What We Do

Benefits of PCI DSS compliance

As a merchant or a service provider

  • Decrease the risk of security breaches
  • Gain trust from your customers
  • Avoid costly penalties from the payment brands and the PCI SSC

Do you need PCI DSS?

If your business transacts via payment card, you must abide by PCI DSS. The standard has 12 requirements that address the growing threat to customer payment information. Organizations that fail to comply with the standard may be fined between USD$5,000 and $100,000, along with other penalties.

PCI Qualified Security Assessors

MXC professionals are qualified by the PCI Security Standards Council as assessors of the PCI DSS, also known as PCI Qualified Security Assessors (QSAs). As a QSA, we are able to assist merchants and service providers in complying with PCI through the Self-Assessment Questionnaire (SAQ) and the Report on Compliance (ROC) with the Attestation of Compliance (AOC).

Why PCI-Certified Companies Are Being Breached

Are PCI-Certified Companies Secure?

One of the major misconceptions about PCI DSS compliance is that PCI DSS-certified companies are secure or hacker-proof. In practice, many businesses check the PCI DSS compliance boxes off their list, or even just implement compensating controls for the duration of the PCI QSA audit, and then forget that security protection is an ongoing, continual, full-time exercise. The following list illustrates cases where a poor QSA methodology may lead to a flawed assessment:

  • QSAs who rely mostly on their interviewees’ statements to validate compliance
  • QSAs who solely rely on evidence provided by the organization
  • QSAs who spend little to no time on assessment, advisory and audit
  • QSAs who don’t take a representative sampling of system components
  • QSAs who validate positives (that a control exists) instead of negatives (that the control cannot be bypassed)

The QSA company's or QSA employee's level of proficiency and experience may also be a factor that results in non-compliant organizations passing their assessments, for example:

  • QSAs who fail to identify the right compliance scope for an organization
  • QSAs who are not experts in specific security products or technologies
  • QSAs who are not familiar with hacking techniques or attack vectors that hackers use to breach organizations

The PCI has established fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant. In addition, all individuals whose information is believed to have been compromised must be notified in writing so that they can be on alert for fraudulent charges. As such, the potential cost of a security breach can far exceed $500,000 once the cost of customer notification and recovery is included. Other potential additional costs of a data breach are:

  • Increased audit requirements
  • Potential for campus-wide shutdown of credit card activity
  • Cost and time of returning to the pre-incident state
  • Cost of PR and incident management
  • Cost of staff time (payroll) during security recovery
  • Cost of lost business during register or store closures and processing time
  • Decreased sales due to marred public image and loss of customer confidence

Case Study

Tourism Data Hack Leads Greek Banks To Cancel Thousands Of Their Cards
All four of Greece's main banking institutions enacted security protocols after a data breach and consequently cancelled 15,000 consumer cards, according to a report. After consumer information was compromised on a tourist website, Alpha Bank, Piraeus Bank, Eurobank and the National Bank of Greece each cancelled their customers' credit and debit cards. The tourist website lets customers purchase transportation of all kinds, plus hotel reservations and insurance. Major credit card companies, such as Visa and Mastercard.
As a result, any banking card used on the travel portal was cancelled and replaced.

Why choose MXC Security as your long-term Information Security Advisor and Cyber Security Consultant?

  • 15+ years' experience in information security advisory and ISO 27001 ISMS consultation for many MNCs and FSIs; this lets us provide fit-for-purpose advice and control recommendations that fulfil not just the PCI DSS checklist / template but other industry best practices such as ISO 27001 ISMS and NIST, drawing on our regulatory compliance experience;
  • PCI DSS compliance assessment is not just a checklist-based exercise. It requires an experienced auditor to manage the audit and achieve a win-win outcome. MXC QSAs are IRCA ISMS Principal Auditors and experienced IS auditors with 15+ years of audit experience who know how to manage the rhythm of the audit and maximize the results
  • A local Vietnamese Security Consultant acts as support and coordinator to facilitate timely and effective coordination. Familiarity with local Vietnamese information security and IT culture is an important key success factor and is built into this assessment
  • Local / regional full-time professionals will be allocated to this project
  • Highly Qualified Penetration Testing Professionals with 6 x CREST certified penetration tester/ OSCP (Note *A)
  • CREST Accredited Company for Penetration Testing
  • Penetration testing service provider for 16+ years
  • Professional team members in Vietnam, speaking both Vietnamese and English

Note *A: Risks of poor penetration testing / vulnerability assessment services:
Tools-driven / automated penetration testing is not true penetration testing
Many penetration testing services run tools (mainly freeware, plus a few commercial tools) as the core of the testing. However, this is not a truly qualified penetration test. Tools are not the key success factor; it is the skill of the assessors that discovers the vulnerabilities. We have many examples where Critical and High risk vulnerabilities were discoverable only by manual testing, not by automated tools. If the report you receive consists mainly of tool-generated results, you remain exposed to a real attacker, since even an average attacker can discover vulnerabilities that tools do not find.

Our Approach

Our unique methodology for PCI DSS Advisory

Phase 0 – Project Initiation and Consultation

Our PCI DSS QSA Team will launch the project through a kick-off meeting, in which the details of the project schedule and commitments will be defined.

Phase I – Discovery

In this phase, the PCI DSS Qualified Security Assessor (QSA) Team will collect documentation to confirm the scope and perform initial checking.

Phase II – PCI DSS Requirement Testing

In this phase, the QSA Team will perform a PCI DSS Readiness Check and PCI DSS Requirement Testing to evaluate the compliance status against the PCI DSS requirements. The PCI DSS Readiness Check serves as preliminary testing before the official requirement testing.

Phase III – Remediation Consultation Service

Based on the testing results, Maximus provides all necessary consultancy support and assistance for the customer to remediate and comply with the PCI DSS requirements. Maximus will draft all PCI DSS-related management system procedures and assist the customer in reviewing and finalizing those procedures. This minimizes the effort required of the customer to establish the policies and procedures from the ground up.

Phase IV – Final Deliverable

The QSA will analyse the evidence collected during PCI DSS Requirement Testing and prepare the final report.

Phase V – Quality Assurance

Prior to delivery of the final report, the QSA Quality Assurance (QA) Team will perform an internal review to ensure the report meets the internal QA criteria. Once the review of the ROC is complete, the QA Team will finalize the ROC and AOC for delivery to the customer.

Phase VI – Closeout

A closeout meeting will be arranged with the customer's stakeholders to deliver the report and present the testing results.