FAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER

Transcription

1 FAQ S: TRUSTWAVE TRUSTKEEPER PCI MANAGER SAQ FAQ S Q: Should I complete the PCI Wizard or should I go straight to the PCI Forms? A: The PCI Wizard has been designed to simplify the self-assessment requirement of the Payment Card Industry (PCI) Data Security Standards (DSS). The Wizard is a guided interview that asks questions in a less technical manner, with help and guidance throughout the process. Most merchants find the PCI Wizard to be much easier than completing the Self-Assessment Questionnaire (SAQ). The SAQ is intended for those with a technical background and/or familiarity with the PCI DSS requirements. Due to the simple nature of the Wizard, we highly recommend that you use the Wizard to complete the self-assessment portion of your compliance validation. Q: Many of the questions in the PCI Wizard do not seem to apply to my organization, what should I do? A: If you come across a large number of instances where the questions do not reflect your business s environment, it is quite possible that you are completing the wrong PCI Wizard. Please or call Compliance Support to verify you are in the incorrect PCI Wizard and have them correct it for you. Q: How do I change my responses on the PCI Wizard? A: In order to edit your responses on the PCI Wizards, begin by logging into your Trustwave TrustKeeper account. Once you are logged into your account, click on the Dashboard link from the top left side of the screen. In the page that loads, click on PCI Self-Assessment and click on Continue. To edit your responses to the PCI Wizard, select a section and click Review Q&A or Continue. Q: Will you help me with the questions asked in the PCI Wizard? A: We can assist you with the PCI Wizard if you have specific questions regarding the compliance requirements. However, there are many resources available in the Trustwave TrustKeeper portal which may help you pass the PCI Wizard. When you are logged into the portal, click on the PCI icon, from there you should see a sub menu with different options, like Security Policy and Training. These tools will help you comply with the Policies and Procedures section of the PCI Wizard. You can modify the Security Policies and Procedures Document to fit your organization s needs, which will help you comply with the requirement that states that you must have a written security policy. All questions on the PCI Wizard have two circular blue icons that can be clicked for additional help. The blue circular icon with a? symbol, will help you choose the correct response to the questions. The blue circular icon with the i symbol, will tell you why the question is important. We recommend you make every effort to answer the question to answer the questions to the best of your ability. If you come across a question you are having trouble with, answer it the best you can, make a note of it and move on; then contact us with your list of specific questions. While we cannot actually answer the questions on the PCI Wizard on your behalf, we can offer clarification of specific questions. If you find that your responses are causing the Action required notice and icon, click the Resolve Issues button and review the questions, your response will be highlighted in red, and select the Click for Advice button for targeted suggestions on how to meet the requirement. Once you have made the changes, you can revise your answer appropriately. Q: If I do not have a computer/internet access how can I complete the PCI Wizard? Copyright 2014 Trustwave Holdings, Inc. All rights reserved. 1

2 A: You should make every attempt to complete the PCI Wizard online via the Trustwave TrustKeeper website. Most merchants also find the PCI Wizard to be much easier than a hardcopy SAQ. Trustwave TrustKeeper support is limited in the assistance they can provide with a hardcopy SAQ. We recommend contacting a friend, family member, neighbor, library or other public building for access to the Internet. Also you may consult your local copy store or Internet Cafe (if there is one nearby) as they often provide computers with Internet access. It is possible that your bank may allow you to fill out a hardcopy, paper version of the SAQ. You should consult your bank to determine if this is possible and the process that you would need to follow if they allow it. Q: What if I have a SAQ from another vendor? A: If you have already validated your compliance with another vendor, you can identify yourself as Already Compliant on the home page. This will require you to choose which SAQ you have completed and attest to your compliance. You will then be required to upload your SAQ and scan reports. Q: Will the Trustwave TrustKeeper system log me out of the system due to inactivity? Will this affect my work in the PCI Wizard? A: The Trustwave TrustKeeper systems will prompt you to reenter your password after an extended period of time. Please note your answers will not be lost. Q: What do I do when I ve completed the PCI Wizard? A: When you have successfully passed each section of the PCI Wizard, you will then be prompted to review the formal SAQ form (required for PCI DSS compliance). The formal SAQ form has been prepopulated based on your responses from the PCI Wizard. After you have reviewed and attested that this information is correct, click Acknowledge and Submit. SCANNING FAQ S Q: Why am I being required to have a scan preformed? A: The Payment Card Industry Data Security Standard (PCI DSS) states that any device involved in the processing, transmission, or storage of credit card holder data over the Internet, or any device which may be connected to such a system must have a passing vulnerability scan present once every quarter. If you have a website that redirects to a third-party for payment (such as PayPal or Authorize.net), Trustwave TrustKeeper will perform a vulnerability scan and provide you with the findings, however, these will not count towards compliance. Q: What will the scan do? How does it work? A: Scans generally operate by searching for open ports on the computer and determining what programs are listening to those open ports. The scanner tests those ports and the programs running behind them and reports back its findings for you to view online. If any action is needed the report will detail any actions for your organization to take in order to become compliant. The scanner attempts to identify or "fingerprint" any applications running behind open ports after running a port scan. Based on the findings, the Trustwave TrustKeeper system reports any vulnerability known to affect the version of the software identified. Sometimes if a version is flagged as vulnerable, the scanner checks for controls that might compensate for that vulnerability. If no compensating controls are present to mitigate the risk, the scanner reports a vulnerability. Also, the scanner may check the way that your applications are configured to make sure that they provide appropriate responses and prevent certain types of requests. Trustwave TrustKeeper does not analyze any traffic. 2 Copyright 2014 Trustwave Holdings, Inc. All rights reserved.

