General Masters, Inc.®

IT Audit Outsourcing. Internet Security Tools. PCI Compliance. IT Management Consulting. Quality Assurance. MPLS & Business Internet. BPO

PCI Compliance Services

Payment Card Industry Assessment, Consulting, Reviews and Monitoring Services

 

As an advanced technology, IT auditing, and security consulting company, we are uniquely positioned to address all Payment Card Industry Data Security Standard (PCI DSS) compliance needs, because everything the PCI DSS requires falls within our existing service offerings. We have the technical know-how and readily available resources to address your immediate needs. We are a PCI Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), as required by the PCI Security Standards Council. We offer the following PCI-specific technical and consulting services:

 

  • Participation in new application, hardware, and operating system projects to ensure they are PCI DSS compliant.
  • PCI DSS compliance readiness services based on the 12 PCI DSS requirements.
  • PCI DSS compliance review and certification against the 12 requirements.
  • Gap analysis and vulnerability assessment of your computing environment.
  • On-site PCI data security audits.
  • Remediation assistance.
  • Internal network security scans and penetration testing services.
  • PA-DSS secure code audits.
  • Ongoing monitoring and continuous audit.
  • Issuance of compliance reports to payment card industry members, merchants, and service providers that are required to achieve and maintain PCI compliance.

 

Overview:


The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. It is a standard that all organizations, including online retailers, must follow when storing, processing and transmitting their customers' credit card data. It applies to all organizations that hold, process, or pass cardholder information from any card bearing the logo of one of the card brands. In essence, it affects any company with a merchant identification (ID) number. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, and procedures.


The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.  The mission of the Council is to enhance payment account data security by driving education and awareness of the PCI Security Standards.
The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool.

PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to a third party are not expressly subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. 

 

Overview of Compliance Requirements:

 

To be PCI compliant, companies must use a firewall between any wireless network and their cardholder data environment, use the latest security and authentication mechanisms such as WPA/WPA2, change default settings such as wired privacy keys, and use a network intrusion detection system. Companies must also meet the requirements of PA-DSS. Validation of PCI compliance can be performed either internally or externally, depending on the volume of card transactions the organization handles, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions, based on their merchant level, must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require sign-off by a QSA for submission.

 

Summary of PCI DSS Requirements:

 

The PCI DSS provides a detailed, 12-requirement structure for securing cardholder data that is stored, processed and/or transmitted by merchants and other organizations. By its comprehensive nature, the standard provides a large amount of information about security – so much that some people who are responsible for cardholder data security may wonder where to start the continuous journey of compliance. Toward this end, the PCI Security Standards Council provides the following Prioritized Approach to help stakeholders understand where they can act to reduce risk earlier in the compliance process.

 

No single milestone in the Prioritized Approach will provide comprehensive security or PCI DSS compliance, but working with General Masters will help your organization and stakeholders to expedite the process of securing cardholder data. Our PCI compliance review and consulting services include the testing of the following summarized 12 requirements and more.

 

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

 

  • Establish firewall and router configuration standards that include the following.
  • Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

 

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

 

  • Always change vendor-supplied defaults before installing a system on the network—for example, passwords and simple network management protocol (SNMP) community strings—and eliminate unnecessary accounts.
  • Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for Web-based management and other non-console administrative access.
  • Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

 

Requirement 3: Protect stored cardholder data.

 

  • Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
  • Do not store sensitive authentication data after authorization (even if encrypted).
  • Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
  • Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs).
  • If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
  • Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
  • Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.
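The masking and unreadable-storage rules of Requirement 3, as an added Python example that is not part of the original page: a Luhn check identifies candidate PANs, mask_pan produces the display form (first six and last four digits at most), pan_token renders a PAN unreadable for storage with a keyed one-way hash (one of the methods PCI DSS accepts; the key is an assumption), and scrub_log_line masks any PAN that leaks into a log entry. The sample log lines are constructed.

```python
import hashlib
import hmac
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest replaced by '*'."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Storage form: a keyed one-way hash (HMAC-SHA256) in place of the cleartext PAN.

    A one-way hash based on strong cryptography is one of the methods PCI DSS accepts
    for rendering a stored PAN unreadable. The key (assumed here) must be managed under
    the key-management controls of Requirement 3 and never stored beside the tokens.
    """
    digits = re.sub(r"[ -]", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Mask every Luhn-valid PAN in a log line; other long digit runs are left alone."""
    def _repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_RE.sub(_repl, line)


if __name__ == "__main__":
    # Constructed sample log lines; 4111111111111111 is a well-known test PAN,
    # while 1234567890123456 fails the Luhn check and must not be touched.
    sample = [
        "2010-05-01 12:00:01 checkout user=alice pan=4111111111111111 amount=19.99",
        "2010-05-01 12:00:02 order=1234567890123456 status=ok",
    ]
    for entry in sample:
        print(scrub_log_line(entry))
```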

 

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

 

  • Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
  • Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (e.g., IEEE 802.11i) to implement strong encryption for authentication and transmission.
  • For new wireless implementations, it is prohibited to implement WEP after March 31, 2009.
  • For current wireless implementations, it is prohibited to use WEP after June 30, 2010.
  • Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, and chat).

Requirement 5: Use and regularly update anti-virus software or programs.

 

  • Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
  • Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
  • Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

 

Requirement 6: Develop and maintain secure systems and applications.

  • Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
  • Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2 to address new vulnerability issues.
  • Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices and incorporate information security throughout the software development life cycle.
  • Test all security patches, and all system and software configuration changes, before deployment.
  • Follow change control procedures for all changes to system components.  The procedures must include processes that facilitate effective segregation of duty and system integrity.
  • Develop all Web applications (internal and external, and including Web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.
  • For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure those applications are protected against known attacks.

 

Requirement 7: Restrict access to cardholder data by business need-to-know.

 

  • Limit access to system components and cardholder data to only those individuals whose job requires such access.
  • Establish an access control system for system components with multiple users that restricts access based on a user’s need-to-know and is set to “deny all” unless specifically allowed.

 

Requirement 8: Assign a unique ID to each person with computer access.

 

  • Assign all users a unique username before allowing them to access system components or cardholder data.
  • In addition to assigning a unique ID, employ additional methods to authenticate all users.
  • Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
  • Render all passwords unreadable during transmission and storage on all system components using strong cryptography based on approved standards (defined in PCI DSS Glossary, Abbreviations, and Acronyms).
  • Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

 

Requirement 9: Restrict physical access to cardholder data.

 

  • Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  • Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.
  • Make sure all visitors are handled appropriately in accordance with established policy.
  • Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor’s name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.
  • Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location’s security at least annually.
  • Physically secure all paper and electronic media that contain cardholder data.
  • Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.
  • Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).
  • Maintain strict control over the storage and accessibility of media that contains cardholder data.
  • Destroy media containing cardholder data when it is no longer needed for business or legal reasons.

 

Requirement 10: Track and monitor all access to network resources and cardholder data.

 

  • Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
  • Implement automated audit trails for all system components to reconstruct events.
  • Record critical audit trail entries for all system components for each event.
  • Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
  • Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

 

Requirement 11: Regularly test security systems and processes [Monitoring].

 

  • Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
  • Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
  • Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a Web server added to the environment).

 

Requirement 12: Maintain a policy that addresses information security for employees and contractors [IT Security Governance].

 

  • Establish, publish, maintain, and disseminate a security policy.
  • Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
  • Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), email usage and internet usage) to define proper use of these technologies for all employees and contractors.
  • Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
  • Assign to an individual or team specific information security management responsibilities.
  • Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
  • Screen potential employees (see definition of employees above) prior to hire to minimize the risk of attacks from internal sources.
  • If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
  • Create the incident response plan to be implemented in the event of system breach.
  • Test the plan at least annually (proactively).
  • Designate specific personnel to be available on a 24/7 basis to respond to alerts.
  • Provide appropriate training to staff with security breach response responsibilities.
  • Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
  • Develop process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

Requirement A.1: Shared hosting providers must protect the cardholder data environment.

 

  • Protect each entity’s (that is merchant, service provider, or other entity) hosted environment and data.

 

 

You must be proactive!

 

PCI DSS compliance is an ongoing exercise: you must continue to monitor your computing environment on a continuous basis. General Masters’ experienced PCI auditors will perform a comprehensive review or provide consulting services using the 12 requirements noted above at a negotiated interval, such as quarterly.

 

Security Protection and Regulatory Compliance Monitoring Services:

 

We have partnered with Cyberoam – America for the delivery of proven security appliances as part of our PCI DSS monitoring services to help facilitate proactive compliance.  Cyberoam delivers a comprehensive security portfolio that meets both the network and endpoint protection requirements of organizations. With Unified Threat Management (UTM) appliances, Endpoint Data Protection and Cyberoam iView – The Open Source Logging and Reporting Solution, Cyberoam delivers complete visibility and control over user activity.

 

Cyberoam’s CheckMark Level-5 certified, ICSA firewall-certified UTM appliances are purpose-built for comprehensive network protection. They meet the high performance needs of small, medium and large enterprises with appliances ranging from CR15i to CR1500i.

 

Available in appliance and software form, Cyberoam iView is a logging and reporting solution that offers visibility into activity within the organization for high levels of security, data confidentiality and regulatory compliance. It provides an organization-wide security picture on a single dashboard through centralized reporting of multiple devices across geographical locations. It also achieves compliance reporting for PCI-DSS, HIPAA, GLBA and SOX and performs forensic analysis to study security breaches through logs and reports.

 

Recent negative media coverage of unauthorized access to credit card information has resulted in a loss of customer confidence and, ultimately, in lost sales. As a result, all entities that handle cardholder information have been challenged to adopt more effective data protection measures. General Masters partners with its clients to ensure ongoing compliance with your PCI DSS requirements. We treat every relationship as a project and assign a dedicated project manager to all engagements to help ensure that our clients have a key contact.

 

 

To obtain more information about our PCI DSS Assessment, Consulting, Reviews, and proactive monitoring and reporting, please complete the following form and select areas of interest. Our staff will contact you shortly with a response.


First Name
Middle Name
Last Name
Company Name
Address Line 1
Address Line 2
City
State
Zip Code
Country
Daytime Phone() -
Evening Phone () -
Fax() -
E-mail Address
Comments
General Masters Inc., P.O. Box 896, Hillside, Illinois, 60162.
Copyright© 2010 General Masters Inc. All rights reserved.
        P. (877) 478-9420   F.  (877) 391-3639

Web Hosting powered by Network Solutions®