to keep in mind is that online retailers may be in a different tier from brick and mortar retailers, based on the above definitions.

To demonstrate PCI compliance, Level 1 businesses will need an on-site audit by a Qualified Security Assessor (QSA) or an Internal Security Assessor. If you pass the audit, the assessor will file a Report on Compliance (ROC) with your acquiring bank.

Mid-size and smaller enterprises (Levels 2, 3, and 4) may be able to forgo the audit, and instead complete a self-assessment questionnaire (SAQ) and file an Attestation of Compliance (AOC).

How a Retailer Becomes PCI Compliant

1. Determine your risks

Scrutinize all the PCI requirements and directives, and determine which pertain to your enterprise.

Doing this will take some time, but will pay off in the long run by saving you and your Qualified Security Assessor (QSA) or Internal Security Assessor work come audit time, or as you’re completing your self-assessment questionnaire (SAQ).

You can find these questionnaires on the PCI Security Standards Council website.

Requirements address the security of your customer data environment (CDE) from end to end. They cover access control, your information security policy and parameters, maintaining a secure network, your vulnerability management program, and more.

2. Create a mitigation plan to address each risk

Examine each item on your list of relevant directives and ask, “How well does my organization comply?”

Create a secure system for data protection, financial data, and sensitive information, especially for e-commerce transactions.

If your company collects debit cards or credit card information like MasterCard, Visa, American Express, or Discover, you need a highly secure system. The PCI Security Standards Council dictates retail transactions for retailers.

Not only do you need a secure system; you also need mechanisms that protect the perimeters of your payment processing system.

Make sure to install and maintain a firewall configuration to protect cardholder data and create secure strong passwords with a security system for only authorized users. Any card transactions need to withstand PCI DSS requirements.

3. Test your controls

Your security controls then need validation. You must ensure that each of your remediation controls adequately mitigates each associated risk.

Furthermore, testing should be routine and done on an ongoing basis to ensure that controls are still doing their job and to make updates as needed.

4. Document your risk assessment, control plans, and testing results

Having documentation of your compliance efforts will save your auditor time and work, and save your enterprise money.

What Are The Penalties for Non-Compliance?

If you find yourself asking, “Do I need to be PCI compliant?” – the short answer is that regardless of your size or industry, any organization that accepts, transmits, or stores cardholder data must maintain PCI compliance.

Since PCI DSS is considered a “standard” rather than a regulation, many merchants incorrectly assume compliance is optional. While noncompliance may not lead to jail time, it does come with consequences that could lead to unnecessary expense or even business failure.

Some of the penalties include fines (potentially quite onerous), extra remediation costs, or even losing access to the credit card payment system. Businesses that aren’t PCI-compliant may be vulnerable to legal implications as well – say, other regulators imposing sanctions because your non-compliance caused a privacy breach; or consumers themselves filing litigation against your business.

Card brands and acquiring banks can, at their discretion, fine non-compliant merchants anywhere from $5,000 to $100,000 per month for a violation. For a small retailer, these fines can end business operations. While large organizations can handle the fees, their bottom lines still suffer.

How ZenGRC can ease the burden of PCI DSS compliance for retailers

People typically associate governance, risk, and compliance (GRC) programs with an organization’s cybersecurity. The retail industry, however, is particularly obliged to meet PCI compliance standards.

The need for reliable GRC software is crucial to protecting your bottom line, your business integrity, and most importantly, the privacy and confidentiality of your customers who trust your business to protect against security breaches.

With ZenGRC, organizations can rapidly deploy a governance system that provides easy-to-read insights. For example, our PCI DSS compliance dashboard allows organizations to review control health at a glance, while also listing critical issues facing the organization.

ZenGRC’s ongoing monitoring abilities provide updated, in-the-moment insights enabling organizations to continually respond to changing threats and vulnerabilities in a continuously evolving threat environment.

Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to help enable better cross-enterprise outcomes.

