PCI Compliance Testing Services
Rapid7 is a PCI Council Approved Scanning Vendor (ASV) which certifies us to help merchants achieve compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
With Rapid7 NeXpose, our Professional Services staff can perform an independent scan and produce the certified document for your records.
Rapid7 consultants and Consulting Partners can also assist with the completion of your PCI DSS Self-assessment Questionnaire that solicits information about the internal security practices of your business, both on the Web and on your internal network.
Rapid7 PCI Compliance services include:
- PCI compliance audit report and automated scans on a quarterly, scheduled basis.
- Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to attain full PCI compliance.
- Rapid7 PCI Professional Services Review.
- Rapid7 PCI Assessment Checklist completion for PCI certification.
What is PCI DSS Compliance?
PCI DSS is a worldwide standard endorsed by Visa (through its Cardholder Information Security Program, CISP), MasterCard, Discover, Diners Club, and American Express, and is designed to respond to the rising number of incidents of stolen cardholder account data. The goal of PCI DSS is simple: protect cardholder account data. The stark reality for the merchant is that the due diligence required to meet this standard is far from simple. In order to prepare for a PCI DSS compliance audit, merchants must test, remedy, retest, and document their final compliance findings addressing the twelve requirements of PCI DSS.
At a broad-brush level, the PCI DSS encompasses requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. The requirements scale based on the number of annual transactions. For example, Level 1 is the highest merchant level: Level 1 merchants process more than six million transactions annually and typically conduct an annual audit using an independent Qualified Security Assessor (QSA). Levels 2 through 4 include merchants that usually use the PCI DSS Self-assessment Questionnaire for their annual audit.
At all levels, merchants and service providers contract with a PCI Approved Scanning Vendor (ASV) to conduct vulnerability scans of any of their networks that transmit, process, or store cardholder data. In addition, to prepare for an annual PCI compliance audit, many merchants engage an external security assessment team to perform annual internal and external penetration tests as part of the vulnerability management plan mandated by PCI DSS Requirement 11.
Who is required to meet the PCI security standard?
All entities that accept credit or debit card payments, or that collect, process or store credit card transaction information, regardless of transaction volume, are required to be PCI compliant. Failure to meet the security standard may result in substantial fines or permanent expulsion from card acceptance programs.
All merchant banks are also required to receive certified proof of PCI compliance from companies that process more than 20,000 credit card transactions per year, or be held liable and fined themselves. Many merchant banks are beginning to require that all businesses accepting credit card transactions produce this certification of PCI compliance.
What is needed to meet the PCI standard?
There are two basic steps required to meet the standard:
- Pass quarterly vulnerability scans conducted by a PCI Council "qualified independent scan vendor" such as Rapid7. NeXpose PCI Compliance and our Professional Services resources can provide this independent scan and produce the certified document for your records.
- Complete a security self-assessment questionnaire that asks you about your internal security practices, both on the Web and on your internal network. Rapid7 can assist with the completion of this questionnaire.
"NeXpose became even more attractive when Rapid7 introduced its PCI compliance capabilities."
Mary Ann Blair
Director of Information Security
Carnegie Mellon University
