PCI Compliance

If you store, process or transmit credit card information, then you need to be PCI DSS compliant.

What is PCI DSS?

Theft of credit cardholder personal information is on the rise, leaving businesses faced with mounting legal, remediation, and recovery costs. The negative media coverage, loss of customer confidence, and subsequent loss in sales can cripple the business. As a result, all entities that handle credit cardholder information are being challenged to adopt more effective data protection measures.


The Payment Card Industry (PCI) Data Security Standard (DSS) was created to confront the rising threat to credit cardholder personal information. The PCI DSS consists of the PCI Compliance Principles and Requirements for securing credit cardholder data in both hardcopy and electronic formats. The PCI DSS has been adopted by companies in the credit card industry as the global standard for the protection of customer information. The PCI Security Standards Council (SSC) owns, develops, maintains and distributes the PCI DSS, in addition to providing oversight for the Approved Scanning Vendor program that certifies companies as Approved Scanning Vendors (ASV).


According to a recent study conducted by Verizon Business of the organizations handling customer credit cardholder data that it audited, the typical organization had met less than a third of the requirements in the PCI DSS, while over three-quarters of the organizations it had worked with that had suffered payment card breaches were found to be either not compliant with the PCI DSS or never audited. The goal of the PCI DSS is simple: protect cardholder account data. To achieve this, the PCI SSC has gained endorsement of the PCI DSS by the five major payment card brands: Visa’s Cardholder Information Security Program (CISP), MasterCard, Discover Financial Services, American Express, and JCB International.

Who needs to be PCI compliant?

The PCI SSC works with the five major payment card brands to ensure that merchants and service providers are PCI compliant. As a global standard, the PCI DSS applies to any entity worldwide that stores, processes or transmits credit cardholder data. This includes financial institutions, merchants and service providers in all payment channels. Financial institutions include banks, insurance companies, lending agencies, and brokerages. Merchants include restaurants, retailers (brick-and-mortar, mail/telephone order, e-commerce), transportation operators, and virtually any point of sale that processes credit cards, across all industries. Examples of service providers include transaction processors, payment gateways, customer service entities (i.e., call centers), managed service providers, web hosting providers, data centers, and Independent Sales Organizations.

Penalties for non-compliance

The five major payment card brands enforce PCI compliance validation by requiring merchant banks to meet specific auditing and reporting criteria for their respective merchants and service providers. Merchant and service provider compliance validation has been prioritized based on the volume of transactions, the potential risk, and the exposure introduced into the payment system. Entities that fail to comply with the PCI standards can be fined up to $500,000 for each instance of non-compliance, in addition to having their ability to process credit card transactions revoked. Even with these penalties as a deterrent, those handling payment cardholder data are finding it challenging to meet the PCI standard without assistance from security experts with experience in helping similar organizations complete the PCI compliance audit process.

How Rapid7 Helps

Rapid7 has extensive experience partnering with financial institutions, merchants and service providers nationwide such as Stein Mart, Trader Joe’s, Olympia Sports, The Blackstone Group, LendingTree, and E*TRADE FINANCIAL, to help them with their security and compliance requirements. Rapid7’s PCI Compliance Solutions meet the data security standards required to achieve PCI compliance while also providing sound vulnerability management practices as part of a comprehensive security program designed to protect your credit cardholder data from intruders.

Rapid7 helps you comply with Requirements 6.5, 6.6, 11.2 and 11.3 of the PCI DSS v1.2 because:

  • Nexpose delivers audience-based PCI reporting, including PCI Executive Summary reports and PCI Audit Reports. PCI Executive Summary reports provide high-level PCI compliance results that indicate whether or not all the assets included in the report comply with PCI standards. The Rapid7 PCI Audit Report and Remediation Plan includes detailed step-by-step instructions for vulnerability remediation to address any deficiencies and to automate compliance with the PCI DSS.
  • Nexpose enables internal staff to conduct ad-hoc internal vulnerability scans after significant network changes (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).
  • Nexpose enables vulnerability assessment scanning and monitoring both inside and outside your perimeter defenses by using either distributed scan engines or Rapid7 Managed PCI Services.
  • Nexpose provides scanning and reporting capabilities that meet or exceed the PCI Security Standards Council’s specifications for system security scanning. Nexpose scans assets and delivers detailed PCI audit reports using safe scan settings to generate a comprehensive report on all network-based vulnerabilities, in addition to performing patch verification, application-layer testing, and port scanning.
  • Nexpose deploys flexibly as an appliance, as software, or as a Managed Service for internal and external vulnerability scanning.

With Rapid7 Nexpose, our Professional Services staff can perform an independent scan and produce the certified documentation required by retailers to comply with the PCI DSS standard.

These services include:

  • Performing quarterly internal and external vulnerability scans. Rapid7 has been recertified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council, authorizing us to help you achieve compliance with the PCI Data Security Standard (DSS). Rapid7 PCI Compliance Services perform independent, quarterly ASV vulnerability scans and produce the certified documentation for your records. (Requirement 11.2)
  • Leveraging Rapid7 Managed PCI Services to provide the added value of automated quarterly scans, including external vulnerability scanning. This includes up to twelve rescans per quarter at no extra charge, full remediation plans, and eight hours of consulting time with one of our professional security consultants (2 hours per quarter) to review scan results and discuss remediation recommendations as well as any requested scan and report configuration changes. (Requirement 11.2)
  • Performing the annual internal and external penetration testing required by the PCI DSS, through Rapid7 PCI Compliance Services, in order to detect deficiencies more quickly and provide detailed recommendations for fixes that would prevent attacks. (Requirement 11.3)
  • Performing a Rapid7 PCI Gap Analysis for a detailed audit of your networked environment, Web application secure coding policies, physical security control policies, training policies, and personnel policies, in addition to providing guidance on network segmentation to show you how to reduce the scope of your PCI audit and limit your cardholder segment. (Requirement 6.5)
  • Performing Web application assessment testing to identify vulnerabilities based on the OWASP Top 10 vulnerability list, in addition to providing Security Awareness Training, OWASP web development training and CEH/Penetration test training on request. (Requirement 6.6)
  • Providing assistance in completing the appropriate PCI Self-Assessment Questionnaire (SAQ) when required for PCI certification.
  • Providing cutting-edge security expertise, as demonstrated by the active participation of Rapid7 Security Experts in evolving the DSS and Operational Guidelines through PCI SSC Task Forces and industry forums.

To learn more about how Nexpose capabilities meet the requirements to comply with the PCI DSS, refer to the Rapid7 PCI Compliance Guide.

Protect both your customers and your business by securing the privacy of credit cardholder data. Contact us to find out how Rapid7 can help you implement PCI for both Web and storefront transactions, and achieve PCI compliance.


"Nexpose became even more attractive when Rapid7 introduced its PCI compliance capabilities."

Mary Ann Blair
Director of Information Security
Carnegie Mellon University