With ZenGRC, you can stay compliant with retail PCI requirements with complete views of control environments, easy access to sensitive information, keep with PCI SSC regulations, and continual compliance for the benefit of your retail business and your customers.

To learn more about how ZenGRC can assist your business’ PCI requirements contact us for your free consultation and demo.

PCI Penetration Testing: Understanding the Objectives, Components, & Methodology

· ·

Organizations that process credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data—and while PCI DSS requirements include many prescriptive elements, one that often confounds businesses is penetration testing. To achieve PCI DSS compliance, businesses have to find penetration testing methods that prove the organization’s security controls protect the cardholder data environment.

What Is PCI Penetration Testing?

A penetration test (commonly known as a “pen test”) is an exercise where a security professional attempts to exploit vulnerabilities and gain unauthorized access to your critical systems. These contractors are also known as “ethical hackers,” since they use techniques similar to real phishing schemes or cyber-attacks. The only difference is they are acting with your permission, to discover areas in your network where information security should be tightened. 

Three types of pen testing exist for PCI DSS:

  • Black-box assessments, where the client company provides no information to the tester before the pen test starts;
  • White-box assessments, where the client provides network and application details to the pen tester; and 
  • Grey-box assessments, which provide some information about target security systems, but not all.

White-box or grey-box assessments offer organizations better insight into their environments. That preliminary information the client company provides also streamlines the testing process, which means less cost and fewer demands on resources and time.

How Do I Pass a PCI Compliance Scan?

The Payment Card Industry Security Standards Council (PCI SSC) was created by the major credit card service providers to establish security standards (that is, PCI DSS) for all companies that process credit card information. The standards stress the need for frequent compliance scans to identify and remedy any potential vulnerabilities.

Depending on a company’s merchant level, however, it might not need a penetration test to be compliant. Some categories of self-assessment questionnaire (SAQ) don’t require a pen test, so be sure to understand which PCI security standards apply to your business before you begin your risk assessment.

The official requirement for organizations that do need penetration testing is a passing scan every 90 days. A business must also submit to additional testing if there are any changes to its cardholder data environment (CDE). Passing these scans indicates that your IT controls work and that the security protections you have in place satisfy the standards required of your particular organization.

If a company doesn’t pass its pen testing, the business must correct the failure as quickly as possible and run another scan to prove compliance.

Non-compliance with PCI DSS can carry serious consequences, including the loss of your credit card processing privileges. So it’s critical that you resolve any security issues a pen test might uncover. Passing a penetration test means the tester was unable to exploit any aspects of your system.

How Do a Penetration Test and a Vulnerability Scan Differ?

Vulnerability scans are meant to identify, rank, and report security vulnerabilities that can compromise a system. Traditionally, organizations must engage in vulnerability scans every quarter or after making significant changes to the data environment. Most often, vulnerability scans use automated tools followed up with manual verification of issues.

Penetration testing, however, purposefully seeks to exploit vulnerabilities in security controls by seeking out gaps in security features. Pen testing is an active process of trying to break a system, while vulnerability scanning passively reviews a landscape for potential problems. The manual nature of pen testing takes more time, provides a more comprehensive resource, and therefore, only needs to occur annually rather than quarterly.

Penetration testing’s depth and cost also mean that organizations must limit the time spent on the task while meeting PCI DSS requirements. Meanwhile, vulnerability scanning limits a company’s insights to the point in time during which the scan was run.

What Are the Qualifications of a Good Penetration Tester?

According to PCI guidance, pen tests can be run by either a qualified internal assessor or an outside contractor. Some certifications for pen testers do exist; examples include the CEH (Certified Ethical Hacker) or the OSCP (Offensive Security Certified Professional). Beyond these certifications, the PCI DSS also offers a list of penetration testing requirements and necessary qualifications for penetration testers.

When hiring a penetration tester, ask for examples of their previous work. You will want someone who has experience testing your particular industry and software. Discuss what parts of your environment should be tested, and what your tester should do if a vulnerability is found. You’ll also want your tester to be in touch with you regularly throughout the process.

