PCI DSS (Payment Card Industry Data Security Standard) Compliance Assessment
PCI compliance is adherence to the set of policies and procedures developed to protect credit, debit and cash card transactions and prevent the misuse of cardholders' personal information. All card brands require compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Performing a PCI DSS compliance assessment, or validating compliance, is the process of evaluating an organization's security policies, procedures and network configurations against each applicable control in the standard.
Navigate to Company Level > Compliance > Assessments > PCI DSS to use the default template to start a PCI DSS assessment.
Click on Default Template to create your assessment for PCI DSS. The assessment is divided into 24 sections. Every section has a set of questions to be answered for this assessment. Some of the answers will be auto-populated based on CyberCNS scans that have completed successfully.
Click on Add to create a new PCI DSS Assessment.
To start, provide an Assessment Name of your choice. The current assessment will be stored under this name.
In this assessment, there are 24 sections. Below are the different sections with descriptions which will be used for the assessment:
Merchant Organization Information.
Qualified Security Assessor Company Information (If Applicable): A QSA is a security company that has been certified by the PCI Security Standards Council (SSC) to perform PCI DSS assessments.
Executive Summary: This captures information about Merchant Business and Types of Payment Channels used by the organization.
Description Of Payment Card Business And Locations: The capacity in which the business stores, processes, and/or transmits cardholder data, and the locations where it does so.
Payment Application And Description Of Environment: Information regarding the Payment Applications used by the organization.
Third-Party Service Providers And Eligibility To Complete SAQ: Details of any third-party service providers with which the company shares cardholder data.
Requirement 1: Install And Maintain A Firewall Configuration To Protect Data.
Requirement 2: Do Not Use Vendor-Supplied Defaults For System Passwords And Other Security Parameters.
Requirement 3: Protect Stored Cardholder Data.
Requirement 4: Encrypt Transmission Of Cardholder Data Across Open, Public Networks.
Requirement 5: Protect All Systems Against Malware And Regularly Update Anti-Virus Software or Programs.
Requirement 6: Develop and Maintain Secure Systems And Applications.
Requirement 7: Restrict Access To Cardholder Data By Business Need To Know.
Requirement 8: Identify And Authenticate Access To System Components.
Requirement 9: Restrict Physical Access To Cardholder Data.
Requirement 10: Track and Monitor All Access To Network Resources And Cardholder Data.
Requirement 11: Regularly Test Security Systems And Processes.
Requirement 12: Maintain A Policy That Addresses Information Security For All Personnel.
Appendix A: Additional PCI DSS Requirements.
Validation And Attestation Details.
Merchant Attestation.
QSA Acknowledgement (If Applicable).
ISA Acknowledgement (If Applicable).
Action Plan For Non-Compliant Requirements.
Once all the details are provided, click on Save, then click on Next to move to the next page.
For every question in the assessment, evidence can be uploaded using Upload Evidence once the assessment has been saved in draft mode.
Assessment Status
You can ONLY View/Download an assessment while it is in a COMPLETED status.
You can ONLY Edit an assessment while it is in DRAFT status.
Action options include: Edit, View/Download, and Delete.
Edit: Continue with updates/edits to an open assessment.
Delete: permanently deletes the assessment.
View/Download: Starts the ZIP file download containing three items (a DOCX file, an XLSX file, and an Evidence folder containing individual XLSX files with the answers/evidence collected by the CyberCNS scan during the assessment).
The downloaded ZIP file is named using the pattern 'Company Name _ Assessment Name _ Date _ Time'.
Example of the three file outputs as mentioned above.
Example of the individual evidence output inside the ‘evidence’ folder.
This completes the PCI DSS Compliance Assessment document.