PCI On-Site Survey Service

Security audit by a Qualified Security Assessor (QSA)

The PCI On-Site Audit Service uses the Payment Card Industry Data Security Standard (PCI DSS) as a standard to audit the storage and usage of credit card information by companies that hold credit card information such as merchants.

What is Payment Card Industry Data Security Standard?

The Payment Card Industry Data Security Standard ("PCI DSS") is an international unified security standard for the effective protection of credit card information, jointly developed by five international card brands (VISA, MasterCard, American Express, Discover, and JCB).

The ISMS standard, a well-known security standard, covers policies and standards related to management and overall business operations, including the establishment of security policies. PCI DSS, on the other hand, is a more practical and specific standard that clearly defines the procedures for ensuring the safety of card information and the methods for implementing the necessary systems.

[Figure: Pyramid diagram of ISMS and PCI DSS domains]

The PCI DSS consists of 12 requirements and defines minimum security standards to be followed.

The certification process consists of three stages, applied depending on the size of the target company: self-interview, vulnerability scan, and on-site survey. Except for the self-interview, all of these activities are conducted by an assessor (QSA/ASV)(*).

12 Requirements of the PCI DSS

Building and maintaining a secure network

Requirement 1
Deploy a firewall to protect data and maintain optimal settings.
Requirement 2
Do not use the system or software factory default settings (security-related settings) as they are.

Protecting card-holder information

Requirement 3
Secure the stored data.
Requirement 4
Encrypt card-holder and sensitive information when sent over public networks.

Maintaining a program to manage vulnerabilities

Requirement 5
Use anti-virus software and update software regularly.
Requirement 6
Develop and maintain highly secure systems and applications.

Implementing robust access control methods

Requirement 7
Restrict data access to the scope of business needs.
Requirement 8
Assign an identifying ID to each user who accesses a computer.
Requirement 9
Restrict physical access to card-holder information.

Regular network monitoring and testing

Requirement 10
Track and monitor all access to network resources and card-holder information.
Requirement 11
Regularly test security systems and control procedures.

Preparing information security policy

Requirement 12
Prepare a policy on information security.

Companies subject to PCI DSS
  • Card merchants
    Internet e-commerce shopping sites, distribution retail (department stores/supermarkets/electric appliance stores), transportation energy (gas stations/highways/railways/airlines), telecommunications (ISP/mobile carriers), service industry (hotels/restaurants), etc.
  • Settlement agents
  • Service providers

*QSA/ASV: A security assessment organization accredited by the PCI Security Standards Council (PCI SSC), a PCI DSS council jointly operated by five international card brands.

Overview of PCI On-Site Survey Service

The on-site survey service comprehensively examines the customer's internal rules, operations, system configuration, and so on, following the PCI DSS audit procedure, to confirm that they correctly reflect the requirements set forth in the PCI DSS.

1. Interview
We interview each person in charge about the status of security measures, operational status, and information handling, and confirm the current situation.
2. Document research
We check documents such as security policies, standards, procedures, and records as an audit trail to verify that operations are being carried out as indicated in these documents.
3. Observation
We enter the areas where credit card information and payment information are used in the course of business and check the implementation status of physical security measures.
4. Checking settings
We check if adequate security design is implemented for computer and network equipment.

Benefits of PCI On-Site Survey Service

■ Objective evaluation is done by experts
■ The current situation is assessed and problem areas are identified
■ Certificate of compliance with PCI DSS is issued

■ Security level is identified accurately
■ Appropriate and efficient security measures can be taken
■ It is effective for external PR

*Please contact us separately for issuing the certificate, as there are other conditions.

Flow of PCI On-Site Survey Service

1. Preliminary survey / meeting and information gathering
We will confirm the scope of the review and the method of investigation.
2. On-site survey
The QSA (auditor) will visit the site and verify compliance with PCI DSS.
3. Report writing
We will compile the results of the investigation and prepare a report as prescribed by the PCI SSC.
4. Briefing
We will report the results of the survey on compliance with PCI DSS requirements.
5. Certificate issued
We will issue the signed Attestation of Compliance (AOC). In addition to the AOC, we issue our own certification logo mark and certificate if certain conditions are met.

* These products or services are only available in Japan.