PCI Data Security Standards
If you store, process or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standards (PCI DSS), a set of security rules designed to curb costly breaches and thefts across the industry.
LBMC Information Security offers a full suite of payments-related data security services to help you attain and demonstrate PCI compliance. As a certified PCI Qualified Security Assessor (QSA), our experts can help you navigate through a maze of regulations, offering practical solutions to help you achieve and maintain compliance. Our team also takes a long-term partnership approach, because we know how important it is to have a reliable and consistent QSA. Our noticeably low turnover helps distinguish us from the rest by giving you the same QSA each year.
PCI Audit and Report on Compliance
While only Level 1 merchants and Service Providers (e.g., big-name chain merchants) must submit a QSA-led Report on Compliance, acquirers can require a Report on Compliance regardless of your company size. We lead you through the entire process, from scoping and segmentation, through the audit process, to issuing a completed final Report on Compliance (ROC) and Attestation of Compliance (AOC) to the appropriate parties. We can also provide an “audit once, report many” approach if different frameworks apply.
PCI Gap Analysis
We review PCI compliance efforts performed to date, give clear and insightful guidance on scope reduction, interview key staff, perform testing procedures, and give you an actionable list of remediation steps to prepare you for a PCI audit or self-assessment questionnaire.
ASV Quarterly Scanning
PCI Requirement 11.2.1 requires quarterly vulnerability scans by an Approved Scanning Vendor (ASV). LBMC Information Security’s ASV service includes unlimited scans for one year with an industry-leading scanning engine, a secure portal for completing the relevant self-assessment questionnaire, scheduling and administration of your scans, and electronic filing with acquiring banks if desired. The client can use the ASV system on demand at any time.
LBMC Information Security can perform interviews and walkthroughs to assist in the completion of the PCI DSS self-assessment questionnaire version D (SAQ-D). Afterward, we will work with our clients to ensure the cardholder data environment is properly identified and complete the appropriate SAQ-D form.
PCI Flash Assessment
Our team of PCI experts performs a quick assessment to provide you with a roadmap that will guide you through your individualized PCI compliance strategy, focusing heavily on helping you determine your PCI scope and segmentation.
PCI Consulting (Virtual QSA)
Through education from a senior-level PCI Qualified Security Assessor, you will receive the expert advice you need on PCI compliance. With our PCI consulting services, you’ll hear timely answers and solutions to your current projects that could affect PCI compliance, while only paying for the time you need.
PCI and Web Application Security Penetration Testing
Penetration testing assures you’re compliant with PCI DSS Requirement 11.3. The methodology, scoping, and reporting processes align with the PCI DSS requirements for penetration testing, including the CDE boundary validation requirements. Through this testing, our team assesses your susceptibility to security attacks.
We also conduct “gray box” (meaning no access to source code) web application security assessments on your web applications to determine if someone might be able to compromise the security of the application itself or the data therein. This evaluates the security of the application by searching for vulnerabilities that could be exploited by an attacker. This testing assures compliance with PCI DSS Requirement 6.6.
Card Data Discovery
With the ability to scan files and data stores, our team can help you meet PCI requirements to identify all stored card data, with the option to expand data discovery to PII and/or ePHI.
PCI Training and Education
Training employees on PCI Security—and security awareness in general—is essential to helping your organization improve your security posture and reduce risk to cardholder data. Our team can help position your employees for success through education and training, reducing the susceptibility to people-based attacks.
Readiness Assessment: PCI Compliance Requirements
Even if you’ve already completed a self-assessment questionnaire, even if you believe in your heart of hearts that you’re compliant, it’s wise to have security experts perform a readiness assessment at least once. This process will help you verify that you’ve correctly interpreted the PCI DSS rules and that your assumptions are well-founded. Very often, merchants unknowingly and inadvertently misinterpret PCI compliance guidelines and mistakenly indicate compliance.
What is a readiness assessment?
A readiness assessment can help you self-evaluate more confidently in the future and help you learn more about how and why your security measures work. Often, the readiness assessment reveals opportunities to manage your security more robustly and cost-effectively in the future.
Three Steps of a Readiness Assessment
- Figure out where cardholder data is stored, processed, or transmitted in your environment. Where in your business process is data captured, and how is it handled? An assessor will follow the flow of card data through your network, whether it travels to a database or a third-party site. They’ll also conduct a thoroughgoing search for card data in unexpected places: stored in a spreadsheet in your file-sharing system, or hanging out on your email system.
- Define the scope for PCI compliance. Everywhere card data goes, PCI DSS is the rule of the land. But the opposite is also true: PCI doesn’t care about systems that don’t touch card data. So once you’ve followed the data, you can identify which systems are subject to DSS rules – and which ones you don’t need to worry about, at least as far as compliance is concerned. This information may guide your action plan, helping you save both time and money.
- Identify gaps between your scope and the requirements. Once you know exactly which portion of your system is subject to PCI DSS, you can compare the rules to the reality. In a readiness assessment, this will typically mean a series of interviews, inspections, and process walkthroughs, validating that all the necessary rules are in place.
When we perform readiness assessments at LBMC, we see certain common pitfalls that we take care to address. For example, PCI requires businesses to conduct quarterly internal vulnerability assessments — this means scanning for missing patches, default passwords, and other cracks in the armor that thieves or malware could easily exploit.
