If you store, process, or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of security rules designed to curb costly breaches and thefts across the industry. As a certified PCI QSA, LBMC offers a full suite of payments-related data security services to help you attain and demonstrate compliance today.
We review compliance efforts performed to date, interview key staff and perform detailed testing procedures. This process will prepare you for a PCI audit and ensure that your PCI self-assessment questionnaire accurately represents your compliance status.
A readiness assessment may find that some PCI controls are ineffective or inconsistent with PCI DSS 3.2. Once the readiness assessment is complete, we can estimate the effort required for remediation. Remediation might include policies, software or hardware controls, or segmenting your network to reduce the cost of PCI compliance.
Testing to assure compliance with PCI DSS Section 11.3 covers internal and external testing of the application layer, network layer, wireless networks, and social engineering. The methodology, scoping, and reporting processes align with the PCI DSS 3.1 requirements for penetration testing, including the CDE boundary validation requirements in PCI DSS 11.3.4.
Step 1: System Discovery and Enumeration
The first stage of LBMC's network-level testing service is devoted to information gathering and discovery. This includes utilizing standard network utilities such as ping and traceroute, and the nmap port scanning and mapping tool. Once the host operating systems and services are mapped, available service banners are collected. The goal of this phase is to ensure that the target environment is completely identified and fully defined for the testing team so that a comprehensive analysis can be performed.
Step 2: Profile Targets Via Vulnerability Testing
LBMC's methodology includes an analysis of the system configuration, running services, operating system vulnerabilities, authentication mechanisms, and other weaknesses. The tested hosts are grouped by operating system and by availability of web services. Hosts running common services such as FTP and open shares are also identified for additional manual testing. The information gathered during this phase represents the key data that indicates potential infrastructure weaknesses.
Step 3: Exploitation and Penetration Testing
During this stage of testing, LBMC evaluates the findings of step 2 and attempts to exploit vulnerabilities to gain access and/or perform unauthorized functions on vulnerable systems. It is during this step that LBMC also specifically assesses the "boundaries" of the cardholder data environment to evaluate the effectiveness of segmentation techniques in isolating and limiting access to the CDE, as required by PCI DSS 3.2 requirement 11.3.4.
Because of the manner in which automated tools perform their probing, they sometimes incorrectly characterize a system configuration or weakness. During this phase of the engagement, the LBMC security team reviews each suspected issue and performs the additional procedures needed to confirm its current state, so that every suspected issue and vulnerability is fully vetted and tested and the results can be relied upon with full confidence.
Step 4: Comprehensive Vulnerability Assessment
In this phase, at the client's option, LBMC will obtain a set of network credentials from the client. LBMC's methodology includes an analysis of the system configuration, running services, operating system vulnerabilities, authentication mechanisms, and other weaknesses. By utilizing authentication credentials, LBMC is able to capture all relevant information about a particular system and can highlight additional weaknesses that may not be readily evident during penetration testing. This process, unique to LBMC's penetration testing methodology, ensures that our clients have a complete picture of the potential weaknesses in their IT infrastructure.
Step 5: Results Analysis and Reporting
During this phase, LBMC evaluates the results of the vulnerability and exploit testing against general industry best practices for network deployments of this type and in conjunction with current relevant security and compliance standards, including the PCI DSS 3.1 requirements. This process allows LBMC to provide the most relevant and actionable security report possible.
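The CDE boundary check in Step 3 (PCI DSS 11.3.4) boils down to one question: from a host that is supposed to be out of scope, can any CDE address be reached at all? The script below is an added illustration and is not LBMC's tooling; it assumes an nmap scan was run from the out-of-scope host with grepable output (`-oG`), parses a constructed sample of that output, and reports every open port that falls inside the client-supplied CDE ranges as a segmentation failure, while filtered or closed ports count as evidence the boundary held.

```python
import ipaddress
import re

# Constructed sample of nmap -oG output (not real client data): a scan launched
# from an out-of-scope workstation toward candidate CDE and non-CDE addresses.
SAMPLE_NMAP_GREPABLE = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 10.10.5.20 ()\tStatus: Up",
    "Host: 10.10.5.20 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///"
    "\tIgnored State: filtered (998)",
    "Host: 10.10.5.21 ()\tStatus: Up",
    "Host: 10.10.5.21 ()\tPorts: 22/filtered/tcp//ssh///, 1433/filtered/tcp//ms-sql-s///"
    "\tIgnored State: filtered (998)",
    "Host: 192.168.7.9 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)",
])

# Grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service), ...]} from nmap -oG text."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:", 1)[0]
        entries = results.setdefault(host, [])
        for port, state, proto, service in PORT_RE.findall(ports_field):
            entries.append((int(port), state, proto, service))
    return results


def segmentation_findings(scan, cde_networks):
    """Flag every open port on a CDE address reachable from the out-of-scope source."""
    nets = [ipaddress.ip_network(n) for n in cde_networks]
    findings = []
    for host, ports in scan.items():
        addr = ipaddress.ip_address(host)
        if not any(addr in n for n in nets):
            continue  # not a CDE address, so not an 11.3.4 boundary question
        for port, state, proto, service in ports:
            if state == "open":
                findings.append((host, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_NMAP_GREPABLE)
    for host, port, proto, service in segmentation_findings(scan, ["10.10.5.0/24"]):
        print(f"SEGMENTATION FAILURE: {host}:{port}/{proto} ({service}) reachable")
```

Run against the sample, only 10.10.5.20 is reported, because 10.10.5.21 showed filtered ports and 192.168.7.9 lies outside the declared CDE range.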
External Penetration Assessment
The objective of the External Penetration Assessment is to evaluate the client's vulnerability to attacks by malicious external sources that only have access to systems that are exposed to the Internet. LBMC will identify active systems within the IP ranges provided by the client and will deep scan, probe, and evaluate each system as a part of the external penetration testing.
This assessment determines the security posture of the external network and provides recommendations to improve the existing security measures in place. LBMC performs the assessment "from the outside" using tools and techniques that an attacker would likely use to profile the network and attempt to gain information or identify weaknesses with no prior knowledge of the environment.
Wireless Network Penetration Testing
LBMC will perform a penetration test on the wireless networks at relevant client locations. As a part of the assessment, LBMC will first attempt to identify and probe the wireless network from both outside and inside the facility. Once wireless networks in range of the facility have been identified, LBMC will validate with the client that the identified network is their property.
LBMC will attempt to gain access to the wireless networks and, if successful, attempt to gain further access to network resources and data. LBMC will conduct its reconnaissance activities first from a location near the client's facility to determine how much information can be gathered from outside the facility and to measure the range and signal strength of its transmissions. Perimeter sweeps will also be performed to establish the maximum range at which wireless networks can be accessed.
An important component of any security assessment is the evaluation of the security awareness of employees. With breach notification provisions now specifying that a company acknowledge when sensitive data could have been mishandled or accessed inappropriately, awareness and vigilance are more important than ever.
As a part of this task, LBMC will use social engineering techniques to attempt to access restricted areas of facilities, as well as to gain access to computers where sensitive data may be stored, processed, or transmitted. The objective of the social engineering assessment is to evaluate vulnerability to attacks by malicious persons who attempt to trick users into providing sensitive information or user credentials.
Web Application Security Assessment
The objective of the web application security assessment is to evaluate the security of the in-scope web-based applications. This assessment determines the security posture of an Internet facing application and provides recommendations to improve the existing security measures in place.
Dynamic Web Application Security Assessment
During this portion of the engagement, LBMC will evaluate the security of the client's web application by "interacting" with it across the network. Manual and automated testing is performed against the web sites and web application, using commercial and/or Open Source web application scanners.
LBMC will also evaluate the use of secure coding standards in the development of the application. We will grade the web application security posture using the Open Web Application Security Project (OWASP) standards as the benchmark. Optionally, we can evaluate software code to determine weaknesses in the web application.
As far as the PCI Security Standards are concerned, only Level 1 merchants (typically big-name chain retailers) have to submit their Report on Compliance. But many acquirers require an RoC regardless of your size, and the decision is up to them. After leading you through the audit process and completing the documentation needed to comply with PCI DSS, we issue the final Report on Compliance to the appropriate parties.
PCI DSS requirement 11.2.1 calls for quarterly vulnerability scans by an Approved Scanning Vendor (ASV). LBMC's ASV service includes unlimited scans for one year, a secure portal for completing the relevant self-assessment questionnaire, scheduling/administering your scans, and electronic filing with acquiring banks if desired. The client can use the ASV system on demand at any time.
This is the second edition of our popular, 34 page PCI compliance guide. It has been thoroughly updated for the 3.2 version of the PCI DSS standard that became official in May of 2016.
PCI compliance is critical for businesses that rely on credit card payments. PCI Compliance Guidelines gives organizations critical information and best practices to meet their PCI compliance deadline in a timely, efficient manner.
Do you need to know the cost of PCI security and compliance services for budgeting? Are you ready to move forward and need a quote? Our automated system will prompt you for the information we need to begin assessing your PCI compliance posture.
We are a nationally recognized, award-winning IT security and compliance firm with more than 20 years of experience.
We offer the full spectrum of penetration testing, security architecture, risk assessment, and IT compliance services.
PCI compliance isn't easy, but it doesn't have to be hard. To begin your path to credit card security and compliance, contact us, call 1-844-526-2732, or request a callback for a time of your convenience.