The best practices our experts have come up with to comply with the technical requirements of PCI. The policies are what your organization does, while the procedures detail how you do it. In an audit, this is usually the first document requested by the examiner.
A list of issues to remediate to ensure the security and confidentiality of Cardholder Data. Run the Risk Analysis at least once a year, or when any significant changes could affect one or more system components.
Includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof of proper documentation is in the underlying supporting information!
Shows security holes and warnings, and informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.
Report shows security holes and warnings, and informational items including CVSS scores as scanned from inside the target network. Closing internal vulnerabilities helps prevent external attackers and internal users from exploiting weaknesses typically protected by firewalls. (This report requires a subscription to Network Detective Inspector.)
A list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from facility access to firewall information to application development to authentication and change management standards.
This worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access Cardholder Data. This is an effective tool in developing data management strategies including secure storage and encryption.
Only one function per server can be implemented to prevent functions that require different security levels from coexisting on the same server. The Service Function Identification documents server roles (web server, database server, DNS server, etc.) and the functions activated on each server (real/physical or virtual) within the Cardholder Data Environment (CDE).
The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have had their access terminated can also be identified. Determine whether unauthorized users have access to protected information.
For each server in the Cardholder Data Environment (CDE), this worksheet presents startup applications, services, and other functions, allowing you to identify functions which are unnecessary for the server to fulfill its primary function.
This worksheet enables the PCI readiness specialist to inspect and document the features and capabilities of the Antivirus Software deployed on computers throughout the network, both in and out of the Cardholder Data Environment (CDE).
The Deep Scan includes a Personal Account Number (PAN) scanner. The results of the PAN scan are presented in this worksheet, allowing you the opportunity to investigate and verify if the detected numbers are truly an identifying account number/credit card.
PCI allows compensating controls to be put in place to mitigate potential security issues in the environment. All discovered issues are presented in this worksheet to allow you to document the compensating controls that may be in place.
PCI Layer 2/3 Diagram: Requires the Network Detective Inspector
This diagram shows the various components discovered along with their Layer 2 and Layer 3 connections. Systems and devices that are part of the Cardholder Data Environment (CDE) are highlighted. Having a representation of the components in the CDE along with their connectivity to the global network is a requirement of PCI.
Generated by an Approved Scan Vendor, the PCI Attestation serves as your certificate or proof that the Host/IP address has passed the PCI-DSS standards for external vulnerabilities. The Attestation is available for a small, additional charge.