PCI DSS Consulting Service

Overview

Card Brands or Acquirers require the entities transferring, processing and/or storing card holder data, Merchants levels, criteria, and related validation requirements are defined according to the volume count of transactions.

Merchant Criteria	Validation Requirements	Certification unit
Level 1 (1) Any merchant, regardless of acceptance channel, processing more than 6,000,000 payment card transactions per year. (2) Any merchant that has had a data breach or attack that resulted in an account data compromise. (3) Any merchant identified by any card association as Level 1	(1) Annual Report on Compliance (ROC) (2) Quarterly network scan by Approved Scan Vendor (ASV). (3) Attestation of Compliance Form	Qualified Security Assessor (QSA) Approved Scan Vendor (ASV)
Level 2 1 million – 6 million (all channels).	(1) Annual Self-Assessment Questionnaire (SAQ). (2) Quarterly network scan by ASV. (3) Attestation of Compliance Form.	Merchant Approved Scan Vendor
Level 3 20,000 to 1 million E-commerce	(1) Annual Self-Assessment Questionnaire (SAQ). (2) Quarterly network scan by ASV. (3) Attestation of Compliance Form.	Merchant Approved Scan Vendor
Level 4 Less than 20,000 E-Commerce	(1) Annual Self-Assessment Questionnaire (SAQ). (2) Quarterly network scan by ASV. (3) Attestation of Compliance Form.	Merchant Approved Scan Vendor

The Standards

The purpose of PCI DSS is to protect the card holder data. The 12 requirements are seen as shell protects to the card holder data.

Virus

ulnerability

Transfer Encryption

Dev

System

Data Security

Monitor

Network Firewall

Access Control

Policy

PCI DSS Compliance Assessment and Consulting Service

The PCI DSS compliance assessment work process flow is as shown below. Normally, the time frame needed from the planning of implementation to completion of assessment, for small and medium organizations, is around 6 to 8 weeks [not including systems development], and 8 to 12 weeks for a large organization.The estimated time including planning, consulting and assessment stages.

Generally speaking, PCI DSS Assessment is a continuous process. Our Consultants and PCI DSS QSA will work with the client organization through the Planning Stage, Implementation Stage, Consulting Stage, and the Assessment Stage.

All processes will be leaded by the PCI DSS QSA to check and review system securities, technical controls, management controls and consultants follow by assistance of fixing the findings of non-compliances.

After successful completion of the assessment, Report of Compliance (ROC) will be prepared and signed off by one of our PCI DSS QSAs, and Attestation of Compliance (AOC) will be prepared by QSA Company which is then signed off by the client’s executive management. The AOC, and sometime together with ROC, is then submitted to the Acquirer or the Card brand to complete the PCI DSS Compliance process.

Implementation Guidance and Highlights

Below are the main elements of assessment :

1. Firewall installation to protect cardholder data

The client organization is required to have installed and properly configured firewall equipment, and related network diagrams, firewall policies and configuration documentation. PCI DSS also mandates at least one DMZ and one Internal Network.

2. Change default system passwords and other parameters

Default accounts, passwords and other relevant security parameters for externally purchased systems, equipment, application software, must be changed prior to the network for live operation.

3. Protection of stored card holder data

The minimization principle should be applied to storage of cardholder data, meaning only the absolute minimum amount of required cardholder data should be stored. All stored cardholder data must have robust encryption to render them unreadable, as well as have comprehensive and strictly enforced access control policies and rules.

4. Transfer of card holder data through open and public networks

If card holder data is necessary to be transmitted through public networks (open and public), it is required to apply strong cryptography and algorism during transmission, to prevent the data being leaked or unauthorized access.

5. Protect IT systems to avoid virus attacks and stay updated on the virus definition codes and programs.

PCI DSS requires installation of Virus Protection software and up-to-date update of the virus definition code. When choosing Virus Protection software, it is strongly recommended to to have Trojan Horse, Spyware and other malware detection capabilities. Generate system and scan logs and review periodically.

6. Develop and maintain secure systems and applications.

It is recommended to apply best practices of secure system developments, e.g. Security Development Life Cycle(SDLC) or OWASP Secure Coding Practices to your in-house-development or outsourced processes. Integrate security controls into the entire software development life cycle. It is also required to have measures in place to deal with the known vulnerabilities of OWASP Top 10.

7. Restrict access to cardholder data on a strict need to know basis

To prevent unnecessary or unauthorized cardholder data access, it is required to limit the access rights to only those who have legitimate business needs for such data. This could be achieved by implementing a robust access control in system and applications levels.

8. Identify and authenticate access to system components

Unique ID must be assigned to every person with permission to access cardholder data. This will enable the tracking and tracing of the responsibilities in the investigation following an information security incident as well as facilitating ongoing monitoring. All passwords for any systems or applications, no matter for transmission or storage, secure protection or encryption are mandatory.

9. Restrict physical access to cardholder data

For the physical access to card holder data or card holder data environment, monitoring and physical access control mechanisms are required for appropriate protection to the environment and systems. All visitor access should be recorded and controlled effectively. The visitor logs should be retained for least three months.

10. Track and monitor all access to network resources and cardholder data

For all cardholder data access activities, it is required to track and monitor the access activities. For monitoring of the system events, it is required to record User identification, Type of event, Date and time, Success or failure indication, Origination of event and the affected data range, system component, resource ID or other identifier.

A 7×24 system and process must be in place to deal with any security breach incidents.

11. Regularly test security systems and processes

Perform annual tests on all security control related mechanisms, measures, and processes to ensure they remain in good order. Perform quarterly internal vulnerability scan. Scans should also be performed following any significant changes to the network or system environment. The external vulnerability scan can only be conducted by a PCI SSC Approved Scan Vendor.

External Penetration Test and internal boundary controls should be tested according to PCI DSS Requirement (External PT for one time per year, and two times Internal PT annually)

12. Maintain a policy that addresses information security for all personnel

An organization is required to establish, publish, maintain and communicate its information security policies to all personnel including relevant external third parties to ensure all personnel understand the responsibilities and importance of information security. Procedures and requirements documents for risk assessments and risk treatments, annual security training requirement, incident response plan should be in place. Drills to test these procedures should be conducted regularly andthe records kept for audit purpose.

Contact Us！

关于我们

联系我们