Finally, you’ll want to make sure that security testing will not interrupt your organization’s day-to-day operations. Make sure that the tester’s efforts will not cause any damage to your system components or inconvenience your customers.

ZenGRC’s monitoring abilities provide updated, in-the-moment insights that let an organization respond to changing threats and vulnerabilities in a constantly evolving threat environment. Moreover, organizations can store their penetration test and audit findings on the ZenGRC platform to drive better cross-enterprise outcomes.

For more information about how ZenGRC can help ease the pain of PCI DSS penetration testing, schedule a demo today.

Inherent Risk in the Retail Industry: What You Should Know

· ·

The retail industry is undergoing an incredible transformation as emerging technologies, omnichannel shopping, as well as digital and social media, compel organizations to figure out how to operate more efficiently and better accommodate customers. 

Leaders of companies in the retail industry understand the importance of the digital forces at work in the sector and are looking more closely at the inherent risks these digital forces present. 

Every business comes with inherent risks, and running an e-commerce website or retail store isn’t any different. As more consumers shop online, e-commerce crimes are increasing and retailers are becoming more vulnerable.

Consequently, as organizations in the retail industry develop innovative ways to meet consumer demand, they also have to find better approaches for managing this inherent risk.

The following are just some of the inherent risks that affect companies in the retail industry:

Cybercrimes

Digital cybercriminals can target companies in the retail industry in several ways. For example, a hacker could launch a sophisticated phishing scam and convince your unwitting customers and/or employees to give up personal information, such as their credit card data. 

A distributed denial of service attack can take down your company’s servers, preventing customers from purchasing products. Cyber thieves can also target brick-and-mortar retailers by hacking into their point-of-sale (POS) systems. Hackers can also infect a retailer’s systems with ransomware and malware.

Companies in the retail industry can manage these inherent risks by replacing legacy POS equipment and having a cybersecurity specialist audit their systems and software.

Reputation Risk Factors

Organizations in the retail industry are impacted by direct contact with consumers. The fact is that with the growth of social media, companies no longer control their own messaging. 

Just one negative Facebook post, blog entry, tweet, or YouTube video can spell disaster for your company. Considering a large number of customer touchpoints, the chances that your brand’s reputation—and your revenue—will be negatively affected is pretty high.

To ensure your customers are happy, you should conduct consumer satisfaction surveys periodically to identify customer needs and expectations. You can also implement a customer relationship management system to deal with any complaints and reply to any questions. It’s also important to establish a policy to deal with social media so you can quickly respond to customers who leave negative comments about your company or products.

Not complying with laws and industry regulations

Companies that don’t adhere to government regulations as well as maintain the validity of their agreements and licenses, such as lease agreements, business licenses, advertising licenses, etc., may go out of business, suffer financial losses, or pay penalties. All of which could ruin a company’s reputation.

As such, you should ensure that your company:

  • Adopts procedures to identify and comply with any changes in government and/or industry regulations.
  • Implement processes to follow up on the terms of agreements and licenses.
  • Establishes a time period to begin the action that’s necessary to renew agreements and licenses before they expire.

Supply chain risks

Over the last decade, supply chain risk management has emerged as a challenge for companies in the retail industry. Customers want to receive their products whenever and wherever they want them. So to meet customer demand and remain competitive, you have to transform your supply chain or risk losing out to your rivals. 

Consequently, it’s imperative that you implement digitally enabled supply networks to enable cross-channel shopping with multiple delivery options and an easy return process. In addition, you have to assure customers that you have their items in stock and can deliver them when you say you will, as well as offer them a way to communicate with you in real-time.

Establishing a Digital Risk Framework

All your sensitive corporate data, automation, connectivity—all things digital—are inherently at risk because they are entry points for hackers. And the potential damage from just one cybersecurity incident is amplified because your digital systems are so embedded in your daily operations.

