Payment Card Industry (PCI) Compliance Services

When processing credit card information, implementing a sound information security program is no longer optional; it is a requirement. A consortium of payment card providers [2] has mandated that any organization that stores, processes, or transmits credit card data must comply with the Payment Card Industry (PCI) Data Security Standard (DSS) [1]. Potential penalties for non-compliance include fines of up to $500,000 and loss of payment card transaction privileges. Since June 2005, thousands of merchants have implemented information security safeguards to conform to these globally recognized standards.

Neohapsis Experience:
  • Approved PCI DSS Qualified Security Assessor (QSA)
  • Approved Scanning Vendor (ASV)
  • Qualified CISP Incident Response Assessor (QIRA) [3]

Neohapsis security assessments are conducted by data security professionals who have in-depth experience and extensive knowledge in market and compliance requirements, current security standards, best practices, and government regulations. Over the last eight years, Neohapsis has provided deeply technical and process-rich assessments to over 750 organizations. Neohapsis is trusted by VISA to respond in the event of a security incident and perform forensic investigations. Our clients include merchants and service providers from all tiers across a multitude of industries.

Risk Assessment and Remediation

As an approved PCI DSS QSA, Neohapsis works with your team to identify gaps in compliance and to establish priorities for remediation. We review all systems, technologies, policies, processes and procedures covered by the PCI DSS. Our services include:

  • Analyze project scope against PCI criteria
  • Review solutions and controls against PCI requirements
  • Interviews with key personnel
  • On-site assessment of your facilities
  • Physical network audit
  • Perform initial vulnerability scan
  • Review of pre-assessment and scan results
  • Conduct gap analysis
  • Complete a readiness report
  • Develop a complete list of remediation items and suggested priorities

On-site Audit and Report on Compliance

Neohapsis focuses on all relevant systems and system components related to authorization and settlement, including:

  • External network connections
  • Connections to and from the authorization and settlement environment
  • Point-of-Sale (POS) terminals
  • Data repositories outside of the authorization and settlement environment that contain more than 500,000 account numbers

Wireless Assessment:

Neohapsis conducts wireless assessments for organizations that use wireless POS terminals to process or store cardholder data, or that have a wireless LAN connected to, or forming part of, the cardholder data environment.

Other Services:

As part of a PCI audit, Neohapsis will work with your team to complete the required validation steps, which include:

  • An annual self-assessment
  • Verifying the vulnerability scan results
  • Testing and validating the controls
  • Preparing a formal PCI Report on Compliance (ROC) or a Self-Assessment Questionnaire (as required)
  • Submitting the ROC and supporting documentation to the acquiring bank or merchant processor
  • Accreditation and certification of the audit report

Quarterly External Vulnerability Scan:

PCI DSS requires all companies processing card payments to undergo a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV); Neohapsis is a PCI ASV. Neohapsis performs these quarterly scans in line with the standards set by the PCI Security Standards Council. The non-intrusive scans are run over the Internet and identify vulnerabilities and misconfigurations in Internet-accessible web sites, applications, and IT infrastructure.

Annual Self-Assessment

The annual Self-Assessment Questionnaire, which Level 2, 3 and 4 merchants and applicable service providers must complete, is validated by Neohapsis and, if desired, can be conducted by Neohapsis (recommended). The Questionnaire covers all systems and system components involved in processing, storing, or transmitting cardholder data.

Reports

When it comes to usable results that matter, Neohapsis delivers. In Neohapsis' PCI reports, a concise and jargon-free executive summary is followed by comprehensive audit findings and observations, analyses, and detailed technical recommendations for remediation. Helpful details include:

  • Inventories of relevant data exchange relationships
  • Overview of the environment, including network topology
  • Verification of direct connection to payment card company
  • Validations of hardware and critical software in use
  • Review of POS products used (merchants only)
  • Validation of wireless LANs and POS terminals
  • Quarterly scan results summary

Incident Response and Forensics

In the event of a security breach, VISA requires a forensic review by a QIRA. Neohapsis is one of the few approved Qualified CISP Incident Response Assessors (QIRAs) in the world. VISA requires that members, merchants, and service providers take immediate action to investigate the incident, limit the exposure of cardholder data, notify VISA, and report investigation findings. Neohapsis' experienced forensic specialists enable you to prepare for, manage, and respond to any actual or suspected computer security incident.

