The PCI Compliance Process Scoping – Where is the cardholder data located? PCI Compliance is for the Cardholder Data Environment The next step in the process of validating compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements is to properly identify and define what systems, processes, and people are involved in the transmission, processing, or storage of cardholder data –and- any systems, processes, and people that may impact the security of your cardholder data. The PCI Glossary provides the following definition: Cardholder Data Environment (CDE): The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components. The CDE is generally comprised of systems involved in the direct credit card transaction processing that originates from retail locations, kiosks, e-Commerce sites, and more frequently today – from mobile devices. Beginning with a credit card ‘swipe’ or entry of the credit card data into a payment application, all systems involved in the transmission of this credit card transaction traffic are in scope for PCI compliance. From the moment the credit card data is presented through all intermediate systems, to the point where the transaction data is sent to an outside entity such as a payment gateway, processor, or bank for credit authorization – and back – all the technology, people, and processes are all part of the CDE. The credit card transaction process being in scope is generally well understood. What is also in scope are any processes that occur after the initial transaction and/or support the transaction – such as refunds, chargebacks, dispute resolution, collections, fraud detection/prevention, loss prevention, customer support, help desk, and so forth. People and processes that support the payment processes – such as network and system administrators, DBAs, developers, customer care agents, security administrators, store managers, finance and accounting personnel – are all likely elements of the CDE and subject to PCI compliance. Limiting Scope If this sounds like a complex problem, or if your head is starting to hurt, you can understand why there is so much emphasis on limiting the scope for PCI compliance. Scoping your PCI environment, or CDE, is often a major undertaking and requires deep knowledge of all business and IT processes and data flows. The PCI DSS actually requires companies to have a documented process for determining what is and what is not part of the CDE (or simply “in scope”) and must also be able to present evidence and results of the methodology used to determine the scope of PCI in their enterprise. Data Discovery There has never been more emphasis placed on discovering and identifying all “people, processes, and technology” that are involved with cardholder data in a company’s enterprise than today. There is no single prescribed method for conducting this exercise within your company, and the PCI DSS does not provide specific guidance about how discovery exercises must be performed in any particular fashion. Qualified Security Assessor (QSA) companies, professional services companies, and solutions providers often advise their clients on how to conduct these discovery exercises, and sometimes even conduct the discovery exercises on behalf of their clients and/or provide tools and technology to perform “data discovery” exercises. Whatever the method for identifying your CDE, it is important to remember a couple of key points: 1. You must demonstrate where cardholder data IS present AND where it is NOT present; 2. Your methodology must be documented, and you must show evidence of the methodology being executed. Tenable for PCI Compliance Tenable offers a range of solutions for help you determine and validate PCI compliance and remain compliant between audits as your network changes. Internal Vulnerability Scanning with Nessus Vulnerability Scanner The Nessus vulnerability scanner may be used by organizations to satisfy quarterly internal vulnerability scanning requirements. When used on a continuous basis, Nessus enables companies to identify and correct issues well before the official compliance validation occurs. This also helps reduce the cost of the official validation assessment by reducing the time it takes to get the QSAs the information they need. Nessus can also identify sensitive data that is subject to PCI compliance requirements such as credit card numbers. Nessus can perform these searches without an agent and only requires valid credentials to scan a remote computer. PCI ASV Validation with Nessus Perimeter Service Tenable Network Security is a PCI Approved Scanning Vendor (ASV) and is certified to validate quarterly external vulnerability scans for companies to fulfill PCI DSS validation requirements. The ASV service allows companies to: Use a single solution, Tenable PCI Scanning Service, to perform PCI scans and submit them for quarterly PCI ASV validation. Submit up to 2 PCI scans per calendar quarter for validation by Tenable’s PCI-certified professionals. Easily generate executive, attestation, and detailed reports — offering proof of compliance needed for submission to your acquiring bank. Intelligent Continuous Monitoring with Tenable USM Nessus is a component of Tenable's Unified Security Monitoring (USM) platform, which also includes Tenable SecurityCenter, the Tenable Passive Vulnerability Scanner (PVS), and the Tenable Log Correlation Engine (LCE). The Tenable USM platform offers enterprises continuous monitoring and centralized intelligence for PCI compliance. Features include: Continuously monitor and discover new devices on the network that may create PCI exposure. Continuously detect the presence of malware that has infiltrated your network and is running malicious programs in your environment. Secure log aggregation / storage and log normalization / search for compliance monitoring and analysis. Identify PCI-relevant assets and limit PCI scans to those assets, reducing time and resources required for regular scans. Create a single view of risk exposure that includes Internet-facing web application vulnerabilities. About Tenable Network Security Tenable Network Security is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world’s largest companies and governments, to stay ahead of emerging vulnerabilities, threats and compliance-related risks. Its Nessus and SecurityCenter solutions continue to set the standard to identify vulnerabilities, prevent attacks and comply with a multitude of regulatory requirements. For more information, please visit www.tenable.com. GLOBAL HEADQUARTERS Tenable Network Security 7021 Columbia Gateway Drive Suite 500 Columbia, MD 21046 410.872.0555 www.tenable.com Copyright © 2013. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. 2
© Copyright 2024