PCI DSS Compliance Assessments
Attain or confirm your PCI DSS readiness
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide security standard that many credit and payment card brands are requiring companies to be compliant with if they plan on processing payments.
All companies storing, processing or transmitting cardholder data of almost any major payment card brand must be compliant, and those who are found to be non-compliant risk being subject to fines or expensive and lengthy audits, and sometimes even losing their ability to process these card payments.
Companies are required to validate their PCI DSS compliance annually, but even with these controls in place, PCI-compliant companies have still suffered a leak of cardholder data. These leaks have proven to be disastrous, leading to negative publicity, large fines and other penalties, loss of trust, and sometimes threatening the existence of the organization.
Network Architecture Review
- Determine if cardholder data is being transmitted, protected, and stored appropriately
- Review current network diagrams to identify where cardholder data originates and where it is transmitted
- Identify potential weaknesses where breaches may originate
Recommend network architecture improvements when relevant to PCI standard
System and Device Configuration Review
- Review configuration of key systems and network devices
- Determine if weaknesses exist in current configuration
- Conduct firewall, system logging, and change management
- Determine where improvements can be implemented
- Review existing security policies to see if they are repeatable and accountable
- Ensure information contained in security policies meets PCI requirements
- Interview and conduct test cases to determine if awareness level exists at user level, and how effective policies are
Physical Security Review
- Onsite visit to review physical security of the organization and
- Conduct walkthrough of facility
- Review authorization, access control, monitoring, logging and storage policies
- Execute a variety of automated and manual assessment activities to identify vulnerabilities
- Use data from automated scans to identify and attempt to gain access to key systems using a variety of commercial and publicly available exploits
- Background describing project history
- Objectives of assessment and business driver behind the project
- Description of Scope of Work
- Approach used to conduct the assessment
- Risk Analysis summary
- Vulnerability Assessment summary
- An overview of compliance for each PCI control requirement
- General recommendations summarized from detailed findings
- Project team utilized during the engagement
Detailed breakdown of each control for twelve PCI requirements presented in a matrix.
Detailed Analysis of Requirements
Presentation of test cases and results, and recommendation for identified weaknesses.
Penetration Testing Results
Detailed analysis of penetration testing activities, summary of exploit attempts and access obtained, screenshots and illustrations as evidence.