
If you store, process, or transmit credit card data, your business is subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security requirements designed to prevent costly breaches and theft of cardholder data.

LBMC Cybersecurity offers a full suite of data security services to help you achieve and maintain PCI compliance.


Working with LBMC on our PCI compliance has helped us deliver a more secure product to our insurance-based customers.


In this podcast episode, LBMC’s Bill Dean and John Dorling discuss some of the tools available to help merchants who are trying to achieve PCI compliance.


As a PCI-certified Qualified Security Assessor (QSA), LBMC offers expert guidance to help clients navigate the PCI DSS requirements and maintain compliance. We deliver practical solutions and emphasize long-term partnerships. Our low staff turnover means you work with the same QSA year after year.


  • Overview: Only Level 1 merchants and service providers are required to submit a QSA-led Report on Compliance (ROC), although an acquirer may require one regardless of company size.
  • Process: Our team guides you from scoping and segmentation through the assessment to issuing the final ROC and Attestation of Compliance (AOC). We also offer a “one audit, many reports” approach for organizations that must report against multiple frameworks.


  • Purpose: Evaluate your current PCI compliance efforts and identify the areas that need improvement.
  • Process: We provide guidance on reducing scope, interview key staff, execute test procedures, and deliver an actionable list of remediation steps to prepare you for a PCI assessment or self-assessment questionnaire (SAQ).


  • Requirement: PCI DSS requires quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV): Requirement 11.2.2 in PCI DSS v3.2.1 (Requirement 11.3.2 in v4.0). Requirement 11.2.1 covers the quarterly internal scans, which do not require an ASV.
  • Service: Our ASV service includes unlimited scans for one year using an industry-leading scanning engine, a secure portal for the self-assessment questionnaire, scan scheduling and management, and electronic submission of results to your acquiring bank.


  • Support: We conduct interviews and walkthroughs to assist you with the PCI DSS SAQ-D.
  • Outcome: Correct identification of the cardholder data environment (CDE) and a completed SAQ-D.

PCI Flash Assessment

  • Purpose: Provide a rapid assessment to guide your PCI compliance strategy.
  • Focus: Determine PCI scope and network segmentation.


  • Service: Receive expert PCI compliance advice and education from a senior PCI QSA.
  • Benefit: Get timely answers and solutions for current projects that affect your PCI compliance, paying only for the time you need.



  • Purpose: Ensure compliance with PCI DSS Requirement 11.3 (Requirement 11.4 in PCI DSS v4.0).
  • Approach: Our testing processes align with the PCI DSS requirements, including validation of the CDE boundary (segmentation testing). This helps assess how susceptible your environment is to attack.


  • Purpose: Evaluate the security of web applications to ensure compliance with PCI DSS Requirement 6.6 (Requirement 6.4 in PCI DSS v4.0).
  • Approach: We conduct “gray box” assessments (testing with some knowledge of the application, but without access to its source code) to identify vulnerabilities that attackers could exploit.


  • Purpose: Identify all stored card data to meet the PCI DSS requirements.
  • Approach: We scan files and data stores for cardholder data, with the option to extend the discovery to PII and ePHI.


  • Purpose: Improve your organization’s security posture and reduce the risk to cardholder data.
  • Approach: We provide education and training to raise employee awareness of PCI security and general security practices, reducing susceptibility to social-engineering attacks that target people rather than systems.


In this episode, Bill Dean and Stewart Fey discuss penetration testing for PCI compliance. Learn the difference between a penetration test and a vulnerability assessment, and what is needed to meet the PCI DSS requirements.


Organizations subject to PCI DSS must demonstrate compliance annually and conduct regular security testing, including penetration tests. These tests can be performed in-house or by a third party as part of a PCI compliance assessment. A penetration test simulates a cyber attack to expose vulnerabilities, providing insight into how effective your PCI DSS controls actually are.


A penetration test is an intentional, authorized attack on your network performed by your organization or a third-party security partner to identify exploitable vulnerabilities. The test simulates a range of attacks, from malware to hands-on human intrusion, to evaluate your defenses. PCI DSS requires a penetration test at least annually and after any significant change to the environment. It may be performed internally, but many organizations prefer a third-party partner for an impartial, expert assessment.


Third-party testers provide an objective view and bring specialized expertise in common attack techniques, giving a realistic picture of how susceptible your systems are. Because they have no insider knowledge of your network, they reproduce an authentic intruder’s perspective. This approach avoids the pitfalls of unreliable do-it-yourself tools and ensures thorough testing.

LBMC Cybersecurity can review your compliance efforts, perform penetration testing in support of compliance, and help you develop a remediation action plan.



Even if you have completed a self-assessment questionnaire and believe you are compliant, it is wise to have security experts perform a readiness assessment. This verifies that you have interpreted the PCI DSS requirements correctly and that your assumptions are well-founded. Merchants often misinterpret PCI compliance guidance and mistakenly attest to compliance.


A readiness assessment helps you self-evaluate more confidently in the future and understand how and why your security measures work. It also reveals opportunities to manage security more robustly and more economically.


1. Identify cardholder data locations

  • Determine where cardholder data is stored, processed, or transmitted in your environment.
  • The assessor traces the flow of card data through your network, including unexpected places such as spreadsheets or email systems.

2. Define the PCI compliance scope

  • Determine which systems are subject to the PCI DSS requirements by following where the card data goes.
  • Systems that never touch card data, and that neither connect to nor affect the security of the cardholder data environment, are out of scope. Focusing on the systems that matter saves you time and money.

3. Identify and address gaps

  • Compare the in-scope environment against the PCI DSS requirements through interviews, inspections, and process walkthroughs.
  • Common gaps include missed quarterly internal vulnerability scans, missing patches, default passwords, and inadequate documentation.



  • Scan regularly for missing patches and other vulnerabilities.
  • Review and remediate high-risk findings, then rescan to confirm that each issue is actually resolved.


  • Make sure the documentation for each PCI DSS requirement (or “control”) supports a finding of compliance.
  • Review past scans and documentation so that you can complete the self-assessment questionnaire accurately.
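Step 1 above (finding where card data actually lives, including in spreadsheets and mailboxes) and the card data discovery service described earlier both come down to the same technique: sweep text for digit runs that look like a primary account number (PAN), keep only those that pass the Luhn check the card brands use, and report them masked so the discovery report does not itself become cardholder data. The following is an added example written for this page, not LBMC’s tool or the PCI Council’s code; the file contents are constructed in memory, the card numbers are the public Visa, Mastercard and American Express test PANs, and the file paths are hypothetical.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by the card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_hint(pan: str) -> str:
    """Rough issuer hint from the leading digits (IIN ranges of the major brands)."""
    two, four = int(pan[:2]), int(pan[:4])
    if pan.startswith("4"):
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if four == 6011 or two == 65:
        return "Discover"
    return "unknown"


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Yield (line_number, masked_pan, brand) for every Luhn-valid candidate in text.

    The raw PAN is never returned or stored: a discovery report containing full
    PANs would itself be cardholder data and would have to be protected as such.
    """
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                yield line_no, mask_pan(digits), brand_hint(digits)


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> text content and return the masked findings."""
    findings = []
    for path, content in files.items():
        for line_no, masked, brand in find_pans(content):
            findings.append({"file": path, "line": line_no, "pan": masked, "brand": brand})
    return findings


# Constructed sample "files" standing in for the spreadsheets, mailboxes and logs a
# discovery sweep covers (hypothetical paths). Only public test PANs appear here.
SAMPLE_FILES = {
    "finance/refunds.csv": (
        "order,amount,card\n"
        "1001,49.99,4111 1111 1111 1111\n"     # valid Visa test PAN: reported
        "1002,12.00,4111-1111-1111-1112\n"     # last digit wrong, fails Luhn: dropped
    ),
    "mail/inbox.txt": "Customer pasted card 5555555555554444 exp 12/26 into the chat.\n",
    "app/debug.log": (
        "trace id 1234567890123456 ok\n"       # 16 digits but fails Luhn: dropped
        "sku 9780134685991 shipped\n"          # ISBN-13, 13 digits, fails Luhn: dropped
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['pan']}  ({f['brand']})")
```

Run against the sample files it reports only the two genuine PANs (the refund spreadsheet and the mailbox), and rejects the trace ID and ISBN that a plain digit-run regex would have flagged. In a real sweep the same functions would be fed file contents read from disk, mail stores, and database exports; anything that is reported then belongs in scope under step 2, or needs to be deleted or tokenized so that it does not.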

LBMC Cybersecurity can review your compliance efforts, help you confirm compliance, and help your team build a remediation action plan. Contact us for more information or assistance.


As a Qualified Security Assessor, we have identified a handful of steps that make a PCI compliance assessment run as smoothly as possible for merchants.


1. Choose a collaborative QSA.

  • To keep the process as efficient as possible, it has to be collaborative. Identify and partner with a QSA that demonstrates a solid understanding of your business environment. The QSA should also be able to explain its on-site fieldwork procedures clearly.

2. Organize your documentation.

  • A Report on Compliance requires documentation for every control, which adds up to a great deal of documentation. Look for a QSA that gives you enough time to assemble it; six weeks of lead time is appropriate.

3. Talk early.

  • A QSA should schedule interviews with key personnel weeks before the on-site visit, both to respect their time and to gather the necessary data. Regular communication is crucial so that noncompliance issues can be addressed quickly, before the QSA issues its report. Designate a key internal contact to manage potential issues and handle documentation requests.

Avoid QSAs that do not communicate before or after the assessment; find a partner that educates you throughout the process, strengthening both your security and your confidence.



Understanding the terminology is crucial for completing the self-assessment questionnaire or communicating with your QSA. The PCI Security Standards Council provides a glossary with easy-to-understand explanations of the technical terms used in payment security. This resource is free on the PCI Security Standards Council website.


For small or first-time merchants, the Common Payment Systems resource on the PCI Security Standards Council website is invaluable. It provides realistic visuals to help you identify your payment system, its associated risks, and the protections it needs. The tool covers 15 common types of payment card implementations and their risk profiles, and is available free on the PCI Security Standards Council website.


The Guide to Safe Payments explains core concepts, risks, terminology, and protection strategies. It also serves as a hub for other useful PCI documents and tools. The guide is free on the PCI Security Standards Council website.


To manage service providers and vendors effectively, the PCI Security Standards Council provides Questions to Ask Your Vendors. This resource lists specific questions to help you confirm that vendors protect customer credit card data. It is free and available on the PCI Security Standards Council website.


Stewart Fey


Drew Hendrickson

Shareholder & Cybersecurity Practice Leader

