
Nollysoft PCI-DSS App (Panthera)

Nollysoft’s PCI Data Security Standard application assists Assessor Companies, Merchants, and Service Providers in conducting PCI DSS Assessments to comply with the PCI DSS mandates. The app is a comprehensive database-driven solution that enables Assessors, Merchants, and Service Providers to create Reports on Compliance (ROC), Self-Assessment Questionnaire D (SAQ D), and Attestations of Compliance (AOC) with a security mindset. Panthera uses Nollysoft’s exclusive, robust algorithm to capture data and produce each mandatory regulatory report in under sixty seconds.

The app provides a unique value to Assessors enabling them to reuse previously created assessments and allowing multiple Qualified Security Assessors (QSAs) to work on different assessment sections simultaneously, significantly reducing time to completion.


Panthera’s Unique Value to Customers

The App Helps Customers to Meet Compliance Goals

  • Well-defined role-based automation workflow.
  • Complete assessments in less time than with a Word document template.
  • Reuse previous assessments to increase efficiency.
  • Ability to delegate assessment sections to others (for example, a QSA) for considerable time savings.
  • Ease of PCI template update as newer versions become available.
  • A ‘ready-to-submit’ Report on Compliance (ROC), Self-Assessment Questionnaire D (SAQ D), and Attestation of Compliance (AOC).

The 12 PCI DSS Requirements – A step-by-step guide

01. Install and maintain a firewall configuration

Meeting the PCI DSS firewall requirements is the first step towards organizational compliance. Firewalls restrict incoming and outgoing network traffic and are often the first line of defense when it comes to hackers.

You’ll need to properly configure your firewall and routers to protect your payment card data environment. Also, establish firewall and router rules and standards that determine which types of traffic are allowed and which aren’t.
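As an added illustration of the “which types of traffic are allowed and which aren’t” point (this is example code written for this page, not part of Panthera): a small Python audit of an ordered firewall rule set protecting a cardholder data environment (CDE). The rule format, the CDE subnet 10.20.0.0/24 and the sample rules are constructed assumptions. The check flags allow rules with an unrestricted source into the CDE or an unrestricted destination out of it, and confirms the rule set ends with an explicit default deny.

```python
"""Audit an ordered firewall rule set for a cardholder data environment.

Added example for this page, not Panthera code. The rule format
(action, source, destination, port) and the CDE subnet are assumptions.
"""
import ipaddress

# Assumed CDE subnet for this example (constructed, not a real network).
CDE_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample rule set, evaluated top to bottom. "any" is a wildcard.
SAMPLE_RULES = [
    ("allow", "10.10.5.0/24", "10.20.0.0/24", 443),  # admin jump hosts -> CDE web tier
    ("allow", "any", "10.20.0.10/32", 3306),         # any source -> CDE database port (bad)
    ("allow", "10.20.0.0/24", "any", 53),            # CDE -> any DNS server anywhere (bad)
    ("allow", "10.20.0.0/24", "10.10.8.0/24", 514),  # CDE -> syslog collector only
    ("deny", "any", "any", "any"),                   # explicit default deny
]

DEFAULT_DENY = ("deny", "any", "any", "any")


def _touches_cde(cidr):
    """True if the address spec is the wildcard or overlaps the CDE subnet."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr).overlaps(CDE_NET)


def audit_rules(rules):
    """Return a list of (rule_index, reason) findings for an ordered rule list."""
    findings = []
    for i, (action, src, dst, _port) in enumerate(rules):
        if action != "allow":
            continue
        # Inbound: an unrestricted source permitted to reach the CDE.
        if src == "any" and _touches_cde(dst):
            findings.append((i, "unrestricted source allowed into the CDE"))
        # Outbound: the CDE permitted to reach any destination at all.
        if dst == "any" and _touches_cde(src):
            findings.append((i, "CDE allowed to reach any destination"))
    # Traffic not explicitly permitted must be denied; the last rule should say so.
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append((len(rules), "no final default-deny rule"))
    return findings


if __name__ == "__main__":
    for index, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {reason}")
```

Rule order matters for a real firewall, which is why the audit keeps the list ordered and checks the last entry specifically; a default deny placed above a permissive allow would be shadowed, and a permissive allow placed above the deny is exactly what the two flagged rules represent.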

03. Protect stored cardholder data

Safeguarding cardholder data is the most critical of all PCI DSS compliance requirements. You need to know where cardholder data is going, the location it will be stored, and for exactly how long. Plus, all cardholder data must be encrypted using industry-accepted algorithms and security keys.

One common mistake is that companies aren’t aware that primary account numbers (PANs) are being stored unencrypted. That’s why using a card data discovery tool is useful. This PCI requirement also includes rules for how card numbers may be displayed, such as hiding all but the first six or last four digits.
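The two controls in that paragraph, masking a PAN for display and discovering PANs stored in the clear, as an added Python example written for this page (not Panthera’s own tooling). The regular expression, the Luhn filter and the sample export are assumptions for illustration; the card numbers in the sample are well-known test numbers, not real accounts.

```python
"""PAN display masking and clear-text PAN discovery.

Added example for this page, not Panthera code. Sample input is constructed;
the card numbers are standard test numbers that pass the Luhn check.
"""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample of a file export that a discovery scan might run over.
SAMPLE_EXPORT = (
    "order=1001 card=4111 1111 1111 1111 exp=12/27\n"  # clear-text PAN with spaces
    "order=1002 card=411111******1111 exp=01/26\n"      # already masked: no hit
    "order=1003 ref=1234567890123456\n"                 # 16 digits but fails Luhn: no hit
    "order=1004 card=5555-5555-5555-4444 exp=09/28\n"   # clear-text PAN with dashes
)


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form permitted by Requirement 3: first six and last four only."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (masked_pan, offset) for each Luhn-valid PAN found in the text.

    Only the masked form is returned, so the scan report itself never
    becomes another place where clear-text PANs are stored.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits


if __name__ == "__main__":
    for masked, offset in find_pans(SAMPLE_EXPORT):
        print(f"clear-text PAN at offset {offset}: {masked}")
```

The Luhn filter is what keeps a scan like this usable: without it, order numbers, timestamps and hashes produce a flood of false positives, and the real finding (the two unmasked card numbers) gets lost in the noise.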

05. Protect all systems against malware

It’s not enough to simply install basic antivirus software to be PCI-DSS compliant. You need to update and patch your antivirus software applications on a regular basis. This PCI security standard is designed to guard against malware and any number of viruses that could compromise your systems and cardholder data.

Antivirus software should be up to date throughout your entire cardholder information technology ecosystem. This includes servers, workstations, and laptops or mobile devices used by employees and/or management. Antivirus software should always be actively running, using the latest signatures, and generating logs that can be audited.

07. Restrict access to cardholder data

Any entity that handles payment card data must also allow or deny access to said data based on roles and permissions. More specifically, PCI DSS requirements state that individuals should only have access to private cardholder data on a need-to-know, business essential basis.

In addition to digital access, organizations must also meet PCI DSS physical security requirements. You should have documented access control policies and procedures based on things like job function, level of seniority, and reason for needing access to cardholder data. Document all users and their access level and keep it up to date at all times.

09. Restrict physical access to cardholder data

Being PCI compliant isn’t only about digital security. Companies must also take PCI DSS physical security seriously. This PCI requirement covers physical access to things like servers, paper files, or workstations that house or transmit cardholder data.

This PCI requirement also mandates the use of video cameras and general electronic monitoring of the entry and exit points of physical locations like file storage rooms and data centers. Recordings and access logs must then be kept for a minimum of 90 days. You should have access processes that distinguish between employees and visitors. Finally, all portable media holding cardholder data, such as flash drives, must be physically guarded and destroyed when no longer necessary for business.

11. Regularly test security systems and processes

Malicious actors and cybercriminals are constantly poking and prodding systems in hopes of discovering a vulnerability. That’s why PCI standards include requirements about continuous system and process testing. Activities like penetration and vulnerability testing can help you meet this requirement.

You’ll be required to conduct wireless analyzer scans on a quarterly basis to identify unauthorized access points. External IPs and domains need to be scanned by a PCI Approved Scanning Vendor (ASV), and an internal vulnerability scan should be conducted quarterly as well. A thorough application and network penetration test should take place annually.

02. Do not use vendor-supplied defaults

Never rely on the default settings for any servers, network devices, or software applications. This goes for everything from Wi-Fi routers to firewalls. The default password, username, and other default security settings are often insufficient to meet PCI standards.

This second PCI DSS standard requirement states that you not use vendor-supplied defaults for passwords and other security parameters. Make sure to upgrade your settings for all new devices and hardware, as well as maintain documentation for your configuration security hardening procedures.

04. Encrypt transmission of cardholder data

This PCI DSS requirement is like Requirement 3, only it focuses on data traffic and transmission rather than storage. This includes data in motion via open, closed, private, or public networks. Hackers often target data as it moves from one location to another because they assume it’s more vulnerable there.

You should know where cardholder data is going to and coming from, whether it be a merchant, payment gateway, or payment processor. Also, make sure to encrypt cardholder data prior to transmission using secure versions of protocols that will reduce the risk of moving data being compromised. You should be aware that PCI DSS v4.0 will provide more specific guidance on multi-factor authentication (MFA).

06. Develop and maintain secure systems

Next, you’ll need to define and implement processes to identify and classify risk before deploying technology. Without first conducting a thorough risk assessment, it’s impossible to manage and use technology in compliance with PCI standards.

After a risk assessment, you can then begin rolling out equipment and software used in processing or handling sensitive payment card information. Don’t forget to also apply patches in a timely manner, also a PCI DSS standard requirement. This includes patches for items like databases, point-of-sale terminals, and operating systems.

08. Identify and authenticate access to system

Per PCI DSS Requirement 8, every user should have their own unique, individual username and password. Never — under any circumstances — employ group or shared usernames or passwords. Moreover, all usernames and passwords should be complex.

This isn’t just to prevent hackers from guessing or stealing passwords to enter the system. It also ensures that — in the event of an internal data breach — activity can be traced and tracked back to specific users with near 100 percent certainty. To bolster unique access even further, PCI DSS requirements state that you employ two-factor authentication.
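One way to check the traceability point above against authentication logs, as an added Python example written for this page (not Panthera code): the same account logging in successfully from several hosts within a few minutes is the trace a shared credential leaves, and it is exactly the situation in which activity can no longer be tied to one person. The log line format, the ten-minute window, the two-source threshold and the log lines themselves are constructed for this example.

```python
"""Detect shared-account use from authentication logs (Requirement 8).

Added example for this page, not Panthera code. The log format, the
window and the threshold are assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per authentication event.
SAMPLE_LOG = """\
2024-05-01T09:00:12Z LOGIN user=jsmith src=10.10.5.21 result=success
2024-05-01T09:03:40Z LOGIN user=admin src=10.10.5.21 result=success
2024-05-01T09:04:05Z LOGIN user=admin src=10.10.7.88 result=success
2024-05-01T09:05:59Z LOGIN user=admin src=10.10.9.14 result=success
2024-05-01T10:30:00Z LOGIN user=jsmith src=10.10.5.21 result=success
2024-05-01T11:15:22Z LOGIN user=svc_backup src=10.10.8.3 result=failure
"""


def parse_events(text):
    """Parse '<timestamp> <kind> key=value ...' lines into (time, kind, fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, kv))
    return events


def shared_account_suspects(events, window=timedelta(minutes=10), min_sources=2):
    """Map user -> sorted source hosts for accounts that logged in successfully
    from at least `min_sources` distinct hosts inside any `window`-long span.

    One person normally works from one host at a time, so several hosts within
    minutes is the pattern a credential passed around a team produces.
    """
    by_user = defaultdict(list)
    for ts, kind, kv in events:
        if kind == "LOGIN" and kv.get("result") == "success":
            by_user[kv["user"]].append((ts, kv["src"]))

    suspects = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _src) in enumerate(logins):
            # Sliding window anchored at each login, looking forward in time.
            srcs = {src for t, src in logins[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                suspects[user] = sorted(srcs)
                break
    return suspects


if __name__ == "__main__":
    for user, hosts in shared_account_suspects(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: successful logins from {len(hosts)} hosts within 10 min: {hosts}")
```

The generic name “admin” in the sample is itself the kind of group account the requirement rules out; the detection above does not rely on the name, though, so it also catches a personal account whose password has been handed around.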

10. Track and monitor all access to network


12. Maintain a policy that addresses info security

12

The last step to becoming PCI compliant centers on organizational focus and cooperation. And that’s the creation, implementation, and maintenance of a company-wide information security policy. This infosec policy should cover employees, management, and relevant third parties.

Your infosec policy should be reviewed annually and disseminated to internal staff and third parties, with all users reading and acknowledging it. You’re also required to perform user awareness training and employee background checks to prevent the wrong people from accessing cardholder data.


Why Panthera?

Database-driven SAQ D Assessment
  Panthera: check
  Manual: check
  Panthera benefit: Significant time savings
Database-driven AOC
  Panthera: check
  Manual: check
  Panthera benefit: Automated workflow
Assessment Delegation
  Panthera: check
  Manual: Not easily achievable
  Panthera benefit: Considerable time savings
Database-driven ROC Assessment
  Panthera: check
  Manual: check
  Panthera benefit: Reuse of previous assessments, resulting in considerable time savings
Database-driven Reports
  Panthera: check
  Manual: check
  Panthera benefit: Each report prints in under 60 seconds
Security
  Panthera: Designed and implemented with a security mindset
  Manual: Word template security
  Panthera benefit: Enhanced role-based security controls to protect client data: confidentiality, integrity, availability

COMPLIANCE

Failure to comply could result in:
  • Significant fines by the card brands
  • Inability to accept credit cards for payment
  • Brand reputation damage
  • Customer litigation

Compliance is determined based on:

How your organization stores, processes, and/or transmits cardholder data across your infrastructure. Compliance is based on “Level” and “Type”: Level is based on the number of transactions performed in a 12-month period, and Type is defined by how your organization takes credit cards.

COMPLIANCE TYPE

  • A: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced; this would never apply to face-to-face merchants.
  • B: Imprint-only merchants with no cardholder data storage, OR stand-alone dial-up terminal merchants with no cardholder data storage.
  • C: Merchants with payment application systems connected to the Internet, no cardholder data storage.
  • C-VT: Merchants using only web-based virtual terminals, no electronic cardholder data storage.
  • D: All other merchants not included in the descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.

COMPLIANCE LEVEL

Level 1
  • Organizations with over 6M transactions per year
  • Suffered a Breach
  • Brand Discretion (e.g., Visa or Mastercard)
  • Labeled Level 1 by other Credit Card Brand
Level 2
  • Organizations with 1M to 6M transactions per year
Level 3
  • Organizations with 20,000 to 1M e-commerce transactions per year
Level 4
  • Organizations with fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M transactions per year

WHAT DOES IT MEAN FOR ME?

Level 1
  • Annual report on compliance (“ROC”) to be completed by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form
Level 2
  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 3
  • Annual SAQ
  • Quarterly network scan by ASV
  • Attestation of Compliance Form
Level 4
  • Annual SAQ recommended
  • Quarterly network scan by ASV
  • Compliance validation requirements set by merchant bank