Obtaining PCI Compliance can be tough, and a headache for any company that is not properly prepared. Most organizations that are held to PCI Compliance wait until the last moment to consider their upcoming PCI audit and certification, and this almost always leads to a long road of frustration for everyone involved.
Well, Offensive Logic can help!
Our Cyber Security Experts will thoroughly examine your network and applications to ensure that they comply with the PCI DSS requirements. We currently offer quarterly network and application testing so that you are always prepared for the upcoming PCI audit, which in turn offers you peace of mind.
The Payment Card Industry Security Standards Council (PCI SSC) mandates that organizations build and maintain a secure computing environment wherever they process, transmit or store Cardholder Data (CHD). Offensive Logic understands that meeting and maintaining PCI Compliance is very important, and we are confident that our extensive experience in PCI Compliance support will help you ensure that your compliance requirements are met.
Application Penetration Testing
PCI DSS (Data Security Standard) Requirements 6.5 and 6.6 state that the organization must “develop all web applications (internal and external, including web administrative access to applications) based on secure coding guidelines such as the Open Web Application Security Project (OWASP) Guide, and cover prevention of common coding vulnerabilities in software development processes”, including:
- Information Leakage
- Session Management
- Default Configurations
- SQL Injection
- Cross Site Request Forgery
- Application and Business Logic
- Proper Input Validation
- Privilege Escalation Opportunities
- Client Side Code
- Server Side Input Validation
Additionally, for public-facing web applications, the organization must “address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
- Installing a web-application firewall in front of public-facing web applications.”
Network Penetration Testing / Vulnerability Assessments
PCI DSS Requirements 11.2 and 11.3 require an organization to run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, and product upgrades); the quarterly external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV). Additionally, an external and internal penetration test must be conducted at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, or the addition of a sub-network or web server to the environment).
Offensive Logic’s penetration testing methodology will not only help you become compliant, but also takes steps beyond mere compliance to protect your environment and Cardholder Data (CHD). Compliance measures must be implemented, but we believe they are just a baseline for protecting your network and applications from attack and compromise. Not only will we help ensure that you are compliant, we will help ensure that you are SECURE!