3 Nor do the scanners actually perform any true penetration tests such as attempting to crack logins or executing buffer overflows. Trustwave TrustKeeper performs a scan of your network and looks for vulnerabilities. Trustwave TrustKeeper is trying to identify the same vulnerabilities that hackers/crackers would use. If you remove the vulnerabilities on your system as the remediation actions suggest, then you in effect make it harder for malicious traffic to get into your system. Q: Will the scan have negative impacts on my infrastructure? A: The Trustwave TrustKeeper scan is meant to provide a non-intrusive, external vulnerability scan. You may experience some latency on your Internet connection while this scan occurs (because the scan will use a portion of your available bandwidth while the scan is running), but it should not affect your infrastructure or cause any devices to stop responding. If you still have concerns we recommend scheduling your scan for a date when your infrastructure is not likely to be in heavy use. Q: What do I need to scan? A: You will want to scan any device involved in the processing, transmission, or storage of credit card holder data over the Internet, or any device which may be connected to such a system without proper network segmentation in place such as a firewall. Q: Why did my scan receive a fail result? What should I do? A: In order to understand why your Trustwave TrustKeeper vulnerability scan was non-compliant, we recommend consulting your latest scan report. This may be accessed by clicking the "Scanning" link on the PCI menu once logged into the portal. Click on the PDF Report to see the complete scan report. The scan report details all the vulnerabilities found within your network environment, a description is also provided for each vulnerability, along with a column to the right labeled "Remediation." To correct the vulnerabilities, we recommend following the suggestions that appear in the remediation action column. The description may also contain additional reference links that may be helpful in troubleshooting the issue. As a note, only vulnerabilities with a red box with the letters "PCI" in the score column affect the compliance of the report. Once these issues are corrected, you may schedule a new scan using the Rescan link to clear the findings from your report. Q: Why didn t you scan all of my systems? A: The Trustwave TrustKeeper system makes every effort to scan all of the devices that you have identified. However, some devices may be set up with firewalls that keep our scanners from gaining access to the device. Also, devices that are having connectivity issues or were powered off will keep our scans from connecting successfully. We recommend ensuring that any firewalls and/or IPS devices are configured to allow our connections. IPS devices or modules should be set to allow our scanners source IP addresses ( /24 and /24), but we do not recommend whitelisting these addresses on your firewall (only whitelist us on the IPS module on the firewall, if there is one). Many IPS devices will block the scanner s packets because they send so many requests in Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 3

4 a short amount of time, and some of those may be detected as suspicious or malicious since they are probing for possible vulnerabilities. Q: What if the scan appears to identify vulnerabilities that are not actually present in my environment? A: If the Trustwave TrustKeeper scanner has falsely identified a vulnerability that you believe does not actually exist on your system, then you should probably file a dispute against the vulnerability. In order to dispute a vulnerability, please begin by logging into your Trustwave TrustKeeper account. Once you are in your account, click the "Scanning" link from the menu on the top of the screen. When that page loads, you should find a list of all vulnerabilities found. Click on the vulnerability you d like to dispute. Click on the Dispute Finding button. In the next window that loads, select the reason of the dispute from the drop down box, place a short description of the dispute in the Title field, and in the Comment field, give a justification for why you believe this vulnerability should be disputed. Be as detailed as possible. Click Save when you are done. An engineer will then manually review the dispute and deny or accept the request. Please allow up to five business days for a response. Q: Can I add multiple IP addresses or domain names to my scans? A: PCI requirements mandate that any websites or IP addresses involved in the storage, processing, or transmission of cardholder data under your control must be scanned. Trustwave TrustKeeper does allow you to enter all in-scope websites and IP s. Trustwave TrustKeeper will not allow you to enter IP addresses that are not externally accessible. The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private networks: (10/8 prefix) (172.16/12 prefix) ( /16 prefix) If your IP address changes often (which is common with DSL lines), you may want to use the TrustKeeper Agent to automatically inform the portal of your address whenever it changes. If you are attempting to add a domain ending with ".gov," you will be unable to do so at this moment. Please determine if the.gov website is actually in scope. If it is, please contact Trustwave Compliance Support to have it added. Q: How can I reschedule a scan? A: In order to reschedule a scan, please begin by logging into your Trustwave TrustKeeper account. Once you are in your account click "Scanning and then Scan Setup. In the page that loads you should see a box labeled "Edit Schedule." Then choose the day you would like to run your scan and click Save. Q: What if I don t want to install the TrustKeeper Agent? A: The TrustKeeper Agent is not required for compliance. The TrustKeeper Agent helps automate the task of finding and entering IP address information. If you do not want to download and install the TrustKeeper Agent, then you will need to manually enter the public IP address of your financial network into the Network Questionnaire. If your IP address changes, you will need to login back in and update the IP address in the PCI Scan Management tab, right before your scan runs. 4 Copyright 2014 Trustwave Holdings, Inc. All rights reserved.