When you find a weakness, you’re required to review and remediate results tagged as high-risk. Then you’re supposed to run another scan that shows the problem has been addressed. Often, merchants run the scan but don’t read it. Or if they read it, they don’t clean up the problem. Or if they clean up the problem, they don’t run the scan again – and they don’t document the success.
For every PCI rule (or “control”), you must have documentation to be considered in compliance. This is an easy and common rule to fall down on. So we sit down with merchants and look at their past scans, as well as their documentation. Then we complete the self-assessment questionnaire with them to identify the true answers to every question. This helps them accurately and confidently answer “yes” on each control.
LBMC Information Security reviews compliance efforts, can test to assure compliance, and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us.
PCI Compliance Audit: Streamlining the Report on Compliance
As a Qualified Security Assessor, we’ve identified a handful of steps that make a PCI compliance audit run as smoothly as possible for merchants.
3 Steps to a Successful PCI Compliance Audit
- Identify a collaborative QSA. For the process to be as efficient as possible, it needs to be a collaborative process. Try to identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.
- Get the documents in order. A Report on Compliance requires documentation for every control – which adds up to quite a lot of documentation indeed. Look for your QSA to give you plenty of time to get the documents together. Six weeks is an appropriate amount of lead time.
- Talk ahead of time. A QSA should schedule interviews with your key personnel a few weeks before they come on-site, so they can be conscious of your people’s time while gathering the data they need. Regular communication is fundamental, so when the QSA identifies areas of noncompliance, you can address them as quickly as possible. As long as an issue is addressed before the QSA writes its report, you should get credit for compliance. Make certain that you have a key internal contact regularly managing potential issues and handling requests for artifacts or documentation from your QSA. What you don’t want in a partner is a QSA who flies out an assessor who spends a week onsite, never speaking to you before or after. Make sure you find a partner who can educate you throughout the process, helping to strengthen your security and your confidence.
Penetration Testing and PCI Compliance Requirements
Every organization subject to PCI DSS must demonstrate compliance annually and undergo regular security tests – sometimes self-administered and sometimes conducted by a third-party organization in a PCI compliance audit. One of these important tests is called a “penetration test,” and it offers some useful insight into how and why PCI DSS works.
What is a penetration test?
On one level, it’s a network attack like any other, but this “attack” is conducted by you or a third-party security partner in an attempt to expose potential vulnerabilities. Make no mistake: it’s a full-fledged attempt to break into your system and try to get credit card data. At its most effective, a penetration test will simulate attacks ranging from malicious software to human hacking, detailing whether your system’s defenses stand or fall.
PCI requires that one of these tests be conducted annually. It doesn’t have to be done by a third party, but most organizations find that they want to use a partner. That partner can provide an objective view without being biased by prior knowledge of your system, and they can also bring specialized expertise in the most common attack techniques, so they can conduct the same activities that the bad guys will, giving you the most relevant perspective of your susceptibility. They won’t have extensive knowledge of your particular network environment – including its particular strengths and weaknesses – so they can bring an authentic intruder’s perspective.
An authentic intruder’s perspective is essential. A penetration test isn’t just kicking the tires of your system; it’s also taking it out for a drive and making sure it holds up to the rigors of the road – including the treacherous curves of real intruders and real malware. In the past, some businesses in do-it-yourself mode downloaded sketchy and unreliable “penetration test tools” online to fulfill this PCI DSS requirement.
Cybersecurity Sense Podcast: PCI Pen Testing
In this episode Bill Dean and Stewart Fey discuss penetration testing for PCI compliance. Learn about the differences between penetration testing and vulnerability assessments, and what is needed to meet requirements for PCI compliance.
Tools for Maintaining PCI Compliance
Glossary of Payment and Information Security Terms
It can be hard to fill out the self-assessment or communicate with your qualified security assessor (QSA) if you don’t understand the terminology. The PCI Security Council created a glossary of easy-to-understand explanations of technical terms used in payment security. No longer should the PCI DSS requirements and terminology sound like a foreign language to those who have the responsibility of completing a self-assessment or communicating with a QSA. This resource is free from the PCI Security Council’s website.
Common Payment Systems
Another great resource for small merchants, first-time merchants, or merchants trying to mature their PCI DSS understanding is the Common Payment Systems resource on the PCI Security Council’s website. This resource is a set of real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it. Included is a variety of credit card payment implementations that are commonly seen across a variety of industries. Most importantly within this toolset is the understanding that PCI environments and merchant implementations are not “one-size-fits-all.” This excellent resource covers not only the 15 common types of payment card implementations but also their risk, threats, and protections. There’s also an easy-to-understand, graphical representation of each system’s risk profile. This valuable tool is also free from the PCI Security Council’s website.
Guide to Safe Payments
The Guide to Safe Payments not only does a terrific job explaining core concepts, risk, terminology, and protection strategies, it also serves as a valuable resource for other useful PCI documents and tools. And, guess what? It is free as well from the PCI Security Council.
Questions to Ask Your Vendors
To properly assist you in engaging and managing service providers and vendors, the PCI Security Council has created another (you guessed it) free resource. Questions to Ask Your Vendors provides a set of specific questions to ask vendors to make sure they are protecting your customers’ credit card data. You should only work with vendors and service providers who understand and accept their responsibility to protect cardholder data as described in the PCI DSS.
Cybersecurity Sense Podcast: New Tools for PCI Compliance
In this podcast, LBMC Information Security’s Bill Dean and John Dorling discuss some of the tools available to help merchants who are trying to achieve PCI compliance.