Table of Contents
- What is PCI DSS?
- Our Services in PCI DSS
- How We Can Help?
What is PCI DSS?
Organisations that process, transmit or store cardholder data must comply with the PCI DSS (Payment Card Industry Data Security Standard). The Standard consists of a complex set of requirements, including the need to conduct regular vulnerability scans, penetration tests and risk assessments of the Cardholder Data Environment (CDE), in order to identify weaknesses that could be exploited by cyber criminals.
Our Services in PCI DSS
1. Vulnerability Scan (4 times per year)
Automated network-layer vulnerability scans of the CDE are required 4 times per year for compliance. External scans are a separate requirement from internal scans and have to be conducted separately. Internal vulnerability scans have to be conducted by a qualified person who is independent of the device or component being scanned.
Scan findings rated as critical, high risk or medium risk (i.e. those with a CVSS (Common Vulnerability Scoring System) score of 4.0 or higher) must be remediated. A rescan has to be performed within 30 days to demonstrate that all critical, high-risk and medium-risk vulnerabilities have been remediated.
2. Penetration Test (at least annually, or upon significant change of the CDE)
In PCI DSS compliance, there are 4 types of penetration test:
- Network (Internal & External) penetration tests
- Web application penetration tests
- Wireless penetration tests
- Social engineering penetration tests
PCI DSS requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually, or upon any significant change to your network or applications.
Exceptions: Penetration testing is mandatory except for organisations eligible for the following SAQs (self-assessment questionnaires):
- SAQ A: For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants.
- SAQ B: For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor.
- SAQ B-IP: For merchants that don’t store cardholder data in electronic form but use IP-connected point-of-interaction devices. These merchants may handle either card-present or card-not-present transactions.
- SAQ C-VT: For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function.
- SAQ P2PE: For merchants that use point-to-point encryption. It’s therefore not applicable to organisations that deal in e-commerce.
3. Risk Assessment (at least annually, or upon significant change of the CDE)
PCI DSS Requirement 12.1.2 requires organisations to establish an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.
The aim is to allow organisations to keep up to date with business changes and to provide a mechanism for evaluating those changes against the evolving threat landscape, emerging trends and new technologies. Examples of such changes include the introduction of a new product line or service offering, the introduction of a new software application in the CDE, a change of network topology affecting the CDE, etc.
How We Can Help?
Contact us (click here) and let us get into the details.