5 GENERAL QUESTIONS, FAQ S Q: How do I know if I am compliant or not? A: To access your Payment Card Industry (PCI) compliance status log into your Trustwave TrustKeeper account, and click on the "Dashboard" link in the top left-hand side of the screen. There you should find information regarding your PCI compliance status. Q: Does my SSL certificate, payment processor or Trustwave make me compliant? A: No. While you may be taking precautions to safeguard credit card holder data, and you also may be working with PCI compliant companies, your organization is still responsible for its own compliance. The only way to validate compliance with the Payment Card Data Security Standard (PCI DSS) is to work with a Qualified Security Assessor (QSA) and/or an Approved Scanning Vendor (ASV) Trustwave is both a QSA and an ASV. At a minimum you will to have to have a passing Self- Assessment Questionnaire (SAQ) report, and you may be required to have a passing scan report as well, depending on your credit card processing environment. Q: What is PCI DSS? Why was it created? Why do I need to be compliant? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created by the PCI Security Standards Council (PCI SSC). This standards council is composed of many entities, including the largest credit card companies in the world such as Visa, MasterCard, American Express, Discover, JCB, among others. These standards were created in an effort to lower the incidence of identity theft and fraud, as well as to increase security of credit card systems in general. The PCI DSS states that any organization involved in the processing, transmission, or storage of credit card holder data must be PCI complaint. Any organization which is not complaint may be assessed fees by their bank or may even have their credit card processing services revoked. Q: I cannot login; my password is wrong and/or I am not able to remember it. What should I do? A: You can reset your password yourself. You only need to know your username associated with your account. Type login.trustwave.com in your web browser, enter your username, and click the link "I Forgot My Password." It's directly under the area where you would enter your login information. You will then be sent an with a link to reset your password. If you have forgotten your user name, you can also use the I Forgot My Username link on this page. You will be required to input your address associated with your user account. Q: Why am I being required validate my compliance? Who mandates these requirements? A: The Payment Card Industry (PCI) Security Standards Council (composed of the largest credit card payment brands such as Visa, MasterCard, etc ) publishes the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS states that any organization involved in the processing, transmission, or storage of credit card holder data must be PCI complaint. The payment brands enforce the PCI DSS on acquiring banks that process their particular brand of credit cards. The level of enforcement is based on the level of the merchant as determined by the payment brands. The banks in turn (under pressure from the payment brands) set compliance deadlines, monitor the compliance status of merchants, levy non-compliance fees, and may exempt merchants from certain PCI DSS requirements if deemed appropriate. If the bank is unable to meet the requests of the payment brands and get their merchants into compliance, it too may be assessed fees. Copyright 2013 Trustwave Holdings, Inc. All rights reserved. 5

6 Q: What if I refuse to validate my compliance? A: If you decide not to validate your Payment Card Industry Data Security Standard (PCI DSS) compliance, you may be assessed a non-compliance fee by your bank. If you ever experience a compromise or a data security breach, you will likely be held responsible for the financial costs of reversing these damages as well as the fines that are associated with a compromise. It is possible that your processor/bank may even revoke your ability to process credit cards. Q: I use Macintosh, Linux, UNIX, or another operating system. How can I complete the compliance process? A: Although you are using one of these operating systems, the steps towards compliance are the same as if you were using a Windows-based operating system. The main difference is that you will be unable to install or run the TrustKeeper Agent software. You will need to manually enter the IP information when you are filling out the Scan Location. If you need help finding your IP address, visit the following link from the computer on which you transfer, store, or process credit card information: Q: I'm having issues installing and/or running the TrustKeeper Agent. What should I do? A: Try uninstalling the old agent, re-downloading the agent and then re-installing the agent. The agent may be uninstalled by accessing "Add or Remove Programs" from the Windows control panel. If you are still having issues after that, then try installing the agent onto another computer which is on the same network that credit card information gets processed, transferred, or stored on (if this is at all possible). If you still cannot get the Agent to operate properly, then you will need to manually enter the public IP address of your financial network into Scan Location. 6 Copyright 2014 Trustwave Holdings, Inc. All rights reserved.