PCI DSS Compliance

Most people are unaware that if they handle credit cards, they are obliged to follow a set of rules called the Payment Card Industry Data Security Standard (PCI-DSS). Depending on how many credit cards you handle, this can range from quarterly scans of your network, to requiring exhaustive independent audits.

The cost of not complying can range from severe – having your ability to process credit card payments suspended or cancelled – to catastrophic – paying millions of dollars in compensation as well as hundreds of thousands in punitive fines to the card issuer if you’re the victim of an attack.

iSec services can assist you with PCI compliance, whether you simply need help filling out the self-assessment questionnaire or need full Level 1 compliance. iSec services also offers gap analysis, identifying where your environment falls short of the standard and helping you close those gaps. Unlike organizations that push the regulation on every client, our experts will first check whether it actually applies to you or whether you can do without it.

Onsite Penetration Testing

Onsite penetration tests focus on vulnerabilities in the internal systems as seen by an insider. The tests cover all IT-related equipment at the client site. Activities performed during these penetration tests include:

  • Penetrating the internal network as an insider, using the knowledge a regular employee of the client would have (for example, one who has been terminated or otherwise removed).
  • Reviewing and cataloguing the security and audit settings on NT systems. Other vulnerability testing software may also be used.
  • Connecting the penetration team to the client’s internal network and attempting to compromise servers, workstations and other devices.
  • Using compromised accounts, or a normal account provided by the client, to attempt to gain administrative/root access to servers, network equipment and other machines on the network.
  • Identifying the damage that could be done if administrative or root access is achieved on any of these machines.
  • Duration for these tests is between two and three weeks.

Remote Penetration Testing

Remote penetration tests focus on the security and robustness of the client organisation’s information technology infrastructure. The tests cover the installed servers, modems, routers, bridges and authentication services in use at the client premises.

These penetration tests are performed using tools that include third-party products as well as our own software. The tests include the following activities:

  • Port scanning from the external network.
  • Exploiting weaknesses in the operating system and applications to harvest files from the system and to plant files on it.
  • Testing for the availability of unsecured modems and attempting to gain access to a system through them.
  • A questionnaire to the client organisation regarding the network layout and management of IP addresses.
  • Normal duration of these tests is 3-4 weeks.
  • At the end of the tests, a detailed report with recommendations is delivered to the client.

To ensure we do not accidentally penetrate another company (which can be a felony offense), the client will provide the telephone numbers they use and wish us to test. As an alternative, the client can provide us with a corporate telephone book that is available to all employees. We will use this to ensure we stay within the company’s valid phone number ranges.