Main certification stages
Stage 1. Preliminary audit
The preliminary audit (survey) assesses the current level of compliance of the client's information systems (IS), processes and regulatory documentation with the requirements of the PCI DSS standard. Based on its results, recommendations are developed on preparing the client's information systems, processes and regulatory documentation for successful certification of compliance with PCI DSS. After the preliminary audit, consulting support is provided while the non-conformities identified at this stage are remediated.
Stage 2. Preparation for certification audit
Preparation for a certification audit includes the following steps:
1) Conducting an external network vulnerability scan (ASV)
2) Conducting an internal network vulnerability scan
3) Assessing the security of the client's company network by performing external and internal penetration testing
4) Search for unauthorized Wi-Fi access points
5) Penetration testing of network segmentation controls
External Network Vulnerability Scanning (ASV)
PCI DSS Requirement 11.2.2 requires quarterly external network vulnerability scans. The purpose of conducting ASV scans is to identify errors in the architecture and configuration of systems that could be used to gain access to systems, servers, or the client's internal network. In addition to formal compliance with the PCI DSS standard, external network vulnerability scanning allows you to assess the security of the client's external network perimeter.
Internal network vulnerability scanning
PCI DSS Requirement 11.2.1 requires quarterly internal vulnerability scans on the customer's internal network. The purpose of conducting an internal vulnerability scan is to identify errors in the architecture and configuration of systems that could be used to gain access to systems and servers that store, process or transmit payment card data. In addition to formal compliance with the PCI DSS standard, internal vulnerability scanning allows you to assess the security of systems within the client's company.
Penetration Testing
PCI DSS requirements 11.3.1 and 11.3.2 require external and internal penetration testing to be performed at least once a year. Penetration testing of systems and networks is one of the methods for assessing security by simulating the actions of an intruder.
During testing, vulnerabilities in systems that may arise from software and technical errors, incorrect settings, operational shortcomings, etc. are detected and verified. Testing also makes it possible to demonstrate clearly to the client's management the relevance of the identified vulnerabilities and the significance of the potential damage.
Testing includes an active check of IT system vulnerabilities, which is performed only after agreeing on the time and scope of such actions with the client. Application vulnerabilities are often caused by bugs in application and system software. Such errors can be detected by testing running software and using specialized tools (vulnerability scanners).
Network Segmentation Control Penetration Testing
PCI DSS Requirement 11.3.4.1 requires both external and internal penetration testing of network segmentation controls for service providers at least twice a year. Network segmentation assessment is a method of analyzing network device settings to verify that segmentation is effective and that all networks not related to the processing of payment card data are isolated from the payment card data processing environment.
Segmentation evaluation is performed both from outside the customer's company and from within the network to confirm that the payment card environment network is not accessible from other networks.
The results of the Network Segmentation Assessment provide information on whether segmentation has been performed correctly at the client's company to reduce the scope of the PCI DSS audit as per PCI DSS requirement 11.3.4.
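As an added illustration (not the assessor's own tooling), the following Python script shows the core of a segmentation check: each test case states a source segment that must not reach a given CDE host and port, a TCP connect probe is run from that segment, and every case whose observed reachability contradicts the expected isolation is reported as a finding. Segment names and addresses are constructed placeholders; the probe is injectable so the logic can be exercised without a live network.

```python
"""Segmentation control verification (added example, placeholder data)."""
import socket
from dataclasses import dataclass


@dataclass
class SegmentationCase:
    source_segment: str          # constructed label of the network the probe runs from
    cde_host: str                # CDE host that the source segment should not reach
    port: int
    expect_reachable: bool = False  # isolation is the norm; set True for sanctioned paths


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_segmentation(cases, probe=tcp_probe):
    """Run every case through the probe and return a list of (case, observed)
    pairs whose outcome contradicts the expected isolation.

    An empty list means segmentation held for all cases; any entry is a
    finding for the assessment report (an out-of-scope segment reaching
    the CDE, or a sanctioned path that is unexpectedly blocked)."""
    findings = []
    for case in cases:
        reachable = probe(case.cde_host, case.port)
        if reachable != case.expect_reachable:
            findings.append((case, reachable))
    return findings


if __name__ == "__main__":
    # Constructed cases: RFC 1918 placeholder addresses, not real systems.
    cases = [
        SegmentationCase("corporate-lan", "10.10.0.5", 443),
        SegmentationCase("guest-wifi", "10.10.0.5", 22),
        SegmentationCase("cde-jump-host", "10.10.0.5", 22, expect_reachable=True),
    ]
    for case, observed in verify_segmentation(cases):
        print(f"FINDING: {case.source_segment} -> {case.cde_host}:{case.port} "
              f"reachable={observed}, expected={case.expect_reachable}")
```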
Stage 3. PCI DSS Compliance Certification Audit
As part of the audit, the following activities are carried out:
1) Collection and analysis of organizational and regulatory documentation and of information about the system components of the client's Cardholder Data Environment (CDE)
2) Analysis of processes related to the protection and maintenance of system components in the CDE
3) Audit of compliance of the client's CDE system components with the requirements of the PCI DSS standard:
 o Interviewing client employees (and third parties, if necessary) according to the audit procedure developed by the PCI SSC consortium and adapted by the QSA consultant
 o Analysis of settings and configurations of the client's CDE system components
 o Formation of an evidence base for compliance of the client's CDE system components with the requirements of the PCI DSS standard
4) Analysis of reports on the security assessment of the external and internal perimeter of the client's CDE network
5) Development of reporting documents for acquiring banks and international payment systems: Report on Compliance (RoC) and Attestation of Compliance (AoC)
6) Providing a certificate of compliance with the requirements of the PCI DSS standard (in case of full compliance with the requirements of the standard)