Long-Term PCI Data Security Standards Support

If you store, process, or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security rules designed to prevent costly breaches and thefts.

LBMC Cybersecurity offers a full suite of data security services to help you achieve and maintain PCI compliance.

Client Testimonial

Working with LBMC on our PCI compliance has helped us deliver a more secure product to our insurance-based customers.
Senior Manager of Information Security Audit for a leading software company

Cybersecurity Sense Podcast: New Tools for PCI Compliance

In this podcast episode, LBMC’s Bill Dean and John Dorling discuss some of the tools available to help merchants who are trying to achieve PCI compliance.

Streamlined PCI Compliance Services Overview

As a certified PCI Qualified Security Assessor (QSA), LBMC offers expert guidance to help clients navigate PCI regulations and maintain compliance. We provide practical solutions and emphasize long-term partnerships. Our low turnover rate ensures you work with the same QSA each year.

PCI Audit and Report on Compliance (ROC)

  • Overview: Only Level 1 merchants and service providers are mandated to submit a QSA-led ROC, though acquirers may require it regardless of company size.
  • Process: Our team guides you from scoping and segmentation through the audit process to issuing the final ROC and Attestation of Compliance (AOC). We also offer an “audit once, report many” approach for multiple frameworks.

PCI Gap Analysis

  • Purpose: Evaluate current PCI compliance efforts and identify areas for improvement.
  • Process: We provide guidance on scope reduction, interview key staff, perform testing procedures, and deliver an actionable list of remediation steps to prepare for a PCI audit or self-assessment questionnaire.

ASV Quarterly Scanning

  • Requirement: PCI Requirement 11.2.1 mandates quarterly vulnerability scans by an Approved Scanning Vendor (ASV).
  • Service: Our ASV service includes unlimited scans for one year using an industry-leading scanning engine, a secure portal for the self-assessment questionnaire, scan scheduling and administration, and electronic filing with acquiring banks.

Self-Assessment Questionnaire Version D (SAQ-D) Completion

  • Support: We conduct interviews and walkthroughs to assist with the PCI DSS SAQ-D.
  • Outcome: Proper identification of the cardholder data environment and a completed SAQ-D form.

PCI Flash Assessment

  • Purpose: Provide a quick assessment to guide your PCI compliance strategy.
  • Focus: Determine PCI scope and segmentation.

PCI Consulting (Virtual QSA)

  • Service: Receive expert advice on PCI compliance through education from a senior-level PCI QSA.
  • Benefit: Get timely answers and solutions for current projects affecting PCI compliance, paying only for the time you need.

PCI and Web Application Security Services

Penetration Testing

  • Purpose: Ensure compliance with PCI DSS Requirement 11.3.
  • Approach: Our testing processes align with PCI DSS requirements, including CDE boundary validation. This helps assess your susceptibility to security attacks.

Web Application Security Assessments

  • Purpose: Evaluate the security of web applications to ensure compliance with PCI DSS Requirement 6.6.
  • Approach: We conduct “gray box” assessments (no access to source code) to identify vulnerabilities that could be exploited by attackers.

Card Data Discovery

  • Purpose: Identify all stored card data to meet PCI requirements.
  • Approach: We scan files and data stores, with the option to expand discovery to PII and ePHI.

PCI Training and Education

  • Purpose: Improve your organization’s security posture and reduce risk to cardholder data.
  • Approach: We provide education and training to enhance employee awareness of PCI security and general security practices, reducing susceptibility to people-based attacks.

Cybersecurity Sense Podcast: PCI Pen Testing

In this episode, Bill Dean and Stewart Fey discuss penetration testing for PCI compliance. Learn about the differences between penetration testing and vulnerability assessments, and what is needed to meet requirements for PCI compliance.

Penetration Testing and PCI Compliance Requirements

Organizations subject to PCI DSS must demonstrate annual compliance and conduct regular security tests, including penetration tests. These tests can be self-administered or conducted by a third party during a PCI compliance audit. A penetration test simulates network attacks to expose vulnerabilities, offering insight into how effective your PCI DSS controls actually are.

What is a Penetration Test?

A penetration test is an intentional, authorized attack on your network performed by your organization or a third-party security partner to identify potential vulnerabilities. The test simulates various attacks, from malicious software to human hacking, to assess your system’s defenses. PCI requires annual penetration tests, which can be done internally, but many organizations prefer using a third-party partner for an unbiased, expert perspective.

