Long-Term PCI Data Security Standards Support

In this podcast, LBMC’s Bill Dean and John Dorling discuss some of the tools available to help merchants who are trying to achieve PCI compliance.

As a certified PCI Qualified Security Assessor (QSA), LBMC offers expert guidance to help clients navigate PCI regulations and maintain compliance. We provide practical solutions and emphasize long-term partnerships. Our low turnover rate ensures you work with the same QSA each year.

PCI Audit and Report on Compliance (ROC)

• Overview: Only Level 1 merchants and service providers are mandated to submit a QSA-led ROC, though acquirers may require it regardless of company size.
• Process: Our team guides you from scoping and segmentation through the audit process to issuing the final ROC and Attestation of Compliance (AOC). We also offer an “audit once, report many” approach for multiple frameworks.

PCI Gap Analysis

• Purpose: Evaluate current PCI compliance efforts and identify areas for improvement.
• Procedure: We provide guidance on scope reduction, interview key staff, perform testing procedures, and deliver an actionable list of remediation steps to prepare for a PCI audit or self-assessment questionnaire.

ASV Quarterly Scanning

• Requirement: PCI Requirement 11.2.1 mandates quarterly vulnerability scans by an Approved Scanning Vendor (ASV).
• Service: Our ASV service includes unlimited scans for one year using an industry-leading scanning engine, a secure portal for the self-assessment questionnaire, scan scheduling and administration, and electronic filing with acquiring banks.

Self-Assessment Questionnaire Version D (SAQ-D) Completion

• Support: We conduct interviews and walkthroughs to assist with the PCI DSS SAQ-D.
• Outcome: Ensure proper identification of the cardholder data environment and complete the SAQ-D form.

PCI Flash Assessment

• Objective: Provide a quick assessment to guide your PCI compliance strategy.
• Focus: Determine PCI scope and segmentation.

PCI Consulting (Virtual QSA)

• Service: Receive expert advice on PCI compliance through education from a senior-level PCI QSA.
• Benefit: Get timely answers and solutions to current projects impacting PCI compliance, only paying for the time you need.

Penetration Testing

• Objective: Ensure compliance with PCI DSS Requirement 11.3.
• Methodology: Our testing processes align with PCI DSS requirements, including CDE boundary validation. This helps assess your susceptibility to security attacks.

Web Application Security Assessments

• Objective: Evaluate the security of web applications to ensure compliance with PCI DSS Requirement 6.6.
• Methodology: We conduct “gray box” assessments (no access to source code) to identify vulnerabilities that could be exploited by attackers.

Card Data Discovery

• Objective: Identify all stored card data to meet PCI requirements.
• Methodology: We scan files and data stores, with the option to expand discovery to PII and ePHI.

PCI Training and Education

• Objective: Improve your organization’s security posture and reduce risk to cardholder data.
• Methodology: We provide education and training to enhance employee awareness of PCI Security and general security practices, reducing susceptibility to people-based attacks.

In this episode Bill Dean and Stewart Fey discuss penetration testing for PCI compliance. Learn about the differences between penetration testing and vulnerability assessments, and what is needed to meet requirements for PCI compliance.

Organizations subject to PCI DSS must demonstrate annual compliance and conduct regular security tests, including penetration tests. These tests can be self-administered or conducted by a third party during a PCI compliance audit. A penetration test simulates network attacks to expose vulnerabilities, offering insights into PCI DSS effectiveness.

What is a Penetration Test?

A penetration test is an intentional network attack performed by your organization or a third-party security partner to identify potential vulnerabilities. This test simulates various attacks, from malicious software to human hacking, to assess your system’s defenses. PCI requires annual penetration tests, which can be done internally, but many organizations prefer using a third-party partner for an unbiased, expert perspective.

Benefits of Third-Party Testing

Third-party testers provide an objective view and bring specialized expertise in common attack techniques, offering a realistic perspective of your system’s susceptibility. They lack extensive knowledge of your network, ensuring an authentic intruder’s perspective. This approach avoids the pitfalls of unreliable DIY tools and ensures thorough testing.