Companies in the retail industry that properly manage inherent risks become more competitive. Senior management should look to risk management to help them make better decisions about the company’s investments and its sustainability.

Digital risk management comprises numerous layers of risk defense, each linked via specific roles and responsibilities. However, it’s senior management who is responsible for setting the vision and assigning and coordinating these lines of defense. This helps them identify and correct redundancies in their organization’s risk management structure and prioritize how to control risks. 

Generally, your business units should be the first line of defense in terms of dealing with digital inherent risk. They should work with your information technology department to incorporate risk-informed decision-making into your company’s daily operations.

In addition, they should figure out the level of risk they’re willing to accept, mitigate risks as appropriate, and escalate problems when the risks are more than the company is able to tolerate.

The second line of defense is the risk management function that establishes governance and oversight procedures, sets risk baselines, and implements risk management tools and processes.

The audit function is the third line of defense. Your internal auditors verify how effective your digital risk management process is and assures leadership and the board of directors that this process is working properly. 

Additionally, your internal auditors let your company’s executives know if they have to make any improvements in the risk management process that can help the company to achieve its objectives. 

Developing a digital risk management framework also helps your auditors evaluate the established controls you have in place to adequately address such risks.

Typically, an organization maintains multiple digital assets across a number of digital channels. The organization owns and controls some of these digital channels, including mobile apps, e-commerce websites, and IT infrastructure. Others are outside of the company’s direct control, such as what people say about the organization or its digital assets in the digital space.

Implementing a digital risk management framework can help companies in the retail industry expose potential risks. Doing this allows you to establish controls and repeatable processes as well as streamline your responses to these risks. A digital risk framework enables management to begin evaluating how well your company can sense and respond to digital risk.

This ongoing “sense and respond” approach to digital risk management crosses silos and affects all stakeholders. The building blocks for this method make up a comprehensive lifecycle process to help you do as much as you can to protect against these inherent risks—with the greatest competitive benefits. 

There are a number of actions executives in companies in the retail industry can take to manage risk, including:

  • Frame and benchmark the current risk management strategy. Then take an inventory of the supporting processes, policies, controls, and metrics, particularly as they apply to your digital assets and channels.
  • Establish a digital governance structure as well as risk mitigation and response plans. Develop policies and procedures for the new digital age and implement risk management processes to support those policies and procedures.
  • Launch an integrated risk management program, including assurance programs, frameworks, and activities, to business units and other relevant areas, such as your internal audit department and IT.
  • Put business and digital risk management strategies in place. Test your risk processes and internal controls. For example, conduct escalation and response scenario testing. Also, implement reporting and performance management.

With a comprehensive risk framework, your company leaders can better manage risk. And by implementing a retail risk management strategy, you can nullify many threats before they happen. In addition, this risk framework allows executives to consider the level of risk the company is willing to take on while pursuing innovation and potentially profitable new ideas. 

Increasingly, digital is becoming the center of the shopping experience. Therefore, it’s imperative that companies in the retail industry meet their customers’ growing demands while avoiding the inherent risks that may surface along the way.

The Best Ways to Maintain PCI Compliance

· ·

Congratulations, you have achieved PCI compliance

Now comes the hard part, staying compliant. Remember, it was a great deal of work to get your environment where it needed to be for the Payment Card Industry Data Security Standard (PCI DSS). Organizations spend a fair amount of money getting systems, networks, and people exactly where they need to be for cardholder data protection. 

The PCI Data Security Standard is not something that you complete once and you’re good forever. Instead, maintaining PCI compliance takes an ongoing commitment of people, process and technology. There are three things that organizations can do to stay compliant: dedicate the necessary resources to keep the information security program current, assess/test the information security environment perpetually, and invest in ongoing vulnerability management. It is only with the continued dedication that a PCI environment will stay in compliance and prevent data breaches.

