Preparing for PCI DSS Certification
The Payment Card Industry Data Security Standard (PCI DSS – https://www.pcisecuritystandards.org) is a set of security requirements for businesses that process payment and credit card data.
To ensure a consistently high level of security across the industry, a single uniform standard was created – the Payment Card Industry Data Security Standard.
Businesses that accept card payments or conduct e-commerce activities are obliged to conduct annual audits to confirm compliance with the standard. The requirements apply to payment processing, infrastructure and consumer payment information.
The standard applies to payment service providers, merchant-service units and banks. The consequences of non-compliance with its requirements are:
- Lack of payment card capabilities,
- Business and financial complications.
Organizations that require compliance with the standard include Visa International, MasterCard, American Express, JCB International and Diners Club International.
The standard strictly defines the requirements that must be met by entities involved in the processing of payment card data. Compliance with the PCI DSS standard confirms that an organization maintains the highest level of security in its payment processing.
nFlo offers a PCI DSS compliance audit of systems. We perform security testing of infrastructure and applications, identify risks and deliver a report with recommendations that lead to compliance with the standard. Our consultants can also lead the project of bringing the environment into compliance with the requirements of the standard and obtaining certification in this area.
Service Description:
Preparing infrastructure for a PCI DSS audit is based on the requirements of the PCI DSS standard for processing, storing and transmitting card data. Drawing on several years of experience as a PCI DSS QSA auditor, we prepare the systems, processes and applications for these requirements, so that the audit runs smoothly and the systems meet the standard.
The security review against PCI DSS requirements covers all layers of the security of processes that handle card data:
- organizational,
- process,
- technical.
The approach to infrastructure analysis is based on our experience as a PCI DSS QSA auditor and on how infrastructure reviews are performed during audits.
As part of the work, the PCI DSS infrastructure verification is carried out. At a minimum, this includes the following activities:
- Analysis of the documentation of processes that support the security of the card data being processed,
- Verification of the configuration of servers, applications and supporting security applications against the requirements of the PCI DSS standard,
- Analysis of the placement of security controls in the card infrastructure network,
- Analysis of documentation and processes based on information provided by your employees.
Our methodology for preparing infrastructure for a PCI DSS audit involves conducting the work in the following steps:
- Step 1 – preliminary analysis to identify the main business processes, the sites where card data is processed, the IT systems used, and the organizational, process and technical solutions already implemented,
- Step 2 – identify the safeguards implemented to protect the organization’s card data processing resources and verify their completeness against PCI DSS requirements,
- Step 3 – implement the processes, configuration changes and documentation required by the PCI DSS standard,
- Step 4 – perform penetration testing and vulnerability testing of systems on internal and external networks, and prepare the infrastructure for PCI ASV scanning,
- Step 5 – perform a final PCI DSS audit from the point of view of a PCI DSS QSA auditor,
- Step 6 – assist during the PCI DSS audit, working with the PCI DSS QSA auditor to meet PCI DSS infrastructure requirements.
The work at the technical layer is carried out on the basis of an analysis of the documentation of the systems in scope, as well as by reviewing selected configurations.
We expect you to provide the necessary information on the solutions being analyzed, including technical documentation and network diagrams, and to allow meetings with those responsible for maintaining the various components of the systems.
The analysis of the security architecture of the card environment is carried out from the perspective of risk identification and risk analysis for the technological processes.
As part of the work, we verify the adequacy and completeness of the security controls implemented in the ICT infrastructure against PCI DSS requirements. At a minimum, this includes the following activities:
- Analysis of the current organizational structure for the PCI DSS security area,
- Verification of the current processes that support the security of the environment, including:
  - Risk management,
  - Access control for systems that process card data,
  - Incident management,
  - Change and configuration management,
  - Malware protection,
  - Vulnerability management of systems that process card data,
  - Business continuity plans,
- Analysis of the systems security architecture,
- Analysis of the network architecture based on documentation and information provided by your employees,
- Analysis of how production environments are separated and how access to them is secured,
- Analysis of the monitoring tools used for card systems,
- Review of the function and effectiveness of the security infrastructure components in use,
- Analysis of the documentation of the software and solutions that secure the card environment.
Customer benefits:
Customers gain professional support in making their systems PCI DSS compliant, minimizing risk and increasing the chances of passing a formal certification audit.
For whom it is intended:
The service is dedicated to organizations processing payment card data that need support in preparing for PCI DSS certification.
Contact:
Contact us to discover how our end-to-end IT solutions can revolutionize your business, increasing security and efficiency in every situation.