Stage 1. Preliminary audit
Conducting a preliminary audit (inspection) aimed at assessing the current compliance level of the client’s information systems (IS), processes and regulatory documents with PCI DSS requirements. Based on these audit results, recommendations for preparation of the client’s information systems, processes and regulatory documents for successful PCI DSS certification will be developed. After the preliminary audit, consulting support is provided to eliminate nonconformities identified at this stage.
Stage 2. Preparation for the certification audit
Preparation for the certification audit includes:
1) An external vulnerability scan (ASV) of the network
2) An internal vulnerability scan of the network
3) Assessment of the client’s corporate network security by performing external and internal penetration tests
4) A search for unauthorized Wi-Fi access points
5) Penetration tests for network segmentation control tools
External vulnerability scan (ASV)
An external vulnerability scan of the network must be performed quarterly according to PCI DSS requirement 11.2.2. ASV scans are performed to detect bugs in system architecture and configuration that can be used to gain access to the client’s systems, servers, or corporate network. Apart from formal PCI DSS compliance, the external vulnerability scan allows us to assess the security of the external perimeter of the client’s network.
Internal vulnerability scan
An internal vulnerability scan of the client’s internal network must be performed quarterly according to PCI DSS requirement 11.2.1. The internal vulnerability scan is performed to detect bugs in system architecture and configuration that can be used to gain access to systems or servers where payment card data is stored, processed or transmitted. Apart from formal PCI DSS compliance, the internal vulnerability scan allows us to assess the security of the client’s internal corporate systems.
External and internal penetration tests
External and internal penetration tests must be performed at least once a year according to PCI DSS requirements 11.3.1 and 11.3.2. Penetration testing of systems and networks is a security assessment method that simulates the activities of potential intruders.
The tests identify and verify system vulnerabilities that may have occurred due to software and technical bugs, incorrect settings, operating problems etc. The tests also make it possible to demonstrate the relevance of identified vulnerabilities and the significance of potential losses to the client’s management staff.
Testing involves a rigorous check of vulnerabilities in IT systems, which is performed only after its time frame and scope have been agreed with the client. Defects in application and operating system software are often the cause of application vulnerabilities. Such defects can be detected by testing the software in use and by using specialized tools (vulnerability scanners).
Search for unauthorized Wi-Fi access points
According to requirement 11.1 of PCI DSS, a process must be implemented for a quarterly check of wireless access points in premises where payment card data is stored, processed or transmitted, as well as for the detection and identification of unauthorized wireless access points.
Upon completion of a premises scan, the collected information is analyzed and reported to the client. The report lists each detected wireless access point together with its assigned risk level.
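The analysis step described above, that is, comparing what a site survey found against the inventory of authorized access points and assigning each result a risk level, can be illustrated with a small script. The following is an added example and not code from the page or from the service provider; the survey records, the authorized BSSID inventory, the corporate SSID, the expected security setting and the -70 dBm "probably on premises" threshold are all constructed assumptions for illustration.

```python
# Constructed site-survey output (made-up SSIDs, BSSIDs and signal levels), in the
# shape a wireless analyser would export: one record per access point seen.
SURVEY = [
    {"ssid": "CORP-POS", "bssid": "00:11:22:33:44:01", "rssi": -48, "enc": "WPA2-Enterprise"},
    {"ssid": "CORP-POS", "bssid": "00:11:22:33:44:02", "rssi": -62, "enc": "WPA2-Personal"},
    {"ssid": "CORP-POS", "bssid": "DE:AD:BE:EF:00:01", "rssi": -40, "enc": "WPA2-Personal"},
    {"ssid": "FreeWiFi", "bssid": "aa:bb:cc:dd:ee:01", "rssi": -55, "enc": "OPEN"},
    {"ssid": "Cafe-Nextdoor", "bssid": "aa:bb:cc:dd:ee:02", "rssi": -85, "enc": "WPA2-Personal"},
]

# Constructed inventory of the client's own access points (assumed values).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS = {"CORP-POS"}
EXPECTED_ENC = "WPA2-Enterprise"   # assumed: what the inventory APs are supposed to run
ON_PREMISES_RSSI = -70             # assumed threshold: stronger than this is probably inside

RISK_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


def classify(ap, authorized, corp_ssids, expected_enc=EXPECTED_ENC,
             threshold=ON_PREMISES_RSSI):
    """Return (status, risk, reason) for one survey record.

    Order of checks matters: an inventory AP is never 'rogue', but an unknown
    BSSID broadcasting the corporate SSID is the highest-priority finding
    because it may be impersonating the client's own network.
    """
    bssid = ap["bssid"].lower()          # inventories and scanners differ in case
    if bssid in {b.lower() for b in authorized}:
        if ap["enc"] != expected_enc:
            return "authorized", "medium", "inventory AP with unexpected security setting"
        return "authorized", "none", "listed in AP inventory"
    if ap["ssid"] in corp_ssids:
        return "rogue", "high", "corporate SSID broadcast by a BSSID not in inventory"
    if ap["rssi"] >= threshold and ap["enc"] == "OPEN":
        return "unknown", "high", "open network with a signal consistent with being on premises"
    if ap["rssi"] >= threshold:
        return "unknown", "medium", "unknown AP with a signal consistent with being on premises"
    return "unknown", "low", "weak signal, most likely a neighbouring network"


def build_report(survey, authorized, corp_ssids):
    """Classify every record and return the report sorted by descending risk."""
    report = []
    for ap in survey:
        status, risk, reason = classify(ap, authorized, corp_ssids)
        report.append({"bssid": ap["bssid"].lower(), "ssid": ap["ssid"],
                       "rssi": ap["rssi"], "enc": ap["enc"],
                       "status": status, "risk": risk, "reason": reason})
    report.sort(key=lambda r: RISK_ORDER[r["risk"]])
    return report


if __name__ == "__main__":
    for row in build_report(SURVEY, AUTHORIZED_BSSIDS, CORPORATE_SSIDS):
        print(f'{row["risk"]:6} {row["status"]:10} {row["bssid"]} {row["ssid"]:14} {row["reason"]}')
```

The signal threshold only estimates location; in practice the medium- and high-risk entries are the ones a physical walk-through has to confirm or rule out before the report is finalized.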
Penetration tests of segmentation control tools
According to requirement 11.3.4.1 of PCI DSS, service providers must conduct external and internal penetration tests of network segmentation control tools at least twice a year. Network segmentation assessment is a method for analyzing network device settings to verify that segmentation is in place and effective, and that all networks not involved in payment card processing are isolated from the payment card processing environment.
Segmentation assessment is performed both outside the client’s company and from inside the network to confirm that the payment card processing environment network is inaccessible from other networks.
The results of the network segmentation assessment show whether segmentation within the client company is implemented correctly so as to reduce the PCI DSS audit boundary, according to requirement 11.3.4 of the PCI DSS.
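One part of analyzing network device settings for segmentation, as described above, is checking whether the firewall policy between out-of-scope segments and the CDE contains any rule that would let traffic through. The script below is an added example, not the page's or the service provider's own tooling: it walks a constructed first-match policy for every (out-of-scope segment, CDE subnet) pair and reports each allow rule that applies. The subnets, the policy and its rule ids are assumed sample values, and the check is deliberately conservative (a rule that allows only part of a segment is still reported, since one reachable host is enough to pull that segment into scope).

```python
import ipaddress

# Constructed sample scope (not a real network): one CDE subnet and three segments
# that the client considers out of scope for PCI DSS.
CDE_NETS = ["10.10.0.0/24"]
OUT_OF_SCOPE_NETS = {
    "office LAN": "10.20.0.0/24",
    "guest Wi-Fi": "10.30.0.0/24",
    "vendor VPN": "10.40.0.0/24",
}

# Constructed first-match firewall policy, evaluated top to bottom.
POLICY = [
    {"id": 1, "src": "10.30.0.0/24", "dst": "10.10.0.0/24", "action": "deny"},
    {"id": 2, "src": "10.20.0.5/32", "dst": "10.10.0.10/32", "action": "allow"},  # one admin PC to a jump host
    {"id": 3, "src": "10.20.0.0/24", "dst": "10.10.0.0/24", "action": "deny"},
    {"id": 4, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "allow"},         # catch-all allow at the end
]


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def find_segmentation_gaps(policy, cde_nets, out_of_scope_nets):
    """Return one finding per allow rule that lets traffic from an out-of-scope
    segment reach a CDE subnet under first-match evaluation.

    For each (segment, CDE subnet) pair the rules are walked in order. A rule is
    relevant if its source overlaps the segment and its destination overlaps the
    CDE subnet. A relevant allow rule is always a finding; the walk stops at the
    first relevant rule that fully covers the pair, because nothing below it can
    match any remaining traffic between these two networks.
    """
    findings = []
    cde = [_net(n) for n in cde_nets]
    for name, segment in out_of_scope_nets.items():
        src = _net(segment)
        for dst in cde:
            for rule in policy:
                r_src, r_dst = _net(rule["src"]), _net(rule["dst"])
                if not (r_src.overlaps(src) and r_dst.overlaps(dst)):
                    continue  # rule says nothing about this pair
                covers_pair = r_src.supernet_of(src) and r_dst.supernet_of(dst)
                if rule["action"] == "allow":
                    findings.append({"segment": name, "src": str(src),
                                     "dst": str(dst), "rule": rule["id"]})
                if covers_pair:
                    break  # first full match decides the rest of this pair's traffic
    return findings


if __name__ == "__main__":
    gaps = find_segmentation_gaps(POLICY, CDE_NETS, OUT_OF_SCOPE_NETS)
    for g in gaps:
        print(f'rule {g["rule"]}: {g["segment"]} ({g["src"]}) can reach CDE {g["dst"]}')
    if not gaps:
        print("no allow rule from any out-of-scope segment into the CDE")
```

On the sample policy this reports rule 2 (the admin PC, which therefore belongs inside the audit boundary or needs a controlled path) and rule 4 (the vendor VPN, which has no explicit deny and falls through to the catch-all allow). A static read of the rule base like this complements, but does not replace, the actual test traffic sent from each out-of-scope segment during the segmentation penetration test.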
Stage 3. PCI DSS compliance certification audit
The audit includes:
1) Collection and analysis of organizational and regulatory documents, and of information about the composition of the client’s Cardholder Data Environment (CDE) systems
2) Analysis of processes related to the protection and maintenance of system components in the CDE
3) A compliance audit of the client’s CDE system components against the PCI DSS requirements:
• Interviewing client employees (and third parties, if necessary) within the audit procedure developed by the PCI SSC consortium and adapted by the QSA consultant
• Analysis of the client’s CDE system component settings and configurations
• Assembling an evidence base for the compliance of the client’s CDE system components with PCI DSS requirements
4) Analysis of security assessment reports on the external and internal perimeter of the client’s CDE network
5) Development of reporting documents for acquiring banks and International Payment Systems: the Report on Compliance (RoC) and the Attestation of Compliance (AoC)
6) Issuance of the PCI DSS compliance certificate (in the event of full compliance)