PCI On-Site Survey Service
Security audit by a Qualified Security Assessor (QSA)
The PCI On-Site Survey Service audits how companies that hold credit card information, such as merchants, store and use that information, using the Payment Card Industry Data Security Standard (PCI DSS) as the benchmark.
What is the Payment Card Industry Data Security Standard?
The Payment Card Industry Data Security Standard ("PCI DSS") is an international unified security standard for the effective protection of credit card information, jointly developed by five international card brands (VISA, MasterCard, American Express, Discover, and JCB).
The ISMS standard, a well-known security standard, covers policies and standards related to management and overall business operations, including the establishment of security policies. PCI DSS, by contrast, is a more practical and specific standard: it clearly defines the procedures for keeping card information safe and the methods for implementing the necessary systems.
The PCI DSS consists of 12 requirements that define the minimum security standards to be followed.
The certification process consists of up to three stages, depending on the size of the target company: self-interview, vulnerability scan, and on-site survey. Except for the self-interview, all of these activities are carried out by an assessor, a QSA/ASV (*).
12 Requirements of the PCI DSS
Building and maintaining a secure network
- Requirement 1
- Deploy a firewall to protect data and keep its configuration appropriate.
- Requirement 2
- Do not leave vendor-supplied factory default settings (including security-related settings) of systems and software unchanged.
Protecting card-holder information
- Requirement 3
- Protect stored card-holder data.
- Requirement 4
- Encrypt card-holder and sensitive information when sent over public networks.
Maintaining a program to manage vulnerabilities
- Requirement 5
- Use anti-virus software and update software regularly.
- Requirement 6
- Develop and maintain highly secure systems and applications.
Implementing robust access control methods
- Requirement 7
- Restrict access to data to what business needs require.
- Requirement 8
- Assign a unique identification ID to each user who accesses a computer.
- Requirement 9
- Restrict physical access to card-holder information.
Regular network monitoring and testing
- Requirement 10
- Track and monitor all access to network resources and card-holder information.
- Requirement 11
- Regularly test security systems and control procedures.
Preparing information security policy
- Requirement 12
- Prepare a policy on information security.
Companies subject to PCI DSS
- Card merchants
  Internet e-commerce shopping sites, distribution and retail (department stores, supermarkets, electric appliance stores), transportation and energy (gas stations, highways, railways, airlines), telecommunications (ISPs, mobile carriers), the service industry (hotels, restaurants), etc.
- Settlement agents
- Service providers
*QSA/ASV: A security assessment organization accredited by the PCI Security Standards Council (PCI SSC), the PCI DSS council jointly operated by the five international card brands.
Overview of PCI On-Site Survey Service
The on-site survey service comprehensively surveys the customer's internal rules, operations, system configuration, and so on, following a PCI DSS-based audit procedure, to confirm that they correctly reflect the requirements set forth in the PCI DSS.
- 1. Interview
- We interview each person in charge about the status of security measures, operational status, and information handling, and confirm the current state.
- 2. Document research
- We check documents such as security policies, standards, procedures, and records, which serve as the audit trail, to verify that operations are carried out as these documents state.
- 3. Observation
- We enter the areas where credit card and payment information are handled in the course of business and check the implementation status of physical security measures.
- 4. Checking settings
- We check whether an adequate security design has been implemented for computer and network equipment.
Benefits of PCI On-Site Survey Service
■ Objective evaluation is done by experts
■ The current situation is assessed and problem areas are identified
■ Certificate of compliance with PCI DSS is issued
■ Security level is identified accurately
■ Appropriate and efficient security measures can be taken
■ It is effective for external PR
*Additional conditions apply to issuing the certificate; please contact us separately.
Flow of PCI On-Site Survey Service
| Preliminary survey / meeting and information gathering | On-site survey | Report writing | Briefing | Certificate issued |
|---|---|---|---|---|
| We confirm the scope of the review and the method of investigation. | A QSA (auditor) visits the site and verifies compliance with PCI DSS. | We compile the results of the investigation and prepare a report in the form prescribed by the PCI SSC, and issue the signed certificate of compliance (AOC). | We report the results of the survey on compliance with the PCI DSS requirements. | In addition to the Certificate of Compliance (AOC), we issue our own certification logo mark and certificate if certain conditions are met. |