PCI DSS Readiness Assessment
Planning for a successful DSS compliance audit
Regardless of where you fall in the merchant level definitions, completing your own thorough compliance checks in advance of a DSS compliance audit can save you both time and money. The PCI Security Standards Council has defined a comprehensive set of standards to enhance the security of cardholder data, at the center of which is the PCI DSS. Level 1 merchants are required to demonstrate DSS compliance through an on-site assessment documented in a Report on Compliance (RoC), typically performed by a Qualified Security Assessor (QSA), while Level 2-4 merchants generally complete a self-assessment questionnaire (SAQ); your acquirer or card brand determines which applies to you. However, the requirements can be confusing, which is why we developed the CyberSheath PCI Readiness Assessment.
CyberSheath’s PCI Readiness Assessment establishes baseline security controls in your business operations so that compliance is achieved as efficiently as possible. Not only does this improve your cybersecurity and increase the likelihood of a successful audit, but it also reduces security administration overhead and spending, enabling you to spend more on actual defense.
Our unique approach to PCI DSS compliance stems from our Measure Once, Comply Many™ ethos, which aims to guarantee compliance as a natural consequence of secure day-to-day operations.
What does a PCI Readiness Assessment involve?
A successful PCI Readiness Assessment entails an in-depth review of your existing infrastructure, applications, and policies. Activities include:
- Host discovery to identify in-scope systems of interest.
- Port scanning to identify services on each target.
- Version scanning to fingerprint the services and OS.
- Vulnerability scanning of targeted hosts.
- Application scanning for vulnerabilities at the application level.
- Automated and manual penetration testing.
- Review of existing policies and procedures.
- Documentation of gap analysis against PCI DSS requirements.
- Readiness report documenting assessment findings and suggested remediations.
- A detailed plan of remedial actions and milestones with deliverables.
Remediation of Assessment Findings
Should your PCI Readiness Assessment identify areas of vulnerability or deficiency in your security operations, CyberSheath engineers will work with your team to develop a remediation plan according to your available resources.
Areas of focus include:
- Project management.
- Device configuration.
- Design, building, deployment, and testing of new or updated systems.
- Development of new policies, procedures, and controls.
- Training for in-house staff.
- Process validation.
- Policy generation.
- Documented step-by-step instructions.
PCI DSS Audit Certification
CyberSheath partners with a number of trusted QSA experts. Together, we can lead you through the final PCI audit process with the necessary expertise, artefacts and documentation to meet the PCI Security Standards Council compliance standards.
Working with your in-house compliance team, CyberSheath will offer full support during the audit process, from completing the self-assessment, through selecting an independent QSA, to coordinating audit activities.
CyberSheath services include:
- Verification of PCI compliance pertaining to the standards/regulations.
- Testing and validation of controls.
- Preparation of formal reports and questionnaires.
- Verification of required vulnerability scan results.
- Submission of related documentation.
- Support in finalizing the audit report and accompanying Attestation of Compliance (AoC).
- Resolution of questions from auditing personnel.
Because most standards require ongoing monitoring of your security people, processes and technologies to maintain compliance, CyberSheath provides 24/7 monitoring and compliance managed services. Benefits include:
- An annual audit of security systems and procedures.
- Periodic review of networks for security posture as needed.
- Quarterly internal and external vulnerability scans, with external scans performed by a PCI Approved Scanning Vendor (ASV) as the DSS requires.
- Regular monitoring/analysis of network devices for security events and breaches.
- On-demand assessment of specific network components for security posture.
- Periodic review of access, management, and data encryption.
- Log monitoring and forensics to investigate specific incidents.