PCI Assessment, Documents and Reports
1. PCI Policies & Procedures
The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the PCI DSS. The policies spell out what your organization will do while the procedures detail how you will do it.
In the event of a PCI Compliance audit, the first things an auditor will inspect are the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific sections in the PCI DSS Requirements and supported by the other reports included with the PCI Compliance module.
2. PCI Risk Analysis
PCI is a risk-based security framework and the production of a Risk Analysis is one of primary requirements for PCI compliance. In fact, a Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic stores of, and/or the transmission of Cardholder Data and vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability.
The Risk Analysis helps Card Processing Merchants and their 3rd party Service Providers to identify the components of the Cardholder Data Environment (CDE), how the data moves within, and in and out of the organization. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Cardholder Data at rest and/or during its transmission.
3. PCI Management Plan
Based on the findings in the Risk Analysis, the organization must create a Risk Management Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, the PCI module provides a risk-scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources and ensure that issues identified are solved. The Risk Management plan defines the strategies and tactics the organization will use to address its risks.
4. Evidence of PCI Compliance
Just performing PCI-compliant tasks is not enough. Audits and investigations require evidence that compliance tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user and computer information, and other source material to support your compliance activities. When all is said and done, the proof to proper documentation is accessibility and the detail to satisfy an auditor or investigator included in this report.
5. External Network Vulnerability Scan Details
Detailed reports showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.
6. Internal Network Vulnerability Scan Details
Detailed reports showing security holes and warnings, informational items including CVSS scores as scanned from inside the target network. Closing internal vulnerabilities helps prevent external attackers, once inside a network, and internal users from exploiting weaknesses typically protected by external firewalls.
7. PCI Pre-scan Questionnaire
This questionnaire contains a list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how facility controls access, firewall information, and application development, to authentication and change management standards.
8. External Port Security Worksheet
This worksheet allows you to document business justifications for all of the allowed ports, the protocol configured to use a specific port, and the documentation of any insecure configurations implemented and in use for a given protocol.
9. Cardholder Data Environment ID Worksheet
The Cardholder Data Environment Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access Cardholder Data. This is an effective tool in developing data management strategies including secure storage and encryption.
10. Server Function ID Worksheet
Per PCI DSS Requirement 2.1.1, only one function per server can be implemented in order to prevent functions that require different security levels from co-existing on the same server. The Service Function Identification worksheet enables you to document server roles (web server, database server, DNS server, etc.) and the functions activated on each server (real/physical or virtual) within the Cardholder Data Environment (CDE).
11. User Identification Worksheet
The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have been terminated and should have had their access terminated can also be identified.
This is an effective tool to determine if unauthorized users have access to protected information. It also is a good indicator of the efforts the organization goes to so terminated employees and vendors have their access quickly disabled.
Another benefit is that you can review the user list to identify generic logons, such as Admin, Billing Office, etc., which are not allowed by PCI since each user is required to be uniquely identified.
12. Necessary Functions Worksheet
For each server in the Cardholder Data Environment (CDE), this worksheet presents startup applications, services, and other functions, allowing you to identify functions which are unnecessary for the server to fulfill its primary function.
13. Antivirus Capability Identification Worksheet
This worksheet enables the PCI readiness specialist to inspect and document the features and capabilities Antivirus Software deployed on computers throughout network both in and out of the Cardholder Data Environment (CDE).
14. PAN Scan Verification Worksheet
The Deep Scan includes a Personal Account Number (PAN) scanner. The results of the PAN scan are presented in this worksheet, allowing you the opportunity to investigate and verify if the detected numbers are truly an identifying account number/credit card.
15. Compensating Controls Worksheet
PCI allows compensating controls to be put in place to mitigate potential security issues in the environment. All discovered issues are presented in this worksheet to allow you to document the compensating controls that may be in place.
16. PCI Layer 2/3 Diagram
This diagram shows the various components discovered along with their Layer 2 and Layer 3 connections. Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted. Having a representation of the components in the CDE along with their connectivity to the global network is a requirement of PCI.