Reduce PCI DSS Scope, Increase Certification Success, Manage Credit Card Data
For merchants and service providers that process credit cards in order to sell goods and services, achieving PCI DSS (Payment Card Industry Data Security Standard) compliance can be a long, costly and difficult process, but it is imperative in order to protect credit card information from fraud and misuse.
For organisations that are obliged to secure sensitive and valuable card holder data (CHD) in order to meet PCI compliance standards, the first and most vital step is to locate where CHD is stored across the entire data environment.
PixAlert’s PCI Automated SCOPE Assessment provides a fully automated mechanism to find where CHD is stored on any part of the corporate network (including inbound/outbound live email). This enables organisations to understand the scope and scale of their CHD exposures across their enterprise while creating the necessary groundwork for successful PCI DSS certification.
Enables Business To:
- Identify where CHD exists
- Quickly assess PCI DSS scope (outlined on pgs 10-13 of PCI Security Standard Council)
- Increase CHD audit success rate
- Improve compliance activity in a structured and continuous process
- Manage card holder data - migrate/ delete/ access control
- Manageable and meaningful reporting - ROC ready
- Define an Incident Response Strategy to the mismanagement of CHD
- Measure Security Policy effectiveness and uptake
- Measure User Acceptance of existing controls and policies
- Continuous monitoring to expose vulnerabilities and enable remediation (requirement 11 of PCI DSS standard)
Benefits to Business
- Achieve PCI DSS certification faster
- Maintain and ensure an easier path to PCI DSS re-certification
- Minimise audit cost and preparation time, improve resource efficiencies
- Reduce CHD loss/leakage incident rate
- Manage risk through continuous PCI capability assessment
- Improve customer security – protect corporate revenue
Process - Preparing For Compliance
- Through a comprehensive scan of all network-wide resources (file servers, mail servers, desktops, laptops), an organisation can efficiently discover and identify where CHD components (both structured and semi-structured card details) are stored on their network.
- PixAlert’s PCI Automated SCOPE Assessments are non-intrusive to existing IT processes and follow a well-defined, proven process.
- Intelligent and actionable reporting will provide users with visibility and control over the extent of their CHD components (both in and out of the scope environment). In identifying vulnerabilities, it will enable an organisation to take proactive, corrective action through the implementation of proper controls and updated risk assessments.
- Migrate card data to a secure location or classify
- Remove/delete unwanted or legacy CHD
- Manage ownership and access control levels
- Comprehensive, configurable and meaningful reporting - ROC ready
- Regular audits will help to demonstrate that PCI DSS is being continuously monitored and maintained through automated scans and reporting structures which ensure that consistent security measures and compliance standards are being upheld.
Data Sheet: PCI DSS Automated Scope Assessment
Our Customer’s Experience
Client: National UK Banking Network
‘Seeking a Solution to Determine What Card Holder Data Exists Within Out-Of-Scope PCI Environment’
Requirement: A national UK Banking Network working towards PCI DSS certification required a solution to accurately determine the scope of their PCI DSS by identifying all locations and flows of cardholder data (CHD) within and outside the scope of their data environment. The bank specifically requested a methodology to verify and prove, both at time of audit and on an ongoing basis, that no CHD existed in their out-of-scope environment.
Process: A comprehensive, non-intrusive audit of all network resources (file servers, email servers, desktops and laptops) enabled the bank to discover and identify the existence of all cardholder data stored across their network and, in particular, CHD stored in their out-of-scope environment.
Outcome: The audit analysis revealed that 25% of targeted resources contained CHD, many of which were in the bank’s out-of-scope data environment, and identified email exposure risk as ‘very high’. In particular, the customer found patterns of usage which showed that poor practice had been built into their business process, including: emails containing credit card details; inappropriate use of credit card details in testing of software; and inappropriate storage of credit card details. This information enabled the bank to take corrective action in remediating their CHD, reassess their controls and policies and, for the purposes of PCI DSS assessment, ensure that their data was correctly secured within their in-scope environment.
Conclusion: PixAlert’s PCI Automated SCOPE Assessment provided the bank with visibility and actionable intelligence over the extent of their data exposure and specifically identified sources of vulnerability. It enabled the bank to take proactive control to manage their CHD risk while achieving PCI DSS certification.
As a result of their initial audit, the bank has chosen to implement PixAlert’s PCI Automated SCOPE Assessment to achieve re-certification and maintain PCI DSS security continuously through regular re-audits and reporting.
Data Discovery Analysis