PCI Data Security Standards

If you store, process or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of security rules designed to curb the costly breaches and theft that affect the whole industry.

LBMC Cybersecurity offers a complete set of payment-related data security services to help you achieve and demonstrate PCI compliance. As a certified PCI Qualified Security Assessor (QSA), our experts can help you navigate the maze of requirements, offering practical solutions to help you achieve and maintain compliance. Our team also takes a long-term partnership approach, because we know how important it is to have a reliable and consistent QSA. Our notably low turnover sets us apart from other firms, giving you the same QSA year after year.


PCI Standards Services

PCI Audit and Report on Compliance

While only Level 1 merchants and service providers (e.g., big-name chain merchants) must submit a QSA-led Report on Compliance, your acquirer can require a Report on Compliance regardless of your company's size. We lead you through the entire process, from scoping and segmentation, through the audit itself, to delivering the complete final Report on Compliance (ROC) and Attestation of Compliance (AOC) to the relevant parties. If other frameworks also apply to you, we can offer an "audit once, report many" approach.

PCI Gap Analysis

We review the PCI compliance work performed to date, give clear and insightful guidance on scope reduction, interview key staff, perform testing procedures, and provide you with an actionable list of remediation steps to prepare you for a PCI audit or Self-Assessment Questionnaire.

ASV Quarterly Scanning

PCI DSS Requirement 11.2.2 (v3.2.1 numbering) requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); the companion Requirement 11.2.1 covers the quarterly internal scans, which do not need an ASV. LBMC Cybersecurity's ASV service includes a year of unlimited scans using an industry-leading scan engine, a secure portal for completing the relevant self-assessment questionnaire, scheduling and administration of your scans, and electronic filing with acquiring banks if desired. The client can use the ASV system on demand at any time.

SAQ-D Completion

LBMC Cybersecurity can conduct interviews and walkthroughs to assist in completing PCI DSS Self-Assessment Questionnaire D (SAQ-D). We then work with the client to make sure the cardholder data environment has been identified correctly and the appropriate SAQ-D form is completed.

PCI Flash Assessment

Our team of PCI experts performs a rapid assessment that gives you a roadmap through a personalized PCI compliance strategy, with a focus on helping you determine PCI scope and segmentation.

PCI Consulting (Virtual QSA)

Through education from a senior-level PCI Qualified Security Assessor, you receive the expert advice you need on PCI compliance. With our PCI consulting services, you get timely answers and solutions for current projects that may affect your PCI compliance, while paying only for the time you need.

PCI and Web Application Security Penetration Testing

Penetration testing addresses PCI DSS Requirement 11.3. Our methodology, scope, and reporting process are aligned with the PCI DSS requirements for penetration testing, including the requirement to validate the CDE boundary (segmentation) controls. Through this testing, our team assesses your susceptibility to attack.

We also perform a "gray-box" (i.e., without access to the source code) web application security assessment of your web applications to determine whether someone could compromise the application itself or the data it holds. This evaluates the application's security by searching for vulnerabilities that an attacker could exploit. This testing supports compliance with PCI DSS Requirement 6.6, which can be satisfied either by such an assessment (at least annually and after any change) or by an automated technical solution such as a web application firewall in front of the public-facing application.

Card Data Discovery

With the ability to scan files and data stores, our team can help you meet the PCI requirement to identify all stored card data, with the option to expand the discovery to PII and/or ePHI.

PCI Training and Education

Training staff on PCI security (and security awareness in general) is critical to improving your organization's security posture and reducing the risk to cardholder data. Our team can help your staff succeed through education and training, reducing your susceptibility to people-based attacks.

Readiness Assessment: PCI Compliance Requirements

Even if you've already completed a self-assessment questionnaire, even if you believe in your heart of hearts that you're compliant, it's wise to have security professionals perform at least one readiness assessment. This process helps you verify that you have interpreted the PCI DSS rules correctly and that your assumptions are well founded. Often, merchants unknowingly and unintentionally misinterpret the PCI compliance guidance and misrepresent their compliance.

What is a readiness assessment?

A readiness assessment helps you self-assess with more confidence in the future and helps you learn more about how and why the security measures work. Often, a readiness assessment reveals opportunities to manage security more reliably and more economically going forward.

Three Steps of a Readiness Assessment

  1. Figure out where cardholder data is stored, processed, or transmitted in your environment. Where in your business process is data captured, and how is it handled? An assessor will follow the flow of card data through your network, whether it travels to a database or a third-party site. They will also search thoroughly for card data in unexpected places: sitting in spreadsheets on a file share, or hanging out on your email system.
  2. Define the scope for PCI compliance. Everywhere card data goes, PCI DSS is the rule of the land. The reverse is largely true as well: PCI does not care about systems that never touch card data, with the important qualification that systems connected to, or able to affect the security of, the cardholder data environment remain in scope unless they are properly segmented from it. So once you've followed the data, you can determine which systems are subject to the DSS rules and which you don't need to worry about, at least as far as compliance is concerned. This information can guide your action plan and save you time and money.
  3. Identify gaps between your scope and the requirements. Once you know exactly which portion of your environment is subject to PCI DSS, you can compare the rules to the reality. In a readiness assessment, this typically means a series of interviews, inspections, and process walkthroughs, validating that all the necessary controls are in place.
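As an added illustration of what step 1 and the Card Data Discovery service above actually do (this is example code, not LBMC's tooling or anything from the original page), here is a minimal card-data discovery pass in Python. It pulls 13- to 19-digit candidates out of text, keeps only those that pass the Luhn mod-10 check that every payment card number satisfies, and reports each hit masked to its last four digits so the findings report does not itself become a new store of cardholder data. The sample records are constructed; 4111 1111 1111 1111 is a widely used Luhn-valid test number, not a real account, and the other numbers are deliberately not Luhn-valid.

```python
import re

# Constructed sample input: the kinds of places a readiness assessment looks
# for stray PANs (a spreadsheet export on a file share, an email body, an
# application log). 4111111111111111 is a well-known Luhn-valid test number,
# not a real account; the other numbers are deliberately not Luhn-valid.
SAMPLE_LINES = [
    "customer,order,card\nJane Doe,10045,4111 1111 1111 1111",
    "Subject: refund - card 4111-1111-1111-1112 please process",  # fails Luhn
    "order_id=1234567812345678 status=shipped",                   # fails Luhn
    "Support: call 615-555-0100",                                 # too short
]

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    doubled values above 9 have 9 subtracted, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be shared safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (masked PAN, character offset) for each Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits


def scan_lines(lines) -> list:
    """Scan a sequence of text records and return one finding per PAN found."""
    findings = []
    for idx, text in enumerate(lines):
        for masked, offset in find_pans(text):
            findings.append({"record": idx, "offset": offset, "pan": masked})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"record {f['record']} offset {f['offset']}: {f['pan']}")
```

Two practitioner caveats. Luhn is a checksum, not an identifier: roughly one in ten random 16-digit strings passes it, so a real discovery run pairs this check with issuer prefix ranges and context (column names, surrounding text) to cut false positives, and still expects a human to review the hits. And because the scanner reads full PANs, the host it runs on and any output it writes are themselves in scope; that is why the code never emits more than the last four digits.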

When we perform readiness assessments at LBMC, we see certain common pitfalls that we take care to address. For example, PCI requires businesses to perform quarterly internal vulnerability scans, which means scanning for missing patches, default passwords, and other weaknesses that thieves or malware can easily exploit.

When a scan finds a weakness, you need to review and remediate the findings rated high risk. Then you should run another scan to show that the problem has been resolved. Often, merchants run the scan but don't read it. Or if they read it, they don't clean up the problem. Or if they fix the problem, they don't run the scan again and don't document the success.

For every PCI rule (or "control"), you must have documentation that accounts for whether the requirement is met. This is an easy and common rule to fall down on. So we sit down with merchants and look at their past scans and their documentation. Then we go through the self-assessment questionnaire with them to find the true answer to each question. This helps them accurately and confidently answer "yes" on each control.

LBMC Cybersecurity reviews compliance efforts, can test to confirm compliance, and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us.

Client Testimonial

"Working with LBMC on PCI compliance has helped us deliver a more secure product to our insurance clients."
Senior Manager of Information Security Audit at a leading software company

PCI Compliance Audit: Streamlining the Report on Compliance

As a Qualified Security Assessor, we have identified a few steps that make a PCI compliance audit run as smoothly as possible for merchants.

3 Steps to a Successful PCI Compliance Audit

  1. Identify a collaborative QSA. For the process to be as efficient as possible, it needs to be a collaborative one. Try to identify and work with a QSA that has a deep understanding of your business environment. The QSA should also be able to explain its fieldwork protocol clearly.
  2. Get the documents in order. The Report on Compliance requires documentation for every control, which really adds up to a considerable amount of documentation. Look for your QSA to give you plenty of time to gather the documents. Six weeks is an appropriate amount of lead time.
  3. Talk ahead of time. The QSA should schedule interviews with your key people a few weeks before coming on site, so they are aware of the time your staff will spend collecting the data they need. Regular communication is fundamental, so that when the QSA identifies areas of noncompliance, you can address them as quickly as possible. As long as an issue is addressed before the QSA writes its report, you should get credit for compliance. Make sure you have a key internal contact who manages potential issues on an ongoing basis and handles the requests for artifacts or documentation coming from your QSA. The partner you don't want is a QSA that flies out an assessor to spend a week on site, never speaking to you before or after. Make sure you find a partner who can educate you throughout the process, helping to strengthen your security and your confidence.

Penetration Testing and PCI Compliance Requirements

For every organization subject to PCI DSS, this means demonstrating compliance annually and performing regular security testing, sometimes self-administered and sometimes performed by a third party as part of a PCI compliance audit. One of these important tests is called a "penetration test," and it offers some useful insight into how and why PCI DSS works.

What is a penetration test?

On one level, it's a network attack like any other, but this "attack" is carried out by you or by a third-party security partner with the goal of exposing exploitable weaknesses. Make no mistake: it is a full-blown attempt to break into your systems and get at credit card data. At its most effective, a penetration test simulates the full range of attacks, from malware to human hackers, and details whether your defenses stand or fall.

PCI requires one of these tests to be conducted at least annually and after any significant change to the environment. It doesn't have to be done by a third party, although the tester must be organizationally independent of the systems under test, and most organizations find that they want to use a partner. That partner can provide an objective view unbiased by prior knowledge of the system, and they bring expertise in the most common attack techniques, so they can carry out the same activities the bad guys will, giving you the most relevant picture of your susceptibility. Because they don't have extensive familiarity with your particular network environment, including its specific strengths and weaknesses, they bring a genuine intruder's perspective.

An authentic intruder's perspective is essential. A penetration test isn't just kicking the tires of your system; it also takes it out for a drive and makes sure it can handle the rigors of the road, including the dangerous curves of real intruders and real malware. In the past, some "do-it-yourself" businesses have downloaded crude, unreliable "penetration testing tools" from the internet to satisfy this PCI DSS requirement. An automated vulnerability scan on its own, however capable the scanner, does not meet the penetration testing requirement: scanning identifies candidate weaknesses, while a penetration test attempts to exploit them and shows what an attacker could actually reach.


Cybersecurity Sense Podcast: PCI Pen Testing

In this episode, Bill Dean and Stewart Fey discuss penetration testing for PCI compliance. Learn the difference between a penetration test and a vulnerability assessment, and what is needed to meet the requirements for PCI compliance.

Tools for Maintaining PCI Compliance

Glossary of Payment and Security Terms

Without an understanding of the terminology, it can be hard to complete a self-assessment or communicate with a Qualified Security Assessor (QSA). The PCI Security Standards Council (PCI SSC) created a glossary of easy-to-understand explanations of the technical terms used in payment security. For those responsible for completing a self-assessment or communicating with a QSA, PCI DSS requirements and terminology no longer sound like a foreign language. This resource is free from the PCI SSC website.

Common Payment Systems

Another great resource for small merchants, first-time merchants, or merchants trying to mature their PCI DSS understanding is the Common Payment Systems resource on the PCI SSC website. This resource is a set of real-world visuals that help identify the type of payment system a small business uses, the kinds of risks associated with that system, and the actions they can take to protect it. It covers a variety of credit card payment implementations common across many industries. The most important takeaway from this toolset is that PCI environments and business implementations are not "one size fits all." This excellent resource covers not only 15 common types of payment card implementations but also their risks, threats, and protections. Each system also has an easy-to-understand graphic of its risk profile. This valuable tool is also free from the PCI SSC website.

Guide to Safe Payments

The Guide to Safe Payments not only does a terrific job of explaining core concepts, risks, terminology, and protection strategies, it also serves as a valuable pointer to other useful PCI documents and tools. And, guess what? It too is free from the PCI SSC.

Questions to Ask Your Vendors

To help you engage and manage service providers and vendors properly, the PCI SSC created another (you guessed it) free resource. Questions to Ask Your Vendors provides a specific set of questions to ask vendors to make sure they are protecting your customers' credit card data. You should only work with vendors and service providers who understand and accept their responsibility to protect cardholder data as described in PCI DSS. PCI DSS Requirement 12.8 formalizes this: keep a list of your service providers, obtain their written acknowledgment of responsibility for the cardholder data they handle, and monitor their compliance status at least annually.

Cybersecurity Sense Podcast: New Tools for PCI Compliance

In this podcast, LBMC's Bill Dean and John Dorling discuss some of the tools available to help merchants trying to achieve PCI compliance.

Executive Team

Stewart Fey

Shareholder, Cybersecurity

Nashville

Drew Hendrickson

Shareholder & Practice Leader, Cybersecurity

Nashville