LBMC Cybersecurity can review compliance efforts, conduct penetration tests to ensure compliance, and help develop an action plan for remediation.

Importance of a Readiness Assessment

Even if you’ve completed a self-assessment questionnaire and believe you are compliant, having security experts perform a readiness assessment is wise. This verifies that you’ve correctly interpreted PCI DSS rules and that your assumptions are well-founded. Merchants often misinterpret PCI compliance guidelines and mistakenly indicate compliance.

What is a Readiness Assessment?

A readiness assessment helps you self-evaluate more confidently in the future and understand how and why your security measures work. It reveals opportunities to manage your security more robustly and cost-effectively.

Three Steps of a Readiness Assessment

1. Identify Cardholder Data Locations

• Determine where cardholder data is stored, processed, or transmitted in your environment.
• An assessor will follow the flow of card data through your network, including unexpected places like spreadsheets or email systems.

2. Define PCI Compliance Scope

• Identify which systems are subject to PCI DSS rules by tracking where card data goes.
• Systems not touching card data are outside the scope, helping you save time and money by focusing only on relevant systems.

3. Identify and Address Gaps

• Compare the scope to PCI DSS requirements through interviews, inspections, and process walkthroughs.
• Common pitfalls include quarterly internal vulnerability assessments, missing patches, default passwords, and inadequate documentation.

Common Pitfalls and Solutions

Quarterly Internal Vulnerability Assessments:

• Regularly scan for missing patches and other vulnerabilities.
• Review and remediate high-risk results, then run another scan to confirm the problem is resolved.

Documentation:

• Ensure documentation for every PCI rule (or “control”) to be considered compliant.
• Review past scans and documentation to accurately complete the self-assessment questionnaire.

LBMC Cybersecurity can review your compliance efforts, assure compliance, and help your team develop an action plan for remediation. For more information or assistance, please contact us.

As a Qualified Security Assessor, we’ve identified a handful of steps that make a PCI compliance audit run as smoothly as possible for merchants.

3 Steps to a Successful PCI Compliance Audit

1. Identify a Collaborative QSA.

• For the process to be as efficient as possible, it needs to be a collaborative process. Try to identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.

2. Get the Documents in Order.

• A Report on Compliance requires documentation for every control – which adds up to quite a lot of documentation indeed. Look for your QSA to give you plenty of time to get the documents together. Six weeks is an appropriate amount of lead time.

3. Talk Ahead of Time.

• A QSA should schedule interviews with key personnel weeks before the on-site visit to respect their time and gather necessary data. Regular communication is crucial to quickly address noncompliance issues before the QSA’s report. Ensure a key internal contact manages potential issues and handles documentation requests.

Avoid QSAs who don’t communicate before or after the assessment; find a partner who educates you throughout the process, enhancing your security and confidence.

Glossary of Payment and Security Terms

Understanding terminology is crucial for filling out the self-assessment or communicating with your QSA. The PCI Security Council offers a glossary with easy-to-understand explanations of technical terms used in payment security. This resource is free on the PCI Security Council’s website.

Common Payment Systems

For small or first-time merchants, the Common Payment Systems resource on the PCI Security Council’s website is invaluable. It provides real-life visuals to help identify payment systems, associated risks, and protective actions. This tool covers 15 common types of payment card implementations and their risk profiles. This valuable tool is available on the PCI Security Council’s website.

Guide to Safe Payments

The Guide to Safe Payments  explains core concepts, risks, terminology, and protection strategies. It also serves as a hub for other useful PCI documents and tools. This guide is free on the PCI Security Council’s website.

Questions to Ask Your Vendors

To manage service providers and vendors effectively, the PCI Security Council provides Questions to Ask Your Vendors . This resource includes specific questions to ensure vendors protect customer credit card data. It is free and available on the PCI Security Council’s website.

Focus on what matters while we handle your PCI compliance. Contact us today for a quote or to discuss your needs. Call us at (844) 526-2732 or fill out the form below.