PCI DSS Compliance

PCI DSS compliance

The Payment Card Industry Data Security Standard (PCI DSS) was developed to provide a common set of security standards to enhance cardholder data security and to foster adoption globally. Achieving and maintaining PCI DSS compliance is an activity that any organization who stores, processes and transmits cardholder data must perform. The PCI DSS consists of six areas with twelve requirements to ensure proper controls are in place at the organization, in addition to specific processes and controls for third-party risk management.

There are PCI DSS requirements that FortifyData can help an organization meet in addition to the ones related to third-party risk management. Below are descriptions of how FortifyData can help you meet those specific requirements.

The PCI DSS and Enterprise Risk Management

Here is how FortifyData can help you meet the following areas of the PCI DSS.

PCI DSS Requirements

How We Help

PCI DSS Requirement 2: Do not use the vendor’s default settings and values for system passwords and other security parameters.

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include but are not limited to:
  • Center for Internet Security (CIS)
  • International Organization for Standardization (ISO)
  • SysAdmin Audit Network Security (SANS) Institute
  • National Institute of Standards Technology (NIST)

The FortifyData cyber risk management platform helps organizations audit their systems using applicable CIS, ISO or NIST benchmarking standards. Achieved using FortifyData Internal Agents.
Maintain an inventory of system components that are in scope for PCI DSS.

The FortifyData cyber risk management platform helps you discover and manage an inventory of all your company’s PCI scoped systems.

PCI DSS Requirement 5: Protect all systems against malware and update anti-virus software or programs regularly

PCI DSS 5.1.2
For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

For internal systems, the FortifyData agents perform periodic assessments on systems not commonly affected by malicious software to identify new threats or malicious applications.

PCI DSS Requirement 6: Develop and maintain secure systems and applications

Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

The FortifyData Cyber Risk Management Platform provides a reputable source for vulnerability ranking, leveraging the NVD CVSS base score calculation.
For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

The FortifyData Cyber Risk Management Platform performs automated application layer vulnerability security assessments and generates alerts for immediate review.

PCI DSS Requirement 11: Test security systems and processes regularly

PCI DSS 11.2
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).

The FortifyData cyber risk management platform allows your organization to perform internal and external vulnerability assessments. To help identify vulnerabilities and weaknesses within your infrastructure in a timely manner.

Internal Assessments achieved using FortifyData Internal Agents.

PCI DSS Requirement 12: Establish and maintain a policy that addresses information security for all personnel

PCI DSS 12.2
Implement a risk-assessment process that:​
  • Is performed at least annually and upon​ significant changes to the environment​ (for example, acquisition, merger, relocation, etc.),​
  • Identifies critical assets, threats, and​ vulnerabilities, and​
  • Results in a formal, documented analysis of risk.

The FortifyData Cyber Risk Management Platform allows your organization to perform quantitative and qualitative risk assessments of critical assets through analysis of threat and vulnerability discoveries. Methodologies include NIST SP 800-30 and Annualized Loss Expectancy (ALE) formulas.

The PCI DSS and Third-Party Risk Management

PCI DSS 12.8
Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

The FortifyData Cyber Risk Management Platform allows your organization to automate your PCI DSS due diligence process for engaging service providers and third-party vendors. Monitor and receive notifications of high-risk service providers and vendors that are no longer in compliance.

PCI DSS 12.8.4
Establish a schedule to monitor service providers’ PCI DSS compliance status at least annually.

FortifyData offers a standard PCI DSS or custom questionnaire to gather and analyze performance data, is auto-validated with direct assessment findings from FortifyData assessments, delivering a single repository of all third-party vendor evidence.