Using PCI Management
The PCI Management use case supports the following processes.
PCI Management Process Diagram
The following diagrams show the process that the Archer PCI Management use case is built to support. The use case supports Versions 3.2.1 and 4.0 of the PCI DSS.
Note: PCI DSS v3.2.1 was retired by the PCI Security Standards Council on 31 March 2024; assessments performed after that date must use v4.0.
Figure: PCI Management Process v3.2.1
Figure: PCI Management Process v4.0
Creating Primary Controls
User: Compliance Manager
The Primary Controls application serves as a central repository for controls, baselines, and activities that are mapped to corporate control standards. This mapping establishes the foundation for enterprise-wide risk monitoring and compliance measurement.
You can define primary controls across the organization that meet the requirements of the relevant regulations and standards. In the PCI Management use case, the Primary Controls application is used to document the PCI-defined controls and their assessment procedures, as well as any Custom Controls and their assessment procedures.
Note: Primary Controls were referred to as Master Controls prior to Archer Version 6.12.
Creating Control Procedures
User: Compliance Manager
The Control Procedures application allows you to create control procedures and link them to previously created Primary Controls. There are two types of control procedures: Technical and Process. Depending on the selected type, different information is captured and different testing options are available.
Document Cardholder Data Environments
Users: PCI Project Team Members
Before creating a compliance project, PCI Project Team Members should create Cardholder Data Environment (CDE) records to identify each area of the business that stores, processes, or transmits cardholder data. This lets you link the applicable CDEs directly when you create the compliance project.
Create a Compliance Project
Users: PCI Project Team Members
When creating a Compliance Project, PCI Project Team Members link all CDEs they want to assess, identify stakeholders, and define the validation type for the self-assessment questionnaire. Information captured here, such as the identified CDEs, is included in the Report on Compliance (ROC) mail merge template. A Compliance Project record can store multiple SAQ assessments but generates only one ROC. A Compliance Project can be assessed against either Version 3.2.1 or Version 4.0 of the PCI DSS.
Complete the Self-Assessment Questionnaire
Users: PCI Project Team Members and PCI Internal Stakeholders
Complete the Self-Assessment Questionnaire (SAQ) to determine your overall compliance with the PCI DSS requirements. By self-assessing regularly, you can identify gaps and remediate the findings they generate. After the SAQ is completed, the Auto-Link Findings To PCI Controls data feed links the finding for each incorrectly answered question to the corresponding control procedure. Self-Assessment Questionnaires for both PCI DSS 3.2.1 and 4.0 are available.
Generate your Controls
Users: PCI Project Team Members
Archer provides out-of-the-box controls that you can generate for your Compliance Project. Depending on your compliance scope, you may add any combination of the PCI controls to your compliance project, or add Custom Controls that meet the objective of a PCI requirement. Controls are generated either manually or by a data feed.
Complete a Control Assessment
Users: PCI Project Team Members
After selecting the controls for the PCI Compliance Project, you must complete a control assessment for each control. Assessing every selected control confirms that the control guidelines are actually implemented. If a control is not compliant, you must remediate its open findings before the control can be considered in place. You can conduct Control Assessments on both PCI Controls and Custom Controls. Before a Custom Control is assessed, the entity being assessed should provide pre-assessment details documenting the control's effectiveness.
Manage your Findings
Users: PCI Internal Stakeholders
The system auto-generates a finding for each incorrectly answered question in the Self-Assessment Questionnaire and for each control assessed as Not in Place, In Place with Remediation, or In Place with CCW (Compensating Control Worksheet).
The Archer Issues Management use case (Audit solution) allows you to manage the remediation process for any issues that are logged for remediation. Issues are logged as records in the Findings application, in which you document the remediation performed and track the issue to closure.