Safeguard payment card data properly.
Who Needs ItIf your organization stores, processes or transmits payment card data (such as accepting credit card payments), you are required to be PCI DSS-compliant (commonly referred to simply as “PCI compliant”) by the payment brands and your merchant bank. It’s important to understand that failure to comply with the PCI DSS can result in breaches and fines. You may also lose the ability to accept payment cards. There are two primary components to validate your organization’s PCI DSS compliance:
1. Security QuestionnaireAll organizations need to respond to a set of requirements that take the form of a questionnaire. Depending upon your organization’s role and transaction volume, you will need to complete one of the following:
PCI DSS Compliance Assessment
If your organization is a service provider, does extremely high-volume sales or is specifically instructed by your bank or processor, you must undergo a full compliance assessment. This assessment must be performed by a Qualified Security Assessor (QSA), such as Sikich, which results in a Report on Compliance (ROC). The process is similar to undergoing a traditional IT audit.
Self-Assessment Questionnaire (SAQ)
If your organization does not have to undergo a full compliance assessment, you will instead have to complete the appropriate version of the PCI DSS SAQ. Which SAQ is applicable to your organization depends upon how you accept credit card payments. The self-assessment process determines if you are taking the proper precautions to protect cardholder data.
If your organization is able to self-assess, there are a few options for completing your SAQ. The PCI SSC’s website includes information about compliance and the SAQ, and offers the ability to download the various questionnaires for free.
Many organizations find that they need at least some level of guidance while going through the SAQ process. For larger organizations, Sikich works with your team on a personalized basis to interpret and respond to your SAQ. For smaller organizations, Sikich provides a secure web portal to help you determine which SAQ is right for you, complete an enhanced version of the SAQ and get assistance with understanding your requirements along the way.
2. Quarterly Vulnerability Scans
If your systems are connected to the Internet, you are required to have vulnerability scans performed on a quarterly basis. The scans look for weaknesses that an attacker might use to access your systems. An Approved Scanning Vendor (ASV), such as Sikich, must conduct these scans.
Through our secure web portal, your organization is able to set up, manage and review your vulnerability scans. In the event you fail a scan, meaning a security vulnerability is found, your report will contain detailed recommendations to address any issues identified. Once your organization is able to make the appropriate changes to address the discovered vulnerabilities, you can kick off a rescan to see if the changes were effective.
Understanding the Assessment Process
If your organization is required to work with a QSA or you are electing to have an expert by your side to assess and validate your compliance, Sikich assists you with the following three-phase process for your PCI DSS compliance assessment:
- The process starts with pre-assessment consulting that identifies and analyzes your organization’s compliance scope and gaps.
- From there, the assessment gets underway, as we work with your organization to remediate, or reconcile, any issues that exist. Once gaps have been appropriately addressed, we will conduct a validation audit and issue a Report on Compliance (ROC).
- During the post-assessment phase, we review the conclusions with your executive team and provide additional security recommendations. We also do periodic checkups throughout the year to help your organization monitor compliance, which leads to substantial efficiencies in your next annual assessment.
1. Pre-Assessment – Preparing for Compliance
Many organizations find the initial stages of achieving and validating compliance to be the most challenging. To get your organization moving in the right direction, Sikich conducts pre-assessment consulting to analyze the scope of your compliance efforts, as well as identify any potential gaps.
Through a series of conference calls and on-site visits, Sikich works with your team to create a detailed report that outlines findings and recommendations to minimize your scope and address known gaps in compliance. The pre-assessment consulting from Sikich puts your organization in a better position to achieve compliance, saving you both costs and effort.
2. Assessment – Achieving and Validating Compliance
During your assessment, Sikich will work with your team, both on-site and remotely, to perform a specialized IT audit to test the security of your systems, interview key staff members and review your policies and procedures.
Addressing the gaps and vulnerabilities found during an assessment can be time-consuming, frustrating and expensive. Working with our team of experts gives you the technical insight and ability necessary to remediate issues efficiently and effectively.
In addition to performing a full PCI DSS validation audit or assisting you with your SAQ, Sikich helps your organization meet the following PCI DSS requirements.
- Install and maintain a firewall, per Requirement 1:
- 1.1 Establish firewall and router configuration standards
- 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
- 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
- Encrypt non-console administrative access per Requirement 2.3:
- 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
- Identify clear-text cardholder data, per Requirement 3.4:
- 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs)
- Perform a code review, per Requirements 6.3.2 and 6.6:
- 6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
- 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks
- Perform quarterly external vulnerability scanning, per Requirement 11.2.2:
- 11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC).
- Perform penetration testing, per Requirements 11.3 – 11.3.2:
- 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
- 11.3.1 Network-layer penetration tests
- 11.3.2 Application-layer penetration tests
- Install and maintain an intrusion detection/prevention system, per Requirement 11.4:
- 11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.
- Implement security policies and procedures, per Requirement 12:
- 12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
- 12.1.1 Addresses all PCI DSS requirements.
- 12.1.3 Includes a review at least annually and updates when the environment changes.
- Perform a risk assessment, per Requirement 12.1.2:
- 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.
- Conduct security awareness training, per Requirement 12.6.1:
- 12.6.1 Educate personnel upon hire and at least annually.
Once your organization has fully demonstrated compliance, we will submit your completed Attestation of Compliance (AOC) and Report on Compliance (ROC) to the payment card brands or your acquirer, as appropriate.
3. Post-Assessment – Maintain Your Compliance
Achieving compliance at a single point in time during the year can prove to be difficult. Maintaining that level of compliance throughout the year, as required by the PCI DSS, can be even tougher.
To help your organization monitor your compliance throughout the year, Sikich provides quarterly follow-ups after your assessment is completed. Once each quarter, Sikich works with your team to address compliance maintenance efforts, changes in your environment and future plans that may affect your scope. These checkups are helpful reminders that keep your organization focused on its compliance and security throughout the year, rather than just a point in time.
What We Do
Sikich assists your organization with every aspect of PCI DSS compliance. We help you:
- Maximize the return on your security investment
- Understand the PCI DSS and how it applies to your organization
- Work towards achieving, validating and maintaining your compliance
We pride ourselves on being able to help you simplify the process of validating your compliance with the PCI DSS. Our process is scalable for any environment size and knowledge level. Whether you’re an astute network security administrator or a small business owner going through your first security audit, we’ll make the process as painless as possible and be there for you when you need us.
Sikich can guide you through the validation process to get you back to your core competency—running your business. Only now, your organization’s data will be better protected.
Start working toward validating your PCI DSS compliance today.
All it takes is your name and phone number or email address to learn more about our services and expertise. If you’d like, you’ll also be able to send additional details after you submit your information here.