If you store, process, or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of security rules designed to curb costly breaches and thefts across the industry. As a certified PCI QSA, LBMC offers a full suite of payments-related data security services to help you attain and demonstrate compliance today.
We review compliance efforts performed to date, interview key staff and perform detailed testing procedures. This process will prepare you for a PCI audit and ensure that your PCI self-assessment questionnaire accurately represents your compliance status.
3 Steps to Readiness
1. Figure out where cardholder data is stored, processed, or transmitted in your environment.
Where in your business process is data captured, and how is it handled? An assessor will follow the flow of card data through your network, whether it travels to a database or a third-party site. They’ll also conduct a thorough search for card data in unexpected places: stored in a spreadsheet in your file-sharing system, or hanging out on your email system, for example.
2. Define the scope for PCI compliance.
Everywhere card data goes, PCI DSS is the law of the land. But the opposite is also true: PCI doesn’t care about systems that don’t touch card data. So once you’ve followed the data, you can identify which systems are subject to DSS rules — and which ones you don’t need to worry about, at least as far as compliance is concerned.
3. Identify gaps between your scope and the requirements.
Once you know exactly which portion of your system is subject to PCI DSS, you can compare the rules to the reality. In a readiness assessment, this will typically mean a series of interviews, inspections, and process walkthroughs, validating that all the necessary rules are in place.
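Step 1 above depends on actually finding cardholder data that has drifted into spreadsheets, exports and mailboxes. The following is an added example written for this page, not LBMC tooling: it scans a constructed file-share export for PAN-like digit runs, keeps only Luhn-valid candidates that fit an assumed (non-exhaustive) set of issuer prefixes and lengths, and reports each hit masked to first six and last four digits so the discovery log itself does not become another place where full PANs are stored.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
# The pattern and issuer table below are assumptions made for this example.
PAN_CANDIDATE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")
ISSUER_RULES = {
    "visa": (("4",), (13, 16, 19)),
    "mastercard": (("51", "52", "53", "54", "55"), (16,)),
    "amex": (("34", "37"), (15,)),
}

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(digits: str):
    """Return the assumed issuer name for a digit string, or None if it fits no rule."""
    for name, (prefixes, lengths) in ISSUER_RULES.items():
        if digits.startswith(prefixes) and len(digits) in lengths:
            return name
    return None

def find_pans(text: str):
    """Return [(issuer, masked_pan)] for every Luhn-valid, issuer-matching candidate."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(set(digits)) == 1:        # placeholders such as 0000 0000 0000 0000
            continue
        if not luhn_valid(digits):       # order numbers, phone numbers, timestamps
            continue
        issuer = classify(digits)
        if issuer is None:
            continue
        masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
        hits.append((issuer, masked))
    return hits

# Constructed sample export; the card numbers are publicly known test numbers.
SAMPLE_EXPORT = """\
customer,card,note
J. Smith,4111 1111 1111 1111,phone 615-555-0123
A. Jones,5555-5555-5555-4444,order ORD-2016051234567890
M. Lee,378282246310005,placeholder 0000 0000 0000 0000
"""

if __name__ == "__main__":
    for issuer, masked in find_pans(SAMPLE_EXPORT):
        print(f"{issuer}: {masked}")
```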
Because we know PCI compliance can be complicated, we will work with you and members of your team to help them better understand any non-compliant areas and outline what should be done to bring them into compliance. Our clients want significant knowledge transfer and education to occur as part of the effort, and our delivery process is designed to ensure that it does.
A readiness assessment may find that some PCI controls are ineffective or inconsistent with PCI DSS 3.2. Once the readiness assessment is complete, we can estimate the remediation effort required. Remediation might include policies, software or hardware controls, or segmenting your network to reduce PCI compliance cost.
Step 1: System Discovery and Enumeration
The first stage of LBMC’s network-level testing service is devoted to information gathering and discovery. This includes utilizing standard network utilities such as ping and traceroute, and the nmap port scanning and mapping tool. Once the host operating systems and services are mapped, available service banners are collected. The goal of this phase is to ensure that the target environment is completely identified and fully defined for the testing team so that a comprehensive analysis can be performed.
Step 2: Profile Targets Via Vulnerability Testing
LBMC’s methodology includes an analysis of the system configuration, running services, operating system vulnerabilities, authentication mechanisms, and other weaknesses. The tested hosts are grouped by operating system and by availability of web services. Hosts running common services such as FTP and open shares are also identified for additional manual testing. The information gathered during this phase represents the key data that indicates potential infrastructure weaknesses.
Step 3: Exploitation and Penetration Testing
During this stage of testing, LBMC evaluates the findings of step 2 and attempts to exploit vulnerabilities to gain access and/or perform unauthorized functions on vulnerable systems. It is during this step that LBMC also specifically assesses the “boundaries” of the cardholder data environment to evaluate the effectiveness of segmentation techniques in isolating and limiting access to the CDE, as required by PCI DSS 3.2 requirement 11.3.4.
Because of the way automated tools probe, they sometimes mischaracterize a system configuration or weakness. During this phase of the engagement, the LBMC security team reviews each suspected issue individually and performs whatever additional procedures are needed to confirm its actual state, so that every suspected issue and vulnerability is fully vetted and tested and the results can be relied on with confidence.
Step 4: Comprehensive Vulnerability Assessment
In this phase, at the client’s option, LBMC will obtain a set of network credentials from the client. LBMC’s methodology includes an analysis of the system configuration, running services, operating system vulnerabilities, authentication mechanisms, and other weaknesses. By using authenticated access, LBMC is able to capture all relevant information about a particular system and can highlight additional weaknesses that may not be readily evident during unauthenticated penetration testing. This process, unique to LBMC’s penetration testing methodology, ensures that our clients have a complete picture of the potential weaknesses in their IT infrastructure.
Step 5: Results Analysis and Reporting
During this phase, LBMC evaluates the results of the vulnerability and exploit testing against general industry best practices for network deployments of this type and in conjunction with current relevant security and compliance standards, including the PCI DSS 3.1 requirements. This process allows LBMC to provide the most relevant and actionable security report possible.
External Penetration Assessment
The objective of the External Penetration Assessment is to evaluate the client’s vulnerability to attacks by malicious external sources that only have access to systems that are exposed to the Internet. LBMC will identify active systems within the IP ranges provided by the client and will deep scan, probe, and evaluate each system as a part of the external penetration testing.
This assessment determines the security posture of the external network and provides recommendations to improve the existing security measures in place. LBMC performs the assessment “from the outside” using tools and techniques that an attacker would likely use to profile the network and attempt to gain information or identify weaknesses with no prior knowledge of the environment.
Wireless Network Penetration Testing
LBMC will perform a penetration test on the wireless networks at relevant client locations. As a part of the assessment, LBMC will first attempt to identify and probe the wireless network from both outside and inside the facility. Once wireless networks in range of the facility have been identified, LBMC will validate with the client that the identified network is their property.
LBMC will attempt to gain access to the wireless networks and, if successful, attempt to gain further access to network resources and data. LBMC will conduct its reconnaissance activities first from a location near the client’s facility to determine how much information can be gathered from outside the facility and to measure the range and strength of the wireless signals. Perimeter sweeps will also be performed to establish the maximum range at which wireless networks can be accessed.
Social Engineering Assessment
An important component of any security assessment is the evaluation of the security awareness of employees. With breach notification provisions now specifying that a company acknowledge when sensitive data could have been mishandled or accessed inappropriately, awareness and vigilance are more important than ever.
As a part of this task, LBMC will use social engineering techniques to attempt to access restricted areas of facilities, as well as to gain access to computers where sensitive data may be stored, processed, or transmitted. The objective of the social engineering assessment is to evaluate vulnerability to attacks by malicious persons who attempt to trick users into providing sensitive information or user credentials.
Web Application Security Assessment
The objective of the web application security assessment is to evaluate the security of the in-scope web-based applications. This assessment determines the security posture of an Internet facing application and provides recommendations to improve the existing security measures in place.
Dynamic Web Application Security Assessment
During this portion of the engagement, LBMC will evaluate the security of the client’s web application by “interacting” with it across the network. During this phase, manual and automated testing is performed against the web sites and web applications, using commercial and/or Open Source web application scanners.
LBMC will also evaluate the use of secure coding standards in the development of the application. We will grade the web application security posture using the Open Web Application Security Project (OWASP) standards as the benchmark. Optionally, we can evaluate software code to determine weaknesses in the web application.
As far as the PCI Security Standards are concerned, only Level 1 merchants (typically big-name chain retailers) have to submit their Report on Compliance. But many acquirers require an RoC regardless of your size and the decision is up to them. After leading you through the audit process and completing the documentation needed to comply with PCI DSS, we issue the final Report on Compliance to the appropriate parties.
3 Steps to RoC Success
Typically, a successful RoC process consists of three basic steps:
1. Identify a collaborative QSA
For the process to be as efficient as possible, it needs to be a collaborative process. Try to identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.
2. Get the documents in order
A Report on Compliance requires documentation for every control — which adds up to quite a lot of documentation indeed. Look for your QSA to give you plenty of time to get the documents together. Four to six weeks is an appropriate amount of lead time.
3. Talk ahead of time
A QSA should schedule interviews with your key personnel a few weeks before they come on-site, so they can be conscious of your people’s time while gathering the data they need. Regular communication is fundamental, so when the QSA identifies areas of non-compliance, you can address them as quickly as possible. As long as an issue is addressed before the QSA writes its report, you should get credit for compliance. Make certain that you have a key internal contact regularly managing potential issues and handling requests for artifacts or documentation from your QSA so nothing falls through the cracks.
What you don’t want in a partner is a QSA that flies out an assessor who spends a few days onsite (or no time at all), never speaking to you before or after. Find a partner who can educate you throughout the process and that is willing to transfer knowledge to your internal team so you can stay on top of PCI in the future.
Remember the spirit of PCI DSS is to instill best security practices in your company and help ensure that they become a permanent part of your operations. A good partner can help you strengthen your security and your confidence.
PCI requirement 11.2.1 requires quarterly vulnerability scans by an Approved Scanning Vendor (ASV). LBMC’s ASV service includes unlimited scans for one year, a secure portal for completing the relevant self-assessment questionnaire, scheduling/administering your scans, and electronic filing with acquiring banks if desired. The client can use the ASV system on demand at any time.
Understanding PCI 11.2.1 (especially part 11.2.1b!)
PCI control 11.2.1 states, “Perform quarterly internal vulnerability scans.”
Though some may fail to perform quarterly scans at all (as specified in 11.2.1.a), it is far more common that the company fails to perform or document rescanning after remediation. Obviously, this presents a problem for achieving compliance with the PCI requirement. To ensure compliance with this control, it is imperative to remember to conduct quarterly scanning and, should vulnerabilities be found in the initial scan, remediation and rescanning must also occur in the same quarter.
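The rescan-in-the-same-quarter point is easy to get wrong on a calendar, so here is an added example (written for this page, not an LBMC tool) that applies the rule to a constructed scan log: each calendar quarter must contain at least one scan (11.2.1.a), and if a quarter's scanning turned up vulnerabilities, a clean rescan must also fall inside that same quarter (11.2.1.b). The ScanRecord structure and the status labels are assumptions made for the example; the sample shows the common failure where the rescan slips into the next quarter.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ScanRecord:
    """One documented internal scan (assumed structure; sample data is constructed)."""
    scanned_on: date
    open_vulns: int      # findings still open when this scan completed

def quarter_of(d: date) -> tuple:
    """Map a date to (year, quarter) using calendar quarters."""
    return (d.year, (d.month - 1) // 3 + 1)

def assess_quarters(records, year: int) -> dict:
    """Return {quarter: status} for each of the four quarters of `year`.

    'compliant' : at least one scan, and the quarter's final scan was clean
    'no-scan'   : no scan documented in the quarter (fails 11.2.1.a)
    'no-rescan' : vulns found, but no clean rescan before quarter end (fails 11.2.1.b)
    """
    by_quarter = {q: [] for q in range(1, 5)}
    for rec in records:
        y, q = quarter_of(rec.scanned_on)
        if y == year:
            by_quarter[q].append(rec)
    status = {}
    for q, scans in by_quarter.items():
        if not scans:
            status[q] = "no-scan"
            continue
        last = max(scans, key=lambda r: r.scanned_on)
        status[q] = "compliant" if last.open_vulns == 0 else "no-rescan"
    return status

# Constructed sample log: Q1 remediated and rescanned in time, Q2's clean rescan
# slipped into July (so Q2 fails while Q3 passes), and Q4 was never scanned.
SAMPLE_RECORDS = [
    ScanRecord(date(2016, 1, 15), open_vulns=3),
    ScanRecord(date(2016, 2, 20), open_vulns=0),
    ScanRecord(date(2016, 4, 10), open_vulns=2),
    ScanRecord(date(2016, 7, 2), open_vulns=0),
]

if __name__ == "__main__":
    for q, s in assess_quarters(SAMPLE_RECORDS, 2016).items():
        print(f"2016 Q{q}: {s}")
```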
This is the second edition of our popular, 34 page PCI compliance guide. It has been thoroughly updated for the 3.2 version of the PCI DSS standard that became official in May of 2016.
PCI compliance is critical for businesses that rely on credit card payments. PCI Compliance Guidelines gives organizations critical information and best practices to meet their PCI compliance deadline in a timely, efficient manner.
Download your copy of PCI Compliance Guidelines Explained
Do you need to know the cost of PCI security and compliance services for budgeting? Are you ready to move forward and need a quote? Our automated system will prompt you for the information we need to begin assessing your PCI compliance posture.
Request a PCI Services Quote
We are a nationally-recognized, award-winning IT security and compliance firm with more than 20 years of experience.
We offer the full spectrum of penetration testing, security architecture, risk assessment, and IT compliance services.
PCI compliance isn't easy, but it doesn't have to be hard. To begin your path to credit card security and compliance, contact us, call 1-844-526-2732, or request a callback for a time of your convenience.