Dedicate the necessary resources to the program perpetually

In order to continue to meet PCI DSS requirements, an organization needs to invest in information security. Resources leveraged for information security are typically comprised of either people, processes, and technology. A perpetual PCI compliant information security program invests in its people by making sure they have the most up to date training to maintain and enhance an environment. 

Processes are essentially playbooks on how to install, maintain, troubleshoot, and execute tasks within an environment. As time goes on, processes need to be updated to account for changes in systems. Technology changes rapidly when it comes to information technology and information security. The trajectory of artificial intelligence and machine learning has information technology changing exponentially. Plan on refreshing and updating technology every few years, which will directly impact existing people and processes with new training and fine-tuning required.

Assess and test the information security environment

Many ask the question, “How do we know if our security environment and controls are working?” 

The best answer is to assess and test your environment both from an internal perspective and an external perspective. Organizations that are truly ahead of the game leverage red teams (that acts like a hacker), blue teams (that defends against attacks), and purple teams (a blend of both red and blue teams). There are several important ways to assess and test the environment:

  • Penetration testing 
  • Internal and external scanning
  • Security awareness training
  • Compliance review
  • Risk assessment

Ongoing vulnerability management

The importance of ongoing vulnerability management cannot be overstated in an organization looking to maintain PCI compliance. Most of the breaches that have occurred in the last several years have one alarming similarity: The companies lacked mature vulnerability management programs. 

The data breaches share several vectors like unpatched systems, weak passwords, and excessive access. Most of the data breaches of the past could have been prevented with basic vulnerability management and vulnerability scans, which focus on:

  • Patching and patch management
  • Firewall and router configurations
  • Application security
  • Data integrity assessment
  • Review logs, alerts, and access permissions

PCI DSS compliance is focused on protecting the cardholder, payment card data, and both onsite and e-commerce transactions. While not the only data that needs to be protected, card data like Visa, Mastercard, American Express, Discover, and JCB is a primary focus of PCI. 

The Self-Assessment Questionnaires are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance. There are multiple SAQs available, with the specific SAQ being used determined by how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations). There are continuous annual requirements for organizations that qualify for the SAQ.

Maintaining compliance should include quarterly vulnerability scans where applicable and annual assessments like those conducted by a Qualified Security Assessor (QSA). An internal mock assessment is a great way to provide fine-tuning to the PCI requirement area that your organization may need to work on. Maintaining a compliant cardholder data environment takes work. The good news is that PCI DSS contains the best practices and testing procedures your organization needs to obtain and maintain PCI compliance on an ongoing basis.

eBook: PCI DSS Guide to Scoping

· ·

For merchants who process payment cards, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for doing business. While PCI DSS establishes prescriptive requirements for protecting data, many companies struggle with understanding how to determine what networks and systems fall within the PCI DSS scope. For many merchants, the most frustrating and confusing part of maintaining compliance with the PCI Security Standards is determining what networks and system components need to be protected under the rigorous standard.

Understanding PCI DSS

What is the Payment Card Industry Data Security Standard?

The five major payment card companies, American Express, Discover Financial Services, JCB International, MasterCard, and Visa, Inc. banded together to create the Payment Card Industry Security Standards Council (PCI SSC) to establish best practices for protecting cardholder data. The organization wanted to create a series of standards for how to process payments – to protect their customers as well as themselves. These became the Payment Card Data Security Standard.

What is cardholder data (CHD)?

The standard defines CHD as any personally identifiable information (PII) that can link an individual to their a credit or debit card. This card data includes the primary account number (PAN) in combination with either the cardholder name, expiration date, or service code.

What is the cardholder data environment (CDE)?

Under the standard, any computer or networked system that processes, stores, or transmits this CHD needs to be protected using the specified controls listed in the PCI DSS requirements. The CDH includes system components such as network devices, servers, computing devices, and applications. These can be security services, virtual components, network components, server types, applications, or anything connected to CDE.