Neohapsis provides analysis techniques to:

  • Recover deleted, destroyed, encrypted, and other hidden electronic evidence
  • Reconstruct events by uncovering the hidden activity records left by operating systems, Web browsers, and many other applications
  • Present compelling expert testimony in plain English that law enforcement and juries can understand

Neohapsis investigates system intrusions and potential compromises. This work is essential to restoring confidentiality, integrity, and availability: it establishes how the incident occurred and isolates the vulnerabilities or entry points involved.

Neohapsis not only assists with the investigation and root cause analysis, but also can help remediate vulnerabilities and work with you to re-establish PCI compliance.

Merchant and Service Provider Validation Table [4]

For each merchant and service provider level, the table lists the validation required (On-site Security Audit, Self-Assessment Questionnaire, Network Security Scan) and the Neohapsis service that covers it.

Merchants

Level 1
  MasterCard and Visa:
  • Any merchant processing more than 6 million transactions per year
  • Any merchant that has suffered a hack
  • Any merchant identified by any payment card brand as Level 1
  On-site Security Audit: required annually, Neohapsis (QSA)
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Level 2
  Visa:
  • Any merchant processing 1 – 6 million transactions per year
  MasterCard:
  • All merchants with 150,000 – 6 million e-commerce transactions per year
  • Any merchant identified by any payment card brand as Level 2
  Self-Assessment Questionnaire: required annually, Neohapsis
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Level 3
  Visa:
  • Any merchant processing 20,000 – 1 million e-commerce transactions per year
  MasterCard:
  • All merchants with 20,000 – 150,000 e-commerce transactions per year
  • Any merchant identified by any payment card brand as Level 3
  Self-Assessment Questionnaire: required annually, Neohapsis
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Level 4
  Visa:
  • Any merchant processing less than 20,000 e-commerce transactions per year, and all other merchants processing less than 1 million transactions per year
  MasterCard:
  • All other merchants
  Self-Assessment Questionnaire: required annually, Neohapsis
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Service Providers

Level 1
  Visa:
  • All VisaNET processors and all payment gateways
  MasterCard:
  • All Third Party Processors (TPPs)
  • All service providers that store card data for Level 1 or 2 merchants
  On-site Security Audit: required annually, Neohapsis (QSA)
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Level 2
  Visa:
  • Any service provider that is not in Level 1 and stores, processes, or transmits more than 1 million transactions per year
  MasterCard:
  • All service providers that store card data for Level 3 merchants
  On-site Security Audit: required annually, Neohapsis (QSA)
  Network Security Scan: quarterly scan, Neohapsis (ASV)

Level 3
  Visa:
  • Any service provider that is not in Level 1 and stores, processes, or transmits less than 1 million transactions per year
  MasterCard:
  • All other service providers not included in Levels 1 and 2
  Self-Assessment Questionnaire: required annually, Neohapsis
  Network Security Scan: quarterly scan, Neohapsis (ASV)
About Neohapsis

Founded in 1997, Neohapsis is a leader in delivering managed risk services. Neohapsis is the first Managed Risk Services Provider (MRSP) to expertly align organizations' unique risk profiles with a new breed of managed and professional services designed to mitigate corporate and personal liability. Our holistic approach to enterprise risk management blends security, information technology, and operations management with an innovative set of services that ensures ongoing confidentiality, integrity, availability, and efficiency.

Neohapsis provides high-quality, in-depth independent security consulting, forensic services, and product testing. Neohapsis' experts deliver specialized services in information risk management, application security, network and endpoint security, security product testing, and digital forensics. Neohapsis Lab, a highly respected independent IT product testing facility, backs this consulting expertise.

Neohapsis also offers a full spectrum of managed services, delivered by our team of world-class security and risk management experts who have defined much of what is considered standard practice in the industry. This depth of expertise enables Neohapsis to optimize our approach in addressing each of our clients' unique needs, especially in times of crisis, and to mentor senior managers responsible for managing information risk. Neohapsis' clients include some of the world's most well respected organizations, encompassing a wide range of industry sectors. To learn more, visit Neohapsis at: www.neohapsis.com.

[1] The PCI Data Security Standard is available online.
[2] American Express®, Diners Club®, Discover® Card, JCB®, MasterCard International®, VISA® U.S.A.
[3] The complete list of VISA Cardholder Information Security Program (CISP) Qualified Incident Response Assessors is available here.
[4] Please see the PCI Security Standards Council for up-to-date merchant and service provider requirements.