PCI Compliance Services
We have extensive expertise with PCI-DSS and can assist with all PCI initiatives.
PCI Gap Assessments
As part of our PCI gap assessments we help identify which areas of PCI are strong and which are opportunities for improvement. For each area of opportunity we develop a list of recommendations to support your team in remediating any compliance or security shortcomings.
PCI Advisory
Our PCI advisory services are suited to tough-to-solve PCI questions. This may include working through IT and security architectural challenges, such as network segmentation or the use of asymmetric encryption to reduce compliance scope.
PCI SAQ Support
If you need help determining which SAQ to complete, or help completing your SAQ, this might be the service for you.

PCI-DSS Security Services Alignment:
| PCI REQUIREMENT (SAQ D) | HOW WE HELP |
|---|---|
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data | |
| 1.1 Establish and implement firewall and router configuration standards. | NuHarbor Security trusted security technology partner. |
| 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. | NuHarbor Security trusted security technology partner. |
| 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. | Customer led initiative |
| 1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include: • Specific configuration settings are defined. • Personal firewall (or equivalent functionality) is actively running. • Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices. | NuHarbor Security trusted security technology partner. OR Customer led initiative |
| 1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties. | Customer led initiative |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | |
| 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | Customer led initiative |
| 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | PCI Advisory Services OR Customer led initiative |
| 2.3 Encrypt all non-console administrative access using strong cryptography. | Customer led initiative |
| 2.4 Maintain an inventory of system components that are in scope for PCI DSS. | Customer led initiative |
| 2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| 2.6 Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers. | NuHarbor Security PCI Advisory Services |
| Requirement 3: Protect stored cardholder data | |
| 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: • Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements • Specific retention requirements for cardholder data • Processes for secure deletion of data when no longer needed • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. | NuHarbor Security PCI Advisory Services |
| 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if: • There is a business justification and • The data is stored securely. | Customer led initiative |
| 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see more than the first six/last four digits of the PAN. | Customer led initiative |
| 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: • One-way hashes based on strong cryptography (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management processes and procedures. | NuHarbor Security trusted security technology partner. |
| 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. | NuHarbor Security PCI Advisory Services |
| 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data. | NuHarbor Security PCI Advisory Services |
| 3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks | |
| 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use. | Customer led initiative |
| 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.). | Customer led initiative |
| 4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties. | Customer led initiative |
| Requirement 5: Use and regularly update anti-virus software or programs | |
| 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). | NuHarbor Security trusted security technology partner. |
| 5.2 Ensure that all anti-virus mechanisms are maintained as follows: • Are kept current • Perform periodic scans • Generate audit logs which are retained per PCI DSS Requirement 10.7. | Customer led initiative |
| 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. | Customer led initiative |
| 5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 6: Develop and maintain secure systems and applications | |
| 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities. | NuHarbor Security Vulnerability Management Managed Services OR NuHarbor Security PCI Advisory Services |
| 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1. | Customer led initiative |
| 6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows: • In accordance with PCI DSS (for example, secure authentication and logging) • Based on industry standards and/or best practices • Incorporating information security throughout the software-development life cycle. | Customer led initiative |
| 6.4 Follow change control processes and procedures for all changes to system components. | Customer led initiative |
| 6.5 Address common coding vulnerabilities in software-development processes as follows: • Train developers at least annually in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities. • Develop applications based on secure coding guidelines. | NuHarbor Security trusted security technology partner. OR NuHarbor Security PCI Advisory Services |
| 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes (Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.) • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic. | Trusted partner for our customers to select web application firewall and vulnerability management technologies. NuHarbor Security PCI ASV Services; NuHarbor Security Application Penetration Testing Services; NuHarbor Security PCI Advisory Services |
| 6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 7: Restrict access to cardholder data by business need to know | |
| 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. | Trusted partner for our customers to select identity and access management solutions. |
| 7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. | Trusted partner for our customers to select identity and access management solutions. |
| 7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 8: Assign a unique ID to each person with computer access | |
| 8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. | Customer led initiative |
| 8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: • Something you know, such as a password or passphrase • Something you have, such as a token device or smart card • Something you are, such as a biometric. | Customer led initiative |
| 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication. | Trusted advisor for our customers to select 2 factor solutions. |
| 8.4 Document and communicate authentication policies and procedures to all users including: • Guidance on selecting strong authentication credentials • Guidance for how users should protect their authentication credentials • Instructions not to reuse previously used passwords • Instructions to change passwords if there is any suspicion the password could be compromised. | NuHarbor Security Policy Development Services |
| 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: • Generic user IDs are disabled or removed. • Shared user IDs do not exist for system administration and other critical functions. • Shared and generic user IDs are not used to administer any system components. | Customer led initiative |
| 8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. | Customer led initiative |
| 8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: • All user access to, user queries of, and user actions on databases are through programmatic methods. • Only database administrators have the ability to directly access or query databases. • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | Customer led initiative |
| 8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 9: Restrict physical access to cardholder data | |
| 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment. | Customer led initiative |
