A PCI Compliance Assessment from PerformanceIT will tell you whether or not your business is operating in accordance with the Payment Card Industry Data Security Standard (PCI DSS). If it is not, we will outline what you need to do to become compliant with the PCI DSS.
After our assessment is complete, you will have documented evidence showing that you have taken the measures needed to become PCI compliant.
Included in the PCI Compliance Assessment:
PCI Policies & Procedures Document
Shows how to best comply with standards established by the PCI DSS.
PCI Risk Analysis Report
Identifies where cardholder data is stored electronically, how it is transmitted across your network, and the security vulnerabilities present, and estimates the likelihood of an attack and the level of impact each threat could have on your systems.
- The Risk Analysis is the foundation of your entire security program and a primary requirement for becoming PCI compliant (PCI DSS Requirement 12.2 calls for a formal risk-assessment process).
- A Risk Analysis should be done at least once a year and again after any significant change to the environment (for example, a new payment application, a merger, or a relocation).
PCI Risk Profile Report
Provides interim reporting in a streamlined manner.
- Abbreviated version of the Risk Analysis.
PCI Risk Management Plan
Uses the findings from the Risk Analysis to outline tasks that must be done to minimize, avoid, or respond to current and possible risks.
Evidence of PCI Compliance
Performing PCI-compliant tasks is not enough. Auditors will ask for evidence proving that compliant tasks have actually been carried out to completion.
Compliance Evidence includes:
- Log files
- Patch analysis
- User and computer information
- Other source material supporting your compliance activities
NOTE: Be sure to hold on to this documentation for at least 6 years. (PCI DSS itself requires audit logs to be retained for at least one year, with three months immediately available for analysis, under Requirement 10.7; keeping assessment evidence longer lets you show a continuous history of compliance across annual cycles.)
PCI Pre-Scan Questionnaire
Contains a list of questions about the physical and technical security of your systems that cannot be answered by automated scanning alone.
- How physical access to facilities is controlled
- Firewall information
- Application development
- Authentication processes
- Change management standards
External Port Security Worksheet
Documents the business justification for every allowed port and protocol, the protocol configurations in use, and any insecure configuration (for example, services that are permitted without encryption). PCI DSS Requirement 1.1.6 requires this documentation, including the security features implemented for any protocol considered insecure.
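The worksheet is, in practice, a reconciliation of the firewall rule set against a written justification for each rule. The script below is an added example (not PerformanceIT's tooling) of that check: it walks a constructed rule set and flags rules with no documented justification, rules that expose a cleartext service such as FTP or Telnet, and "any/any" rules that admit all traffic. The rule format and the INSECURE_SERVICES table are assumptions for the example.

```python
"""Added example: flag firewall rules that need attention on an External Port
Security Worksheet (PCI DSS 1.1.6 justification, 1.2.1 restrict to necessary).
The rule set and the insecure-service table are constructed for this example."""

# Ports whose usual service carries credentials or data in cleartext; a rule
# allowing one of these must document the compensating security features.
INSECURE_SERVICES = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext session)",
    69: "TFTP (no authentication)",
    161: "SNMP v1/v2c (community string in cleartext)",
}

ANY = "any"

# Constructed inbound rule set as it might be exported from a perimeter firewall.
RULES = [
    {"id": 1, "src": "0.0.0.0/0", "dst": "10.0.1.10", "port": 443, "proto": "tcp",
     "justification": "Public checkout site (HTTPS)"},
    {"id": 2, "src": "10.0.9.0/24", "dst": "10.0.1.10", "port": 22, "proto": "tcp",
     "justification": "Admin SSH from jump-host subnet only"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.0.1.20", "port": 21, "proto": "tcp",
     "justification": "Legacy file drop for settlement reports"},
    {"id": 4, "src": "10.0.2.0/24", "dst": "10.0.1.30", "port": 5432, "proto": "tcp",
     "justification": ""},
    {"id": 5, "src": "0.0.0.0/0", "dst": "10.0.1.40", "port": ANY, "proto": ANY,
     "justification": "Temporary vendor access"},
]


def review_rule(rule):
    """Return the list of findings for one rule (empty list means the rule is documented and tight)."""
    findings = []
    if not rule["justification"].strip():
        findings.append("no business justification documented (Req 1.1.6)")
    if rule["port"] == ANY or rule["proto"] == ANY:
        findings.append("any-port/any-protocol rule: traffic is not restricted to what the CDE needs (Req 1.2.1)")
    elif rule["port"] in INSECURE_SERVICES:
        exposure = "from the Internet" if rule["src"] == "0.0.0.0/0" else f"from {rule['src']}"
        findings.append(f"insecure service {INSECURE_SERVICES[rule['port']]} allowed {exposure}: "
                        "document security features or remove the rule (Req 1.1.6)")
    return findings


def review_rules(rules):
    """Map rule id -> findings, only for rules that have at least one finding."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in review_rules(RULES).items():
        for f in findings:
            print(f"rule {rule_id}: {f}")
```

Rules 1 and 2 pass; rule 3 is flagged for FTP exposed to the Internet, rule 4 for a missing justification, and rule 5 for allowing any port and protocol. The worksheet entry for each flagged rule is then either a documented justification and security feature, or a change ticket to remove the rule.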
Cardholder Data Environment ID Worksheet
Identifies the devices that store or have access to cardholder data.
- Helps businesses develop better data management strategies.
Server Function ID Worksheet
Allows us to document server roles (web server, database server, DNS server, etc.) and the functions enabled on each server, physical or virtual, within the Cardholder Data Environment (CDE).
- As per PCI DSS Requirement 2.2.1, only one primary function may be implemented per server, to prevent functions that require different security levels (for example, a web server and a database server) from co-existing on the same server. Where virtualization is used, the same rule applies to each virtual system component.
User Identification Worksheet
Determines whether unauthorized users have access to protected information.
- Identifies whether each user is an employee, a vendor, or a service account.
- Identifies users whose access should already have been terminated (for example, former employees or vendors whose contract has ended) but whose accounts are still enabled, as well as accounts that have gone unused for more than 90 days (PCI DSS Requirements 8.1.3 and 8.1.4).
Necessary Functions Worksheet
Presents the startup applications, services, and other functions enabled on each server in the Cardholder Data Environment (CDE).
- Allows us to identify functions that are unnecessary for the server to fulfill its primary function, which PCI DSS Requirement 2.2.2 requires to be disabled or removed.
Antivirus Capability ID Worksheet
Presents the features and capabilities of the antivirus software deployed on computers throughout the network, both inside and outside the Cardholder Data Environment (CDE), as required by PCI DSS Requirement 5.
PAN Scan Verification Worksheet
Determines whether the numbers found by an automated scan are genuine primary account numbers (PANs) rather than false positives such as order numbers, phone numbers, or other digit strings.
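An automated PAN scan produces candidate digit strings; verification is what separates real card numbers from noise. The script below is an added example (not PerformanceIT's scanner) of the usual two-stage check: a Luhn checksum, then a card-brand prefix and length check, because a surprising number of unrelated identifiers happen to pass Luhn on their own. Confirmed PANs are reported masked to the first six and last four digits, the maximum PCI DSS Requirement 3.3 permits for display. The sample text is constructed and uses only the publicly documented test card numbers.

```python
"""Added example: verify candidate PANs from a scan and report them masked.
Sample text, brand table, and regular expression are constructed for this example."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix and permitted PAN lengths for the major brands.
BRANDS = [
    ("Visa",             re.compile(r"^4"),                                        {13, 16, 19}),
    ("Mastercard",       re.compile(r"^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))"), {16}),
    ("American Express", re.compile(r"^3[47]"),                                    {15}),
    ("Discover",         re.compile(r"^(6011|65)"),                                {16}),
]


def luhn_ok(digits):
    """Luhn mod-10 checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits):
    """Return the brand name if prefix and length match a known issuer, else None."""
    for name, prefix, lengths in BRANDS:
        if prefix.match(digits) and len(digits) in lengths:
            return name
    return None


def mask(digits):
    """Keep at most the first six and last four digits (Req 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (brand, masked_pan) for every verified PAN in the text, in order found."""
    confirmed = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        brand = classify(digits)
        if brand is None:
            continue        # Luhn-valid but no issuer matches: treat as a false positive
        confirmed.append((brand, mask(digits)))
    return confirmed


# Constructed sample of text a scanner might pull from a file share.
SAMPLE = """Order 1234567890123 shipped to 555-0123-4567-890.
Card on file: 4111 1111 1111 1111 exp 12/26
Backup contact 378282246310005 (amex)
Invoice ref 5555-5555-5555-4444"""

if __name__ == "__main__":
    for brand, masked in find_pans(SAMPLE):
        print(f"{brand}: {masked}")
```

Of the five candidates in the sample, the order number fails Luhn, and the tracking-style number 55501234567890 passes Luhn but matches no issuer at its length, so both are discarded; the Visa, American Express, and Mastercard test numbers are confirmed and written to the worksheet masked. Keeping the full PAN out of the report matters: the verification worksheet is itself evidence that auditors will retain, and it must not become another unprotected store of cardholder data.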
Compensating Controls Worksheet
Shows the requirements that cannot be met as written and the compensating controls that may be put in place instead.
- PCI DSS allows a compensating control where a legitimate technical or business constraint prevents meeting a requirement as stated, provided the control meets the intent and rigor of the original requirement and is documented and reviewed as part of the assessment.
PCI Layer 2/3 Diagram
Shows the components discovered on the network along with their Layer 2 (switching) and Layer 3 (routing) connections.
- Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted.
- A current diagram of the CDE components and their connectivity to the rest of the network and to the Internet is required by PCI DSS (Requirement 1.1.2), together with a diagram of cardholder data flows (Requirement 1.1.3).