The standard defines “system components” as network devices, servers, computing devices, and all applications, providing six specific examples:

  1. Security services, segmentation services, or services impacting security
  2. Virtual components including machines, switches/routers/appliances, applications/desktops, and hypervisors
  3. Network components
  4. Server types
  5. Internal and external applications
  6. Anything connected to CDE

What is network segmentation?

Under the PCI standard, your CDE needs to be separated from any other systems, software, and networks used within your enterprise.  Any unprotected connection to the CDE, internal or external, places your organization at risk for fines.

What is PCI DSS scope?

PCI compliance starts with determining your CDE. Determine what systems, networks, devices, and applications store CHD, and therefore are part of your CDE, is the process of deciding your PCI scope. All these systems, devices, networks, and applications that need to be separated from the rest of your IT infrastructure and protected by the prescriptive requirements.

Why do I need to create a data flow?

Understanding your IT infrastructure not only requires you to focus on the individual system components that store, process, and transmit data, but also the way the data moves between them. For example, if CHD travels across a network and that network also transmits data for an application that does not impact CHD, the app is also connected to your CDE.

Therefore, you need to apply the PCI controls to that application as well to ensure the security of the CDE. If you don’t protect that application, a malicious actor can use it to obtain unauthorized access to your network which ultimately puts cardholder data at risk. Understanding the way data flows not only within your CDE but across your entire infrastructure allows you to ensure stronger threat mitigation.

What is an SAQ?

To ease the burden on merchants using vendors to enable PCI compliance, the PCI Security Standards Council created a Self-Assessment Questionnaire that allows you to review your technologies to see if they meet the data security requirements. For businesses that use PCI SSC approved point-to-point encryption (P2PE) hardware, this streamlines the requirements by more clearly defining, and limiting, the CDE.
A P2PE is a device used in brick-and-mortar (card present) and mail/telephone order merchants. To qualify for this lower standard, the merchant must attest that they

  • only process payments using a P2PE device approved by the PCI SSC
  • the only devices that interact with P2PE device are supported Point of Interaction (POI) devices approved  for use with it
  • have no other electronic storage, transmission, or collection locations for cardholder data
  • do not store legacy information electronically
  • have implemented all the controls required by the P2PE solution.

In this case, the merchants limit their PCI scope to just these devices and their technologies.

What is a Qualified Security Assessor (QSA)?

Your QSA is the external party certified by PCI SSC who oversees your PCI compliance. In short, they act as external auditors who go through PCI specific training.

As such, the first thing they will look at when they review your PCI compliance is whether you have appropriately scoped your CDE. If you haven’t correctly defined your compliance scope, then you won’t be able to set related controls in compliance with the requirements. Thus, before they review any other controls, they will determine whether you’ve located all the right system components.

What about service providers?

As merchants increasingly use Software-as-a-Service (SaaS) platforms to make payment processing easier, those suppliers are also in-scope systems for PCI compliance if they transmit, store, or process CHD.

Your service level agreement (SLA)  should clearly outline the PCI-DSS requirements covered by you and the services provider.

To prove its compliance, your vendor needs to provide documentation assuring:

  1. Annual assessment done independently and provided to their users.
  2. Multiple on-demand assessments at the request of each client.

If the service provider chooses to do its own annual assessment, the customers need to make sure that it covers their compliance needs and is part of the contract.

How to Use ZenGRC for PCI Compliance

ZenGRC acts as a single source of information for PCI compliance. With ZenGRC’s built in PCI mapping capabilities, you can easily align your current controls to the standard’s requirements.

Moreover, ZenGRC’s dashboard provides real-time insights into your organization’s control effectiveness providing you with continuous monitoring capabilities as required by PCI.

The workflow management and risk management capabilities within the ZenGRC platform offer merchants a way to communicate with internal stakeholders to ensure that you manage high priority risks first.

For more information about how to determine your PCI scope and protect your CDE, download our ebook “PCI DSS: Steps to Successful Scoping.”