| 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include: • Identifying onsite personnel and visitors (for example, assigning badges) • Changes to access requirements • Revoking or terminating onsite personnel and expired visitor identification (such as ID badges). | Customer led initiative |
| 9.3 Control physical access for onsite personnel to sensitive areas as follows: • Access must be authorized and based on individual job function. • Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled. | Customer led initiative |
| 9.4 Implement procedures to identify and authorize visitors. | Customer led initiative |
| 9.5 Physically secure all media. | Customer led initiative |
| 9.6 Maintain strict control over the internal or external distribution of any kind of media. | Customer led initiative |
| 9.7 Maintain strict control over the storage and accessibility of media. | Customer led initiative |
| 9.8 Destroy media when it is no longer needed for business or legal reasons. | Customer led initiative |
| 9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. | Customer led initiative |
| 9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties. | NuHarbor Security Policy Development Services |
| Requirement 10: Track and monitor all access to network resources and cardholder data | |
| 10.1 Implement audit trails to link all access to system components to each individual user. | NuHarbor Security trusted security technology partner. |
| 10.2 Implement automated audit trails for all system components to reconstruct events. | NuHarbor Security trusted security technology partner. |
| 10.3 Record at least the following audit trail entries for all system components for each event. | NuHarbor Security trusted security technology partner. |
| 10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP). | Customer led initiative |
| 10.5 Secure audit trails so they cannot be altered. | NuHarbor Security trusted security technology partner. |
| 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. | NuHarbor Security trusted security technology partner. OR NuHarbor Security Managed Security Services |
| 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup). | NuHarbor Security trusted security technology partner. |
| 10.8 Additional requirement for service providers only: Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of: • Firewalls • IDS/IPS • FIM • Anti-virus • Physical access controls • Logical access controls • Audit logging mechanisms • Segmentation controls (if used). Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. | NuHarbor Security trusted security technology partner. OR NuHarbor Security Managed Security Services |
| 10.9 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. | NuHarbor Security Managed Security Services |
| Requirement 11: Regularly test security systems and processes | |
| 11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis. Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify both authorized and unauthorized devices. | NuHarbor Security PCI Advisory Services |
| 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred. | NuHarbor Security trusted security technology partner. OR NuHarbor Security Managed Security Services |
| 11.3 Implement a methodology for penetration testing that includes the following: • Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) • Includes coverage for the entire CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing to validate any segmentation and scope-reduction controls • Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5 • Defines network-layer penetration tests to include components that support network functions as well as operating systems • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months • Specifies retention of penetration testing results and remediation activities results. | NuHarbor Security Infrastructure Penetration Testing Services OR NuHarbor Security Application Penetration Testing Services |
| 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date. | NuHarbor Security Managed Security Services |
| 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For change-detection purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. Change-detection mechanisms such as file-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider). | NuHarbor Security trusted security technology partner. |
| 11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. | Customer led initiative |
| Requirement 12: Maintain a policy that addresses information security for all personnel | |
| 12.1 Establish, publish, maintain, and disseminate a security policy. | NuHarbor Security Policy Development Services |
| 12.2 Implement a risk-assessment process that: • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.) • Identifies critical assets, threats, and vulnerabilities • Results in a formal, documented analysis of risk. Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30. | NuHarbor Security Risk Assessment Services |
| 12.3 Develop usage policies for critical technologies and define proper use of these technologies. Note: Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage. Ensure these usage policies require the following: | NuHarbor Security Policy Development Services |
| 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. | NuHarbor Security Policy Development Services |
| 12.5 Assign to an individual or team the information security management responsibilities. | NuHarbor Security On-Demand CISO |
| 12.6 Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures. | NuHarbor Security trusted security technology partner. |
| 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.) Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only. | |
| 12.8 Maintain and implement policies and procedures to manage service providers, with whom cardholder data is shared, or that could affect the security of cardholder data, as follows. | NuHarbor Security Vendor Management Services |
| 12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement. | NuHarbor Security PCI Advisory Services |
| 12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach. | NuHarbor Security PCI Advisory Services |
| 12.11 Additional requirement for service providers only: Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes: • Daily log reviews • Firewall rule-set reviews • Applying configuration standards to new systems • Responding to security alerts • Change management processes. Note: This requirement is a best practice until January 31, 2018, after which it becomes a requirement. | NuHarbor Security PCI Advisory Services |
| Appendix A1: Additional PCI DSS Requirements for Shared Hosting Providers | |
| A1 Protect each entity’s (that is, merchant, service provider, or other entity) hosted environment and data, per A1.1 through A1.4. A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS. Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable. | |
| A1.1 Ensure that each entity only runs processes that have access to that entity’s cardholder data environment. | NuHarbor Security PCI Advisory Services |
| A1.2 Restrict each entity’s access and privileges to its own cardholder data environment only. | NuHarbor Security PCI Advisory Services |
| A1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. | NuHarbor Security trusted security technology partner. OR NuHarbor Security Managed Security Services |
| A1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. | NuHarbor Security Trusted Forensic Partner |
| Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS. Note: This Appendix applies to entities using SSL/early TLS as a security control to protect the CDE and/or CHD. | |
| A2.1 Where POS POI terminals (and the SSL/TLS termination points to which they connect) use SSL and/or early TLS, the entity must either: • Confirm the devices are not susceptible to any known exploits for those protocols, or • Have a formal Risk Mitigation and Migration Plan in place. | NuHarbor Security PCI Advisory Services |
| A2.2 Entities with existing implementations (other than as allowed in A2.1) that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. | NuHarbor Security PCI Advisory Services |