The guide below is available on TrustKeeper's website when you're logged in.

Just click on Learn about the Program from their website.

Welcome

Welcome to the TrustKeeper PCI Compliance Getting Started Guide. This guide provides an overview of the PCI Compliance validation process, and how to use TrustKeeper to complete the process.

Welcome
1. Program Overview
   PCI DSS
   Validating Compliance with the PCI DSS
   Documentation of Validation
2. TrustKeeper Overview
   What You Need to Do (Quick Start Guide)
   Step 1: Complete your Merchant Profile
   Step 2: Setup and Schedule your Vulnerability Scan
   Step 3: Complete the Compliance Questionnaire
   Step 4: Compliance Reports
3. Completing Your Merchant Profile
4. External Vulnerability Scan
   Getting Started With Vulnerability Scanning
   Configuring the Scan Parameters (What to Scan)
   Scheduling the Scan (When to Scan)
   Viewing the Results
   Reading the Detailed Scan Report
   Viewing Results for Older Scans
   Requesting an Appeal for a Reported Vulnerability
5. Completing the Self-Assessment Questionnaire
   Which SAQ is Right for me?
   SAQ Instructions
   Using Compensating Controls
   Understanding the Results
6. Using the TrustKeeper Agent
   Downloading the TrustKeeper Agent
   Assistance with External Vulnerability Scan
   Assistance with the SAQ
7. Documentation and Reports

1. Program Overview

Since you are a merchant that accepts credit cards for purchases, your acquiring bank or processor has asked you to validate your compliance with the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International), to help facilitate the adoption of consistent data security measures globally. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to proactively protect customer account data.

As a merchant, you are required to be compliant with the PCI DSS. Your acquiring bank or processor has asked that you validate that compliance -- in other words, provide documentation of your compliance.


Validating Compliance with the PCI DSS

The steps for validating compliance with the PCI DSS vary depending on how large a merchant you are (based on your PCI Level) and whether you have a connection to the Internet. Most merchants are PCI Level 2, 3, or 4, and are therefore required to:

  1. Complete a PCI Self-Assessment Questionnaire (SAQ). This is a set of "yes/no" questions that determine whether you meet the PCI DSS requirements for your type of business.  This must be done annually.
  2. Have a network vulnerability scan performed on your business. If you have a connection to the Internet -- for example from your point-of-sale (POS) equipment or your e-commerce web site -- you need to have a PCI-licensed Approved Scanning Vendor (ASV) such as Trustwave perform such a scan to determine how secure your business is from threats over the Internet (e.g. hackers).  This is required at least once every three months.

Based on your enrollment, TrustKeeper has identified which steps are applicable to you.  See the sections below for more details on completing these steps.


Documentation of Validation

Once you have completed and passed the necessary steps, TrustKeeper will provide you with several pieces of documentation.

  1. Automatic reporting of compliance validation to your acquiring bank or processor.
  2. A Certificate of Compliance that you can print out or use as proof that you completed the process with Trustwave.
  3. Access to the Trusted Commerce web site seal, which you can display on your e-commerce web site (if applicable) to show customers that you have completed the process.
  4. Several additional reports showing the results of the vulnerability scan and the SAQ.


2. TrustKeeper Overview

The TrustKeeper screen is broken out into three areas.

1. The Overall Program Status box
2. The home page or dashboard
3. The left navigation menu

Overall Program Status

The program status, located at the top of each page within the portal, displays the following information about your account.  Initially, all of these indicators will be gray, indicating you have not yet completed any of the steps required to validate compliance with PCI DSS.

  1. PCI DSS status.  A green circle indicates that you have completed and passed the required steps and have successfully validated compliance.
  2. Questionnaire Results.   A green circle indicates that you have completed and passed the PCI Self-Assessment Questionnaire (SAQ).  Also listed is the last time you completed the SAQ (it expires one year from the date of completion).
  3. Vulnerability Scans (if applicable).  A green circle indicates that you have completed and passed your most recent vulnerability scan.  The date and time of this scan are listed, as well as the date and time of your next scheduled scan.

When you first enroll, your PCI DSS status will be "Incomplete".  The following is a sample of the program status box once you have completed and passed all of the required steps to validate compliance.

Home Dashboard

The first screen you see when you log in is your "Home" screen or dashboard.  It displays the steps you need to complete in order to validate compliance with PCI DSS.  These steps are described in the remainder of this document:

  • Learn About the Program (opens this document)
  • Merchant Profile - Describe your business to help TrustKeeper recommend your Compliance Questionnaire.
  • Vulnerability Scan - Supply us with information to enable us to conduct periodic vulnerability scans of your network.
  • Compliance Questionnaire - In order to determine your program compliance, we need you to provide us with certain information regarding your business.
  • View Compliance Reports - Proof of Compliance Validation reports and certificates are available for download once you have completed and passed the above steps (your overall PCI status is "Compliant").

Navigation Menu

The menu on the left sidebar contains shortcut links to the various areas within TrustKeeper.  The link at the top, "Home," will bring you back to your main dashboard screen.


What You Need to Do (Quick Start Guide)

The steps you see on the home page describe what you need to do to complete the compliance validation process.  This section gives an overview of the steps while the remainder of this document goes into more detail on each of these steps.


Step 1: Complete your Merchant Profile

The merchant profile is a short survey about your business.  It is not required for compliance validation, but completing it helps TrustKeeper better customize the process for you.  One of the benefits of completing this is that TrustKeeper will be able to recommend which Self-Assessment Questionnaire (SAQ) you need to complete when you start Step 3.


Step 2: Setup and Schedule your Vulnerability Scan

An external vulnerability scan is a security probe of your store, web site, or business office performed by TrustKeeper.  It is an automated, non-intrusive scan that assesses your network and web applications from the Internet.  If you see this step listed in your home page and Overall Program Status bar, then TrustKeeper requires that you complete this step.

Click the "Edit Scan Profile" link to get started.  The first time you edit this, TrustKeeper will guide you through two steps:

1. Configuring your scan parameters (i.e. telling TrustKeeper what to scan)
2. Scheduling your scan (i.e. telling TrustKeeper when to do its scan)

The "