Benefits of Third-Party Testing

Third-party testers provide an objective view and bring specialized expertise in common attack techniques, offering a realistic perspective of your system’s susceptibility. They lack extensive knowledge of your network, ensuring an authentic intruder’s perspective. This approach avoids the pitfalls of unreliable DIY tools and ensures thorough testing.

LBMC Cybersecurity can review compliance efforts, conduct penetration tests to ensure compliance, and help develop an action plan for remediation.

Readiness Assessment: PCI Compliance Requirements

Importance of a Readiness Assessment

Even if you’ve completed a self-assessment questionnaire and believe you are compliant, having security experts perform a readiness assessment is wise. This verifies that you’ve correctly interpreted PCI DSS rules and that your assumptions are well-founded. Merchants often misinterpret PCI compliance guidelines and mistakenly indicate compliance.

What is a Readiness Assessment?

A readiness assessment helps you self-evaluate more confidently in the future and understand how and why your security measures work. It reveals opportunities to manage your security more robustly and cost-effectively.

Three Steps of a Readiness Assessment

1. Identify Cardholder Data Locations

  • Determine where cardholder data is stored, processed, or transmitted in your environment.
  • An assessor will follow the flow of card data through your network, including unexpected places like spreadsheets or email systems.

2. Define PCI Compliance Scope

  • Identify which systems are subject to PCI DSS rules by tracking where card data goes.
  • Systems not touching card data are outside the scope, helping you save time and money by focusing only on relevant systems.

3. Identify and Address Gaps

  • Compare the scope to PCI DSS requirements through interviews, inspections, and process walkthroughs.
  • Common pitfalls include skipped quarterly internal vulnerability assessments, missing patches, default passwords, and inadequate documentation.

Common Pitfalls and Solutions

Quarterly Internal Vulnerability Assessments:

  • Regularly scan for missing patches and other vulnerabilities.
  • Review and remediate high-risk results, then run another scan to confirm the problem is resolved.

Documentation:

  • Maintain documentation for every PCI rule (or “control”); without it, the control cannot be considered compliant.
  • Review past scans and documentation to accurately complete the self-assessment questionnaire.

LBMC Cybersecurity can review your compliance efforts, verify compliance, and help your team develop an action plan for remediation. For more information or assistance, please contact us.

PCI Compliance Audit: Streamlining the Report on Compliance

As a Qualified Security Assessor, we’ve identified a handful of steps that make a PCI compliance audit run as smoothly as possible for merchants.

3 Steps to a Successful PCI Compliance Audit

1. Identify a Collaborative QSA.

  • For the process to be as efficient as possible, it needs to be collaborative. Try to identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.

2. Get the Documents in Order.

  • A Report on Compliance requires documentation for every control – which adds up to quite a lot of documentation indeed. Look for your QSA to give you plenty of time to get the documents together. Six weeks is an appropriate amount of lead time.

3. Talk Early.

  • A QSA should schedule interviews with key personnel weeks before the on-site visit to respect their time and gather necessary data. Regular communication is crucial to quickly address noncompliance issues before the QSA’s report. Ensure a key internal contact manages potential issues and handles documentation requests.

Avoid QSAs who don’t communicate before or after the assessment; find a partner who educates you throughout the process, enhancing your security and confidence.

Tools for Maintaining PCI Compliance

Glossary of Payment and Security Terms

Understanding terminology is crucial for filling out the self-assessment or communicating with your QSA. The PCI Security Standards Council offers a glossary with easy-to-understand explanations of technical terms used in payment security. This resource is free on the PCI Security Standards Council’s website.

Common Payment Systems

For small or first-time merchants, the Common Payment Systems resource on the PCI Security Standards Council’s website is invaluable. It provides real-life visuals to help identify payment systems, associated risks, and protective actions. The tool covers 15 common types of payment card implementations and their risk profiles, and is available free on the PCI Security Standards Council’s website.

Guide to Safe Payments

Guide to Safe Payments explains core concepts, risks, terminology, and protection strategies. It also serves as a hub for other useful PCI documents and tools. The guide is free on the PCI Security Standards Council’s website.

Questions to Ask Your Vendors

To manage service providers and vendors effectively, the PCI Security Standards Council provides Questions to Ask Your Vendors. This resource includes specific questions to help ensure vendors protect customer credit card data. It is free and available on the PCI Security Standards Council’s website.

Management Team

Stewart Fey

Shareholder, Cybersecurity

Nashville

Drew Hendrickson

Shareholder & Practice Leader, Cybersecurity

Nashville

Focus on what matters while we handle your PCI compliance. Contact us today for a quote or to discuss your needs. Call us at (844) 526-2732 or fill out the form below.