SecureTrust delivers industry-leading assessment services and compliance-enabling technology to enterprises and service providers that must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). SecureTrust Compliance Validation Service (CVS) can help you proactively manage and streamline your PCI compliance efforts and ensure the process is completed with security in mind.
SecureTrust is the leader in PCI consulting and compliance validation services. We have more experience than any other Qualified Security Assessor Company (QSA-C) in managing large and complex assessments. We’ll help you establish your compliance program security strategy, and simplify the way you manage compliance and risk.
Establish Best Practices
Our trusted compliance and security advisors help you create a strong and strategic foundation. We also conduct and manage assessments, and deliver elite testing and remediation services.
Uniform security policies and integrated technologies are developed, deployed and delivered easily and consistently across your business.
Built-in best practices and industry-leading compliance tools simplify technology deployment and reduce the time and resources you spend on achieving and maintaining compliance.
Improve Visibility and Control
The TrustKeeper® portal delivers centralized, integrated and on-demand management of compliance and security programs.
Make Security a Priority
Our PCI approach is designed with the security of your business in mind. We've developed the right tools - powered by managed services and technology - to help your business become secure and help you validate compliance with the PCI DSS.
Compliance Manager simplifies the CVS engagement workflow and provides visibility and flexibility throughout the process.
How It Works
Whether you are a large enterprise or service provider, SecureTrust offers comprehensive CVS engagements to help you achieve and continuously maintain PCI compliance.
Your CVS engagement is delivered through the TrustKeeper portal, which provides centralized, integrated and on-demand management of compliance and security programs. TrustKeeper Compliance Manager helps you securely manage and validate your PCI DSS compliance activities. In addition, TrustKeeper Vulnerability Manager aids you in meeting external vulnerability scanning requirements.
PCI compliance is not a snapshot in time, but a continuous process that requires well-architected security solutions, ongoing diligence and planning. SecureTrust offers unmatched resources, experience and industry-leading compliance tools in guiding you through the process – from initial scheduling of your PCI review to final preparation of your Report on Compliance (ROC) and Attestation of Compliance (AOC).
SecureTrust CVS provides a dedicated team of experts to work with you, including a Qualified Security Assessor (QSA) who performs the assessment, a managing consultant who acts as your trusted advisor for our ongoing business relationship, and other experts depending on the size and complexity of your engagement. The compliance validation assessment consists of five phases, supplemented by ongoing quarterly business reviews and the option to add remediation services if needed.
Five Phases of Compliance
Compliance validation is demonstrated and assessed in five progressive phases:
1. Engagement Scoping and Discovery
Your QSA assesses the scope of your cardholder data environment to verify all locations, applications and flows of cardholder data have been included.
2. Onsite Assessment and PCI DSS Requirement Testing
SecureTrust reviews and analyzes your organization’s policies, procedures, configurations and dataflow diagrams as required for validating PCI DSS compliance. SecureTrust also conducts interviews and observes systems and processes to validate your compliance.
3. Draft Report on Compliance Creation
Your QSA drafts your Report on Compliance (ROC) and Attestation of Compliance (AOC).
4. Quality Assurance and Final ROC and AOC
The SecureTrust independent Quality Assurance team evaluates the reports to be sure that they accurately reflect your environment and can withstand internal and external scrutiny.
5. Closeout Meetings and Delivery of Final Reports
Completion of the process results in a written ROC to be provided to acquiring banks and an AOC which states your organization’s compliance status.
Ongoing Compliance Activity Review
In addition to the assessment activities that lead to the final report on compliance, SecureTrust provides quarterly Business-as-Usual (BAU) reviews throughout the contract term. The BAU reviews confirm that periodic activities such as vulnerability scans, penetration testing and log reviews are completed as required and that ongoing controls are being properly maintained.
Gap Analysis and Remediation
Some organizations will require a gap analysis before the compliance validation. Trustwave security consultants work with your organization to define any gaps in your PCI DSS compliance or your security posture. This can be followed by Gap Assessment Remediation to provide an action plan designed to address any compliance gaps.
We know every organization operates differently and has different needs based on maturity in complying with standards. To learn more about Compliance Validation Service Bundles, download the data sheet.
TrustKeeper Centralizes the Process
Delivered through TrustKeeper, Compliance Manager provides a centralized dashboard for the management of the annual assessment process. Compliance Manager supports rich interaction with SecureTrust through the compliance validation process, including:
- Central management for compliance activities
- Document, evidence artifact and report repositories
SecureTrust is a PCI Approved Scanning Vendor (ASV) and all CVS bundles include TrustKeeper Vulnerability Manager for Trustwave External Vulnerability Scanning (EVS). Trustwave proprietary scanning services enable your organization to meet the PCI DSS requirement for external vulnerability scanning, while providing security, support, self-scan and reporting capabilities. The CVS offering includes a defined set of external vulnerability scans as part of the subscription.
Full Suite of PCI Services
SecureTrust is recognized by the PCI Security Standards Council as a qualified Payment Application Data Security Standard (PA-DSS) assessor, a point-to-point encryption (P2PE) assessor and a PCI Forensic Investigator (PFI).
When validating applications, our team will conduct interviews with stakeholders and thoroughly review documentation before completing functional and security testing of the application. The assessment includes technical and forensic review of the application components, transaction logs and cardholder data storage to ensure prohibited data (such as full track data and card security codes) is not stored.
Complete Trustwave Vulnerability Management Services
Trustwave offers a full suite of Vulnerability Management services that deliver proactive scanning, testing and remediation of application, database and network vulnerabilities. With our integrated, on-demand security testing platform, you can rapidly identify and address security weaknesses, which helps you significantly reduce threats and risks to customer data, financial information, intellectual property, and more. The PCI DSS requires internal vulnerability scanning and internal and external penetration testing.
Trustwave Managed Security Testing (MST) delivers on-demand, precision penetration testing with just a few clicks – duplicating malicious attacks against your systems. Subscribers log in to schedule web application and internal or external network penetration tests. MST offers database, network and application testing. Wireless network penetration testing is also available as a separate service to help address risks inherent to your wireless infrastructure.
Trustwave Security Solutions Help Streamline Compliance
Trustwave security technologies have evolved in response to customer challenges and our expertise in compliance. A business that employs security best practices with diligence will find greater efficiency throughout the compliance process. And as your validation program uncovers gaps in your business’ security, Trustwave has the right solutions to help you achieve your IT and security goals without overspending.
SIEM and Managed SIEM
Policy and Procedure Development
SecureTrust can help you build a customized set of internal policies to protect sensitive data and help you meet your compliance requirements. SecureTrust consultants conduct interviews with your key stakeholders and help develop a comprehensive set of policies for implementation within your organization.
Security Awareness, Training and Education
The PCI DSS requires merchants and service providers to implement a formal security awareness program and ensure employees understand the importance of handling cardholder data securely. Trustwave Security Awareness, Training and Education courses range from secure development practices and training for technical staff to awareness geared to specific job roles. Delivered online, Trustwave Security Awareness, Training and Education is ideal for organizations that need a company-wide program to help employees stay vigilant and aware.
Social Engineering Testing
As hardware and software security has become more effective, attackers are increasingly turning toward the human component as the weakest point. Social engineering testing helps you identify vulnerabilities so you can educate your employees and prevent breaches. Trustwave experts will attempt to lure users with a fake website and phishing attempts. You will receive a detailed report that includes:
- Which users were included in the social engineering attempts
- Which users were susceptible to the attempts
- Which accounts were successfully compromised
Endpoint Protection with File Integrity Monitoring
The SecureTrust Endpoint Protection Suite delivers complete defense-in-depth coverage for your users, network and data, including integrated policy enforcement, compliance management, anti-virus and anti-malware. Add-on modules include Windows log collection, application whitelisting and File Integrity Monitoring (FIM). FIM examines OS file and registry data on Windows-based POS devices, computers and servers, and alerts you to potentially risky or non-compliant activity.
Physical Security Assessment and Testing
Trustwave can identify the vulnerabilities of your facilities, both externally and internally, by testing your physical security controls for technical weaknesses.