Our first step is a Gap Analysis against PCI DSS and/or security best practices. Typically, the analysis finds that additional security controls must be implemented to meet PCI DSS or best-practice requirements. The projects that result are outlined below, together with the PCI DSS control objective each one fulfills.
Scope Reduction and Network Segmentation to Meet Security Requirements
Limit the number of systems that transmit, store or process cardholder data (and other confidential data), so that fewer systems fall within PCI DSS scope. Address the outstanding PCI DSS requirements as the new network design is built, with the goal of minimizing the design changes and capital expenditure required downstream of this project.
1.2 Build a firewall configuration that restricts connections between untrusted networks and any system component in the cardholder data environment
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment
4.2 Never send unencrypted PANs by end-user messaging technologies (e-mail, instant messaging, chat)
6.6 For public-facing web applications, ensure they are protected against known attacks by either reviewing application vulnerabilities or installing a web-application firewall
8.3 Two-factor authentication for remote access to the network by employees, administrators and third parties
8.4 Render all passwords unreadable during transmission and storage on all system components, using strong cryptography
10.1 Establish a process for linking all access to system components (especially administrative access such as root) to an individual user
10.2 Implement automated audit trails for all system components
11.4 Use intrusion-detection and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment and at critical points inside it, and alert personnel to suspected compromises
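The segmentation projects under 1.2 and 1.3 above are verifiable: a gap analysis compares the firewall rule set that sits between the Internet, the DMZ and the cardholder data environment (CDE) against the intent of those two requirements. The following is an added example, not code from the original page or from any assessment tooling: a small policy checker over a constructed rule format. The zone names, address ranges, rule fields and the two sample rule sets (a flat "before" network and a segmented "after" design) are all assumptions made for the illustration; the findings it raises are one reading of 1.2 and 1.3, not the standard's own test procedures.

```python
"""Added example: checking a firewall rule set against the segmentation intent
of PCI DSS 1.2 (restrict connections into the CDE) and 1.3 (no direct public
access between the Internet and the CDE).  Zones, rule format and sample rule
sets are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed segments: which address ranges belong to which zone.
ZONES = {
    "CDE":       [ipaddress.ip_network("10.10.0.0/24")],
    "DMZ":       [ipaddress.ip_network("10.20.0.0/24")],
    "CORPORATE": [ipaddress.ip_network("10.30.0.0/16")],
}


def zone_of(address: str) -> str:
    """Map an IP address to its zone; anything outside the defined segments
    is treated as the Internet (an untrusted network)."""
    ip = ipaddress.ip_address(address)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "ANY"
    dst: str             # zone name or "ANY"
    proto: str           # "tcp", "udp" or "ANY"
    port: Optional[int]  # None means any destination port
    action: str          # "ALLOW" or "DENY"


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First-match evaluation of a flow.  A flow that matches no rule falls
    through to an implicit DENY, the default-deny posture 1.2 expects."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src not in ("ANY", s) or r.dst not in ("ANY", d):
            continue
        if r.proto not in ("ANY", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "DENY"


def violations(rules: List[Rule]) -> List[str]:
    """Findings for ALLOW rules that break segmentation.  Interpretation used
    here (an assumption of this example): any Internet<->CDE path breaks 1.3;
    any rule that lets every port or protocol into the CDE breaks 1.2."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "ALLOW":
            continue
        touches_cde = "CDE" in (r.src, r.dst) or "ANY" in (r.src, r.dst)
        public = "INTERNET" in (r.src, r.dst) or "ANY" in (r.src, r.dst)
        if touches_cde and public:
            findings.append(f"rule {i}: direct Internet<->CDE path ({r.src}->{r.dst}) violates 1.3")
        if r.dst in ("CDE", "ANY") and (r.port is None or r.proto == "ANY"):
            findings.append(f"rule {i}: unrestricted service into CDE from {r.src} violates 1.2")
    return findings


# Constructed "before" rule set: a flat network with a permissive catch-all,
# the typical starting point a gap analysis documents.
BEFORE = [
    Rule("ANY", "ANY", "ANY", None, "ALLOW"),
]

# Constructed "after" rule set: the Internet reaches only the DMZ web tier, the
# DMZ reaches the CDE only on the payment application's port, administration
# comes from one internal segment on one port, and everything else is denied.
AFTER = [
    Rule("INTERNET", "DMZ", "tcp", 443, "ALLOW"),
    Rule("DMZ", "CDE", "tcp", 8443, "ALLOW"),
    Rule("CORPORATE", "CDE", "tcp", 22, "ALLOW"),
    Rule("ANY", "ANY", "ANY", None, "DENY"),
]


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {violations(rules) or 'no segmentation findings'}")
    # A flow from a public address straight to a CDE host on HTTPS:
    print("Internet->CDE:443 after:", evaluate(AFTER, "203.0.113.5", "10.10.0.7", "tcp", 443))
```

The checker is deliberately zone-based rather than address-based so that the same evaluation can be re-run after the network design changes: rerunning `violations` on the proposed rule set is the verification step for the 1.2 and 1.3 projects, and `evaluate` answers the question an assessor asks in practice, namely whether a given public source can reach a given CDE host at all.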