PCI Compliance Assessment Module Quick Start Guide


Quick Start Guide: PCI Compliance Assessment Module
Instructions to Perform a PCI Compliance Assessment
2/25/2022 5:00 PM

Network Detective PCI Compliance Module — Quick Start Guide

Contents

Performing a PCI Compliance Assessment
  PCI Compliance Assessment Overview
  What You Will Need
  Risk Assessment vs. Risk Profile
  PCI Risk Profile Use for Ongoing PCI Compliance Assessments
  Step 1 — Download and Install the Network Detective Application
  Step 2 — Create a New Site
  Step 3 — Start a PCI Compliance Assessment Project
    Use the PCI Compliance Assessment Checklist
  Step 4 — Collect Initial PCI Compliance Assessment Data
  Step 5 — Cardholder Data Environment (CDE) Deep Scan
  Step 6 — Collect Secondary Data
  Step 7 — Document Exceptions
  Step 8 — Generate Reports
    Note on Time to Generate Reports
Performing an ASV Scan and Downloading ASV Scan Reports
  Setting Up and Performing an ASV Scan
  Setting Up Access to Your ServerScan ASV Scan Account to View and Download Reports
  Setting Up Your ASV Reports to include your Company Information
  Notification that Your ASV Scan has Started
  Viewing the Results of your ASV Scan
  Performing an ASV Rescan using ServerScan
PCI Assessment Reports
  Compliance Reports
  Supporting Documentation
  Change Reports

Performing a PCI Compliance Assessment

PCI Compliance Assessment Overview

Network Detective's PCI Compliance Assessment Module combines 1) automated data collection with 2) a structured framework for collecting supplemental assessment information through surveys and worksheets. To perform a PCI Compliance Assessment, you will:

• Download and install the required tools
• Create a site and set up a PCI Compliance Assessment project
• Collect PCI Compliance Assessment data using the Network Detective Checklist
• Generate PCI Compliance Assessment reports

© 2022 RapidFire Tools, Inc. All rights reserved.

What You Will Need

In order to perform a PCI Compliance Assessment, you will need the following components:

Note: You can access these at https://www.rapidfiretools.com/nd.

Network Detective: The Network Detective Application and Reporting Tool guides you through the assessment process from beginning to end. You use it to create sites and assessment projects, configure and use appliances, import scan data, and generate reports. The Network Detective Application is installed on your workstations/laptops; it is not intended to be installed on your client or prospect sites.

PCI Data Collector: The Network Detective PCI Data Collector is a Windows application that performs the data collections (network, local "quick", and local "deep") for the PCI Compliance Module. It supports both Network and Computer scans.

Push Deploy Tool: The Network Detective Push Deploy Tool pushes the local data collector to machines in a specified range and saves the scan files to a specified directory (which can also be a network share). The benefit of the tool is that a local scan can be run simultaneously on each computer from a centralized location.

Surveys and Worksheets: Surveys and worksheets contain questions that require investigation outside of an automated scan. You create and manage these documents directly from the Network Detective Application, where you can also import and export your responses to and from Word.

Risk Assessment vs. Risk Profile

There are two types of PCI Compliance Assessments that can be performed:

PCI Risk Assessment: A complete assessment that includes all worksheets and surveys.
• Required at least annually
• Recommended quarterly as part of a quarterly compliance review
• Requires that all manual worksheets be completed
Important: Allow for at least an entire day to perform the assessment on a typical 15 user network.

PCI Risk Profile: Updates a Risk Assessment to show progress in avoiding and mitigating risks, and finds new ones that may have otherwise been missed.
• Does NOT require worksheets
• Requires selecting a prior Risk Assessment (will use the existing worksheets)
• Requires less than 1 hour for a typical 15 user network
Note: You can only create a Risk Profile after you have first performed a Risk Assessment.

PCI Risk Profile Use for Ongoing PCI Compliance Assessments

A PCI Risk Analysis should be done no less than once a year. In addition, the Network Detective PCI Module includes an abbreviated version of the PCI Risk Analysis assessment and reporting process, called the PCI Risk Profile. The PCI Risk Profile is designed to provide interim reporting in a streamlined and almost completely automated manner.

Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis, documents progress in addressing previously identified risks, and finds new risks that may otherwise have been missed and resulted in a data breach.

This abbreviated process requires that the PCI Module has already been used to perform a full PCI Risk Assessment of your customer's Cardholder Data Environment (CDE) on a previous occasion.

Follow these steps to perform a PCI Compliance Assessment:

Step 1 — Download and Install the Network Detective Application

Visit https://www.rapidfiretools.com/nd. Download and install the Network Detective Application.

Step 2 — Create a New Site

To create a new site:

1. Open the Network Detective Application and log in with your credentials.
2. Click New Site to create a new Site for your assessment project.
3. Enter a Site Name and click OK.

Step 3 — Start a PCI Compliance Assessment Project

1. From within the Site Window, click Start to begin the assessment.
2. Next, select Compliance Assessments, and then select your chosen PCI Compliance Assessment.
3. Then follow the prompts presented in the Network Detective Wizard to start the new Assessment.

Use the PCI Compliance Assessment Checklist

Once you begin the PCI Compliance Assessment, a Checklist appears in the Assessment Window. The Checklist presents the Required and Optional steps that are to be performed during the assessment process. The Checklist will be updated with additional steps to be performed throughout the assessment process.

Complete the required Checklist Items in the exact numerical order presented. Use the Refresh Checklist feature to guide you through the assessment process at each step until completion.

When you complete a step, that item will be updated with a green check mark in the checklist.

You may also print a copy of the Checklist for reference purposes by using the Printed Checklist feature.

Step 4 — Collect Initial PCI Compliance Assessment Data

1. First complete the PCI Pre-Scan Questionnaire. View the assessment Checklist for updates and to track progress.

2. Initiate the External Vulnerability Scan.

Note: In cases where your client requires an External Vulnerability Scan to be completed by a PCI DSS Approved Scanning Vendor (ASV), based on availability, an ASV Scan may be initiated from the PCI Module's Assessment Window. See "Performing an ASV Scan and Downloading ASV Scan Reports" below for more information.

3. Download, install, and run the PCI Data Collector as an Administrator. The PCI Data Collector is available at https://www.rapidfiretools.com/nd.

4. Select the PCI Network Data Collector option. Follow the prompts and run the PCI Network Scan.

Note: Take note of the output file location for the scan. This will be on your computer's Desktop by default.

5. Import the PCI Network Scan results by clicking Import Scan File in the Assessment Window. Select the output file created in the step above.

6. Next, to perform the PCI "Quick" Local Computer Scans of computers on the network, download the Push Deploy Tool from https://www.rapidfiretools.com/nd.

7. Extract the contents of the Push Deploy Tool .ZIP file to a USB drive or directly to any machine on the target network.

8. Using the Run as Administrator option, run NetworkDetectivePushDeployTool.exe, contained within the folder named NetworkDetectivePushDeployTool.

Important: For the most comprehensive scan, you MUST run the Push Deploy Tool as an ADMINISTRATOR.

9. From the tool's Settings and Configuration window, select the PCI "Quick" Scan option. Specify the Folder to store the resulting computer scan files, and enter the necessary Administrator Credentials. Click Next.

Important: For the Push Deploy Tool to push local scans to computers throughout the network, ensure that the following prerequisites are met:

• The Windows Management Instrumentation (WMI) service is running and able to be managed remotely on the computers that you wish to scan. Windows Firewall sometimes blocks remote management of WMI, so this service may need to be allowed through the Firewall.
• The Admin$ share must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan. Push Deploy relies on the Admin$ share to copy and run the data collector locally.
• File and printer sharing must be enabled on the computers you wish to scan.
• For Workgroup-based networks, the Administrator credentials for all workstations and servers that are to be scanned should ideally be the same. Where a Workgroup-based network does not have one set of Administrator credentials for all machines to be scanned, use the Add option to add all of the Administrator credentials for the Workgroup. Multiple sets of Administrator credentials will be listed in the Credentials box.

Tip: For your convenience, create a shared network folder to centralize and store all scan results data files created by the Push Deploy Tool. Then reference this folder in the Storage Folder field so that the local computer scan data files are stored in this central location. Because the scan files describe the systems being assessed (and, after the Deep Scan, where cardholder data was found), restrict the share so that only the account performing the assessment can read it.

10. In the Computers and Status window, set the IP Address range of the computers to be scanned and then run the scan. After defining the computer IP Address range, click the "unpause" button as instructed to start your data collection scan. Alternatively, you can click the Next button, where you will be prompted to start the data collection process.

After starting the data collection, the Computers and Status window will present the status of the scan for each computer selected for scanning.

11. When the data collection process is complete, click Next to proceed to the Collected Data Files window. Click Finish to complete the Push Deploy Tool data collection process and to access the scan files produced.

12. After the PCI Quick Local Data Scan is complete, click Import Scan File in the Assessment Window to import the scan results into the Assessment.

13. Run the PCI Data Collector, selecting Quick Local Scan, on the computers that were unreachable, and import the scan results. This scan is optional if the unreachable computers are not to be a part of the PCI Assessment process.

14. Complete the Gate 1 Completion Worksheet. The purpose of the Gate 1 Completion Worksheet is to confirm that the initial phase of the PCI assessment has been performed, including all optional scans, before proceeding to the next phase of the assessment process.

15. Complete the PCI Post-Scan Questionnaire.
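Before running the Push Deploy Tool against a range, it helps to know which targets will come back as "unreachable" in the Computers and Status window, so that the manual Quick Local Scan in step 13 can be planned in advance. The following pre-flight check is an added example written for this guide; it is not RapidFire Tools code and is not part of the Push Deploy Tool. It assumes only what the prerequisites above imply: the Admin$ share is reached over SMB (TCP 445, which also requires File and Printer Sharing), and remote WMI is reached through the DCOM endpoint mapper (TCP 135). The target range, the hosts and the port list are hypothetical; substitute the range you enter in the tool.

```python
"""Pre-flight reachability check for Push Deploy targets.

Added example, not RapidFire Tools code. Push Deploy copies the collector over
the Admin$ share (SMB, TCP 445) and drives it through remote WMI (DCOM endpoint
mapper, TCP 135). A host that does not answer on both will be reported as
unreachable, so list those hosts before the run and plan a manual Quick Local
Scan for them.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Sequence

# 135: RPC endpoint mapper used by WMI/DCOM; 445: SMB, needed for the Admin$ share.
REQUIRED_PORTS = (135, 445)


def expand_range(spec: str) -> List[str]:
    """'10.0.0.5', '10.0.0.10-10.0.0.20' or '10.0.0.0/28' -> list of IPv4 strings."""
    spec = spec.strip()
    if "/" in spec:
        return [str(h) for h in ipaddress.ip_network(spec, strict=False).hosts()]
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if hi < lo:
            raise ValueError(f"range end {hi} precedes start {lo}")
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(ipaddress.ip_address(spec))]


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes (service listening and not firewalled)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hosts: Iterable[str], ports: Sequence[int] = REQUIRED_PORTS,
              timeout: float = 1.0,
              probe: Callable[[str, int, float], bool] = tcp_open) -> Dict[str, dict]:
    """Probe every host on every required port; 'ready' means all ports answered.

    An open port only proves the firewall lets the connection through. The
    Administrator credentials and Admin$ share access are still verified by
    the Push Deploy Tool itself when it runs.
    """
    report: Dict[str, dict] = {}
    for host in hosts:
        open_ports = [p for p in ports if probe(host, p, timeout)]
        report[host] = {
            "open": open_ports,
            "closed": [p for p in ports if p not in open_ports],
            "ready": len(open_ports) == len(ports),
        }
    return report


def unreachable(report: Dict[str, dict]) -> List[str]:
    """Hosts to scan by hand with the PCI Data Collector's Quick Local Scan."""
    return [host for host, r in report.items() if not r["ready"]]


if __name__ == "__main__":
    # Hypothetical target range; replace with the range entered in the Push Deploy Tool.
    targets = expand_range("192.168.1.10-192.168.1.20")
    result = preflight(targets, timeout=0.5)
    for host, r in result.items():
        state = "ready" if r["ready"] else f"closed: {r['closed']}"
        print(f"{host:15} {state}")
    print("manual Quick Local Scan needed:", unreachable(result))
```

Run it from the same machine and network position the Push Deploy Tool will run from, since a host that answers from one VLAN may be firewalled from another. A host listed with 445 closed usually has File and Printer Sharing off; 135 closed usually means WMI remote management is blocked at the Windows Firewall.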

Step 5 — Cardholder Data Environment (CDE) Deep Scan

1. Complete the Cardholder Data Environment ID Worksheet. In this worksheet, you identify which system components are part of the Cardholder Data Environment.

2. Complete the Deep Scan Selection Worksheet. The computers selected in this worksheet will be scanned in the next step.

3. Using the Push Deploy Tool, initiate the PCI Deep Scan for the selected systems.

4. When configuring the Deep Scan, choose whether to include PDF files in the scan. Note that this may increase the total scan time.

Tip: The Push Deploy Tool is used to push Quick Scan and Deep Scan tasks out to a range of computers on the network. It is recommended that a network share Storage Folder be set up and used to store the resulting scans.

5. After the PCI Deep Scan is complete, import the scan results into the Assessment. This scan searches the selected local computers' files for cardholder data in the form of Primary Account Number (PAN) information.

6. Complete the Gate 2 Completion Worksheet. This worksheet confirms that you have performed the second phase of the PCI assessment before proceeding to the next phase.

7. Run the PCI Data Collector, selecting the Deep Local Scan, on the individual computers that were unreachable.

Note: Using the Data Collector to perform this scan is optional if the unreachable computers are not to be a part of the PCI Assessment process.

Step 6 — Collect Secondary Data

1. Complete the User ID Worksheet.
2. Complete the Anti-Virus Capability Worksheet.
3. Complete the Necessary Functions Identification Worksheet.
4. Complete the Server Function ID Worksheet.
5. Complete the PAN Scan Worksheet.
6. Complete the External Port Security Worksheet.
7. Complete the PCI Verification Questionnaire.

Step 7 — Document Exceptions

Optional: Complete the Compensating Controls Worksheet.

Step 8 — Generate Reports

1. Run Network Detective and log in with your credentials.
2. Then select the Site and go to the Active Assessment Project.
3. Click the Reports Ready button at the end of the assessment checklist.
4. Select which of the PCI Compliance Assessment reports you want to generate. You can use the Reports drop-down menu to filter reports related to the active assessment project, reports that are ready to generate, or to browse all available reports.
5. Click the Create Reports button and follow the prompts to generate the reports you selected.
   i. If you have not previously edited your Report Preferences, you will be prompted to do so before generating reports.

Tip: See the Network Detective User Guide for instructions on how to customize your reports with your company's branding.

Click Generated Reports from the left-hand Site menu to access previously generated reports. Double click a set of assessment reports to open the folder in Windows Explorer.

Note on Time to Generate Reports

Important: Larger data sets will require more time to generate reports. If the data set is especially large, in the range of several thousand users for example, a full set of reports may take several hours to complete.
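The Deep Scan in Step 5 searches files for PANs. The block below is an added example of how such a search is typically built; it is not RapidFire Tools code and does not reproduce the PCI Data Collector's actual logic. It combines a candidate regex (13 to 19 digits with optional spaces or dashes), a Luhn check to discard most random digit runs, and issuer prefix and length ranges for the major brands, and it records only a masked PAN (first six and last four digits) so that the scan output does not itself become a new store of cardholder data. The sample files, the file extension list and the test card numbers are constructed for the example; PDFs are skipped because text extraction needs a library outside the standard library.

```python
"""Locate Primary Account Numbers (PANs) in files, the way a CDE deep scan does.

Added example, not RapidFire Tools code. Pipeline: candidate regex -> Luhn
check -> issuer prefix/length check -> masked hit (first six + last four digits),
so the scan output never holds a full PAN.
"""
import os
import re
import tempfile
from typing import List, NamedTuple, Optional

# 13 to 19 digits, each optionally followed by one space or dash, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# File types scanned as text (constructed list for this example; PDFs are skipped).
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".html", ".eml"}


class Hit(NamedTuple):
    source: str    # file path, or "<text>" when scanning a string
    line: int
    brand: str
    masked: str    # first six and last four digits; the rest replaced by '*'


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most arbitrary digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand(d: str) -> Optional[str]:
    """Issuer ranges (IIN prefix + length) for the major brands; None if no match."""
    n = len(d)
    if d[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(d[:2]) <= 55 or 2221 <= int(d[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and d[:2] in ("34", "37"):
        return "American Express"
    if n in (16, 19) and (d.startswith("6011") or d.startswith("65") or 644 <= int(d[:3]) <= 649):
        return "Discover"
    return None


def mask(d: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def find_pans(text: str, source: str = "<text>") -> List[Hit]:
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            b = brand(digits)
            if b is None:
                continue
            hits.append(Hit(source, lineno, b, mask(digits)))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Walk a directory and scan text-like files; undecodable bytes are ignored."""
    hits: List[Hit] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue   # binaries and PDFs need format-specific extraction
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits.extend(find_pans(fh.read().decode("utf-8", errors="ignore"), path))
    return hits


def demo() -> List[Hit]:
    """Constructed sample files using the card brands' published test numbers."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "orders.csv"), "w") as fh:
            fh.write("id,card,phone\n")
            fh.write("1,4111-1111-1111-1111,4111111111111112\n")  # Visa test PAN; third field fails Luhn
            fh.write("2,3782 822463 10005,5551234567\n")          # Amex test PAN; phone too short
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("invoice 1234567890123 paid\n")               # 13 digits, no issuer prefix
        return sorted(scan_tree(root), key=lambda h: (h.source, h.line))


if __name__ == "__main__":
    for h in demo():
        print(f"{os.path.basename(h.source)}:{h.line} {h.brand} {h.masked}")
```

Treat the hit list as sensitive even though it is masked: it tells a reader exactly which files on which hosts hold cardholder data, which is why the Storage Folder share recommended in the Tip above should be restricted to the assessor. A production scanner would also open archives and office documents, which this example leaves out.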

Performing an ASV Scan and Downloading ASV Scan Reports

In cases where your client requires an External Vulnerability Scan to be completed by a PCI DSS Approved Scanning Vendor (ASV), based on availability, an ASV Scan may be initiated from the PCI Module's Assessment window. ServerScan, a RapidFire Tools, Inc. partner, will perform the ASV External Vulnerability Scan on the Host/IP Address Range you specify in an ASV Scan Request, as outlined in the process below.

Note: Prior to performing an ASV Scan, it is recommended that you perform an External Vulnerability Scan using the PCI Assessment Module as a part of your PCI Assessment and remediate any identified vulnerabilities.

Setting Up and Performing an ASV Scan

Follow these steps to use the PCI Assessment Module to initiate a request for an ASV Scan:

1. Select the ASV External Scan option to request that an External Scan be performed. The Request ASV External Scan window is displayed.

2. Select the Add Host/IP link; the Add IP Address or Host window is displayed.

3. Enter the IP Address and select Add. Confirm that the IP Address has been added to the list in the Request ASV External Scan window.

4. Then select the Next button to proceed to the next step.

5. In the Request ASV External Scan window, enter your Email, Telephone Number, and any Special Instructions, and select the Authorize the Scan affirmation. Affirm authorization only for addresses that your client owns or is responsible for.

6. Next, select the Submit button to submit your ASV Scan Request.

If you have used the Network Detective ASV Scan feature before and have a ServerScan account, use the email address that you have associated with that account.

7. You will be presented with a Confirm window stating that you should check the Host/IP Addresses that you have selected for your ASV Scan(s) before finalizing your ASV Scan request.

8. Select the OK button to proceed. You may select Cancel to go back to the previous step.

The Submitting Scan Request window will be displayed, showing the progress of your submission while your ASV Scan Request is submitted. Upon acceptance of the Scan Request's submission, you will receive confirmation that your scan has been submitted.

Important: It may take 30 to 60 minutes during the business hours of 9am to 5pm Mountain Time (MT) for your ASV Scan request submission to be confirmed. Any scan requests submitted outside of these business hours will be processed on the next business day.

Tip: If you have already used the ASV Scan feature in the past and have a ServerScan ASV Scan account, please proceed to "Notification that Your ASV Scan has Started" below.

After your ASV Scan Request has been submitted, you will receive an email notification from RapidFire Tools, Inc. stating that your ASV Scan Request has been submitted to ServerScan for processing. Your ASV Scan Request will also be listed under the Scans bar in the PCI Assessment window.

9. ServerScan, a RapidFire Tools, Inc. partner, will perform the ASV External Vulnerability Scan on the IP Range you specified.

After the ServerScan system reviews the details of your scan request, if you are using the ASV Scan service for the first time, you will receive an email notification about setting up your ASV Scan account at ServerScan. The purpose of this account is to let you download the results of your scan.

After receiving this email from ServerScan, proceed to "Setting Up Access to Your ServerScan ASV Scan Account to View and Download Reports" below to configure access to your ASV Scan account and the reports that are made available after your ASV Scan is complete.

Setting Up Access to Your ServerScan ASV Scan Account to View and Download Reports

If you are using the ASV Scan feature for the first time and have received an email notification from ServerScan welcoming you to the ServerScan ASV Scan service, proceed to the steps immediately below.

If you already have a ServerScan ASV Scan account, please proceed to the next section, "Notification that Your ASV Scan has Started".

Follow these steps to complete the setup of your ServerScan account.

1. Set up the Password for your PCI/ASV Scanning Account at ServerScan by selecting the link contained within the Welcome to ServerScan email notification that you received.

2. Follow the instructions on the ServerScan website to log into the account used to access details about your ASV Scan results and to manage ASV Rescans.

3. Assign your password to the ServerScan account created for your ASV Scan Management, Reports, and Scan Attestation document(s). A confirmation that your new Password has been assigned to your ServerScan account will be presented.

Setting Up Your ASV Reports to include your Company Information

Next, set up the reports that will be generated to include your company's specific information. To do this:

1. Access the ServerScan My Settings feature.
2. Enter the Company Name and Address details in the My Settings page.
3. Your settings are saved when you navigate away from the My Settings page.
4. Exit the ServerScan website by selecting the Logout link.

Notification that Your ASV Scan has Started

After your ASV Scan has been initiated by ServerScan, you will receive a notification by email that your PCI Server Scan has started.

Upon completion of your ASV Scan, you will receive an email notifying you that the PCI Server Scan you requested is complete.

After receiving the PCI Server Scan Complete notification by email, access your ServerScan account to view the results. To view the results of your ASV Scan, proceed to the next section.

Viewing the Results of your ASV Scan

After your ASV Scan is complete, you will receive an email notification stating that the scan has completed. The PCI Server Scan Complete email notification will contain a summary of your ASV Scan results.

To view the results of your ASV Scan, follow the steps below.

1. Log into your ServerScan ASV Scan account by visiting www.serverscan.com and selecting the MY ACCOUNT link. The User Account login window will be displayed.

2. Enter your Email Address and Password and select the Log In button to access your account. After logging into your account, the Go to Scan Manager option will be displayed.

3. Select the Go to Scan Manager option to view the results of your ASV Scan. The Scan Manager window will be displayed.

4. Select the View Compliance Reports link. The Compliance Reports window will be displayed.

5. Using the Download Reports option(s), download and view the ASV Scan Reports.

6. Based on the outcome of your ASV Scan (in terms of the identified vulnerabilities), download and view the Executive Scan Report, the Detailed ASV Scan Report, and the Attestation documents.

7. Log out of the ServerScan Portal.

Review the Executive and Detailed reports for the ASV Scan performed by ServerScan.

If your ASV Scan revealed security vulnerabilities that prevent your Merchant client from passing the PCI external network vulnerability scan requirement, then after the identified vulnerabilities have been remediated you may want to perform a "Rescan" using the ServerScan service.

Proceed to the next section to learn how to use the ServerScan Rescan option to run another ASV Scan on your client's network.

Performing an ASV Rescan using ServerScan

To run another ASV Scan (i.e. a Rescan) to check for external vulnerabilities on your client's network perimeter, follow these steps:

1. To log into your ServerScan account, visit the ServerScan website at www.serverscan.com and select the MY ACCOUNT link.

2. Enter your Username and Password and select the Log In option to log into your ServerScan account.

3. Select the ServerScan Go to the Scan Manager button. The Scan Manager window will be displayed.

4. Select the View Compliance Reports link. The Compliance Reports window will be displayed.

5. To start the Rescan, in the Compliance Reports window select the Rescan icon shown in a previous scan's results entry. The New Scan settings window will be displayed to enable you to schedule your Rescan.

6. Set up and submit the Rescan. Review the Name, Email, and Target Hosts fields to verify that the information preloaded from your original ASV Scan is correct.

7. Select the Schedule Options, Run This Scan On Date and Time, and Time Window settings. After defining the scan's settings, select the Submit button. The Scheduled Scan confirmation window will be displayed.

Once your Rescan submission has been verified by the ServerScan system, you will receive a notification by email stating that your ASV Scan has been scheduled and started.

8. Log out of your ServerScan account.

9. Upon receipt, view the email notification that confirms that your ASV Rescan has been scheduled and started.

10. After your Rescan is complete, you will receive an email notification that the ASV Scan is complete. Upon completion of the Rescan, you can log into your ServerScan account to download and view the reports containing the results of the ASV Scan.

11. To view the results of your scan, log into your ServerScan account. Then select the ServerScan View Compliance Reports option.

PCI Assessment Reports

The PCI Assessment Module can generate the following reports and supporting documents:

Compliance Reports

These reports show where you are in achieving PCI compliance. In addition, these documents identify and prioritize issues that must be remediated to address PCI-related security vulnerabilities through ongoing managed services.

Evidence of PCI Compliance: Just performing PCI-compliant tasks is not enough. Audits and investigations require evidence that compliance tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof of proper documentation is the accessibility and the detail needed to satisfy an auditor or investigator, and this report provides both.

PCI Policies & Procedures Document: The Policies and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the PCI DSS. The policies spell out what your organization will do, while the procedures detail how you will do it. In the event of a PCI Compliance audit, the first things an auditor will inspect are the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific sections in the PCI DSS Requirements and supported by the other reports included with the PCI Compliance module.

PCI Post-Scan Questionnaire: The Post-Scan Questionnaire contains the documented responses to a list of questions that were formulated based on the results of the scans that have been performed.

PCI Pre-Scan Questionnaire: This questionnaire contains a list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how the facility controls access, firewall information, and application development, to authentication and change management standards.

PCI Compliance PowerPoint: This PowerPoint slide deck presents a visual overview of the PCI assessment.

PCI Risk Analysis Report: PCI is a risk-based security framework, and the production of a Risk Analysis is one of the primary requirements for PCI compliance. In fact, a Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic stores of, and/or the transmission of, Cardholder Data, the vulnerabilities to the security of that data, the threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps card-processing Merchants and their 3rd party Service Providers identify the components of the Cardholder Data Environment (CDE) and how the data moves within, and in and out of, the organization. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of Cardholder Data at rest and/or during its transmission. The Risk Analysis must be run or updated at least annually, and more often if anything significant changes that could affect one or more system components in the CDE itself.


Author: RapidFire Tools, Inc.