
View Full Version : PCI Compliance



netman4ttm
09-19-2007, 09:32 AM
I just found out that we need to have a PCI compliance audit run. We are at level 4, the bottom of the list, as we do very few transactions.

Has anyone gone through this process? Can you recommend an auditor?

What was the audit like?

Thanks folks.

wige
09-19-2007, 12:45 PM
I use ControlScan for my company/web site. The process consisted mainly of subscribing to daily security/vulnerability scans of our web server, web site, and company network, as well as comprehensive questionnaires regarding the steps we take to secure our network. They also provided us with templates for internal security policies that we were able to modify and implement (another requirement). It takes a while to get the paperwork completed, and if you don't have a security plan in place already, you may have a lot of work to do to secure your site and network to ensure compliance, but most auditors will help you get up to spec.

Charlotte Rickert
09-19-2007, 12:52 PM
Hi Netman,

Have you heard of Configuresoft's ECM (Enterprise Configuration Manager)? Our Center for Policy & Compliance has created a complete toolkit for PCI-DSS that comes with ECM out of the box (we also have SOX, GLBA, HIPAA, FISMA, etc.).

ECM will discover all servers and desktops touching your network (Win, Unix, Linux) and collect a baseline of all configuration settings, software, hardware, services, permissions, etc. Then, using the PCI template, ECM will compare all your machines to determine your state of compliance. Then you can use ECM to do full remediation, whether it means pushing out the latest hotfix, stopping a service or changing a security setting in bulk on all machines. Then you can have ECM alert you going forward of any machines drifting away from your standards.

Let me know if you want to see a demo or you need more info. My email address is charlotte.rickert@configuresoft.com and my number is 719-687-1656 Thanks!!

chowell
09-19-2007, 03:51 PM
Our clients have been using Security Metrics, which is literally a pain in the a**.

I don't know if it's just them or what, but we have pretty competent hosting administrators and they've been unable to get us a passing grade so far (on 2 servers).

wige
09-19-2007, 04:01 PM
Chowell, I take it that it is your web server that is causing the failure, has your hosting company or the testing company given you any specifics on why you failed? Most of the PCI analysis that I tried (I did demo plans with a few companies before we selected ControlScan) involved quite similar steps - a "procedural audit" which consisted of a questionnaire about our current security practices, and a physical audit consisting of extensive daily or weekly vulnerability scans of our web server and the web-facing side of our company network. If you got through the procedural audit, the physical audit shouldn't give you any problems unless the hosting company is not adequately securing the servers, or a vulnerability exists in your web software.

netman4ttm
09-19-2007, 04:06 PM
We use PortSentry, which I think is going to cause problems, since a lot of ports appear to be open; but really it is looking for scans. Also, it blocks the IP address from which the scan originated, which I think is not allowed.

dfenster
09-19-2007, 04:16 PM
My company uses Pegasus Technologies. These guys are top shelf, and really know their stuff.

Pegasus Technologies (http://www.pegasustechnologies.com/)

dfenster

wige
09-19-2007, 04:24 PM
PortSentry is an IDS, which is recommended and allowed under PCI. The requirement is that the IDS not block traffic from the auditor. The auditor must provide you with a list of IPs that their scans originate from, and you would enter these in your IDS. (For PortSentry, you should add them to the portsentry.ignore file, I believe.)

netman4ttm
09-19-2007, 04:33 PM
Thanks wige, I've contacted ControlScan.
dfenster, does Pegasus do audits? I saw nothing on their site showing it.

Do these guys do internal audits? or are they just looking for Internet exposure?

wige
09-19-2007, 05:34 PM
dfenster, looking at Pegasus' web site, it looks like they offer vulnerability scans as one of their services, however I do not see any indication on their site that they are licensed or approved by the PCI Security Standards Council, and obtaining quarterly scans by such an approved auditor is a requirement. I would contact them and make sure they are approved, and get a certificate number. The company name is not listed as approved.

mono
09-19-2007, 09:06 PM
Hello all,

We too are a level 4 company; we probably run fewer than 10,000 transactions a year. According to the PCI DSS, a level four company only has to submit to a self-assessment. We took a common sense approach to PCI compliance, shifting responsibility for the bulk of it to our payment gateway, who is a big company who has passed an audit.

To start with, we do not store primary account number (PAN) data, not even in a session. Our only exposure is in the transport of PANs from our website to the gateway, and we exceed requirements on that as to encryption, number of bits, etc. The thrust of PCI is to avoid theft of data that could be used to defraud cardholders. Let's say the worst possible thing happens and our server is completely breached and some thief makes off with all our data. They are going to get our customer list, but there are no PANs. PANs from any transactions originating at our website are stored at our gateway. We are paying them hefty fees for the privilege of running cards; let them also eat the risk associated with storing the account numbers.

deepsand
09-19-2007, 10:51 PM
As a Level 4, we wholly avoid the problem of audits by using 1) a large experienced certified ASP for order capture & 2) Authorize.net for the processing of card transactions.

Thus, there is absolutely no customer data on our server. Any such data directly retained by us is stored off-line.

mono
09-20-2007, 02:42 PM
I thought long and hard about not storing ANY customer data as well, but we use it for so many things that it did not make sense for our business not to keep their name, address and email local. We have opt-in emailing lists embedded in our web app for one thing, and for another, customers occasionally need to go back and tweak a transaction after it has already happened, and they use their email for this purpose. The advice I was given was that as long as you keep no trace of credit card data and you SSL everything to your gateway, you pretty much dodge the PCI bullet.
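
The pass-through design mono describes in the two posts above (no PAN stored anywhere on the merchant side, not even in the session; the card goes straight to the gateway over TLS and only a reference comes back), written out as an added example. This is not code from the thread and not any real gateway's SDK: `gateway_charge()` is a stand-in for the HTTPS call and its token format is an assumption. The part worth keeping is `find_pans()`, the check you run over your own database dumps, session store and logs to prove that the "no PANs here" claim actually holds.

```python
"""Pass-through card handling: the merchant validates, forwards, and keeps only
a token and the last four digits.  Added example; gateway_charge() is a stand-in
for a real HTTPS call and its token format is an assumption."""
import re
import secrets

# A PAN-looking run: 13-19 digits, optionally separated by single spaces/dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Luhn-valid digit runs found in text.  Run this over your own DB dumps,
    session store and logs: the answer should always be an empty list."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _SEPARATORS.sub("", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask PAN-looking runs to the last four before anything reaches a log line."""
    def mask(m):
        digits = _SEPARATORS.sub("", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)            # an order number, not a card
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(mask, text)


# --- stand-in for the payment gateway (assumption, not a real API) -------------
_GATEWAY_VAULT = {}   # lives on the gateway's side; the merchant never reads it


def gateway_charge(pan: str, expiry: str, amount_cents: int) -> dict:
    """Simulates the gateway storing the PAN and returning an opaque token."""
    token = "tok_" + secrets.token_hex(8)
    _GATEWAY_VAULT[token] = (pan, expiry)
    auth_code = "A" + secrets.token_hex(3)
    return {"token": token, "auth_code": auth_code, "amount_cents": amount_cents}


def checkout(session: dict, log: list, pan: str, expiry: str, amount_cents: int) -> dict:
    """Merchant side: validate, forward, persist token + last4 only, log redacted."""
    digits = _SEPARATORS.sub("", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
        # Reject without logging the value that failed.
        raise ValueError("card number failed format check")
    result = gateway_charge(digits, expiry, amount_cents)
    record = {                       # the only thing written to the merchant DB
        "token": result["token"],
        "last4": digits[-4:],
        "auth_code": result["auth_code"],
        "amount_cents": amount_cents,
    }
    session["last_order"] = record["token"]   # a reference, not the card
    # redact() is a safety net; the real fix is never formatting the PAN in.
    log.append(redact(f"charged {amount_cents} for {pan} -> {record['token']}"))
    return record
```

The Luhn filter in `find_pans()` is what keeps a sweep of your logs from flagging every order number; a run of digits that passes Luhn and is 13 to 19 long is worth a human look wherever it turns up.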

wige
09-20-2007, 03:56 PM
According to Visa (http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp_overview.html|Merchants#anchor_3) , all vendors at level 4 must have quarterly network scans. The networks subject to scanning are any network that collects or stores personal financial information of customers. By this definition, it is not limited to your web server. It also includes the network your point of sale is contained within.

As far as I have been able to determine, the following scenarios are correct:

If you do not accept credit card transactions and do not have any records of credit card transactions (the transaction is handled exclusively off site and you get no card information from the transaction), only your processor needs to worry about PCI compliance.

If you collect credit card information, and forward that information to another party for processing, and retain no information about the transaction, you must have quarterly scans. This is to prevent attacks that may cause your server to begin recording the card data and/or transmitting it to an outside party.

If you receive card data at your location, either because you receive reports or receipts post-transaction containing this information, or because you obtain it for processing phone or store orders, your local network must also be scanned quarterly.

denvermatt
12-23-2008, 02:04 PM
Regardless of the number of transactions you process, whether you need an external audit or can rely on a self-assessment is going to depend on your chain of custody of credit card data (PAN and/or card number), as wige indicated above. If you do require an external auditor, the PCI SSC maintains a list of certified QSAs at https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

You can also get some additional information on our website at eIQnetworks - Solutions - Regulations - PCI (http://www.eiqnetworks.com/solutions/PCI.shtml)

crankydave
12-24-2008, 08:25 AM
According to Visa (http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp_overview.html|Merchants#anchor_3) , all vendors at level 4 must have quarterly network scans. The networks subject to scanning are any network that collects or stores personal financial information of customers. By this definition, it is not limited to your web server. It also includes the network your point of sale is contained within.

As far as I have been able to determine, the following scenarios are correct:

If you do not accept credit card transactions and do not have any records of credit card transactions (the transaction is handled exclusively off site and you get no card information from the transaction), only your processor needs to worry about PCI compliance.

If you collect credit card information, and forward that information to another party for processing, and retain no information about the transaction, you must have quarterly scans. This is to prevent attacks that may cause your server to begin recording the card data and/or transmitting it to an outside party.

If you receive card data at your location, either because you receive reports or receipts post-transaction containing this information, or because you obtain it for processing phone or store orders, your local network must also be scanned quarterly.

Exactly, wige.

No one should kid themselves that there's a way around it, not to mention that if you are dealing with card information you should WANT to be compliant.

Dave

deepsand
12-24-2008, 06:20 PM
Networks subject to scanning requirements are those that are deemed to be "on-line;" "off-line" networks are exempt.

Note the qualifying phrase within "The PCI DSS requires that all merchants with externally-facing IP addresses perform external network scanning to achieve compliance."

This does, of course, leave open the question of whether or not any network that has Internet connectivity of any sort is truly "off-line." For example, what of one which is accessible via a VPN only? Or one in which a client machine can be remotely accessed?

Additionally, as regards "Approved Scanning Vendors," by all reports there is a great deal of disparity between what does and does not constitute "compliance" with regards to such scans.