Is PCI DSS as a Service possible?
Jan 31st, 2012 by Jesper Kråkhede
Starting your own company is always an interesting challenge, especially when you have ideas that are not so common in the industry. Our core service is PCI DSS as a service. Sounds simple enough? Quite a few clients have been intrigued by what it actually means and how to implement it.
PCI DSS as a service is in essence a concept where we use our PCI DSS reference architecture to map where the client currently is in the compliance process and how well the requirements are fulfilled. The gap analysis that results gives us the information needed to provide a roadmap for how to minimise the PCI DSS scope and which services are needed to become PCI DSS compliant. These services include log management, incident response and CIAAS (compliant infrastructure as a service), to name a few. Our goal is to help the client become compliant with as little effort as possible without compromising overall security.
So PCI DSS as a service is mainly a tightly controlled infrastructure paired with all the services needed to fulfil all PCI DSS requirements. This can be delivered as a cloud service that we provide, as an in-house service if the client wants to keep control over the infrastructure, or as a concept for those who want to run it themselves but would like a streamlined, secure setup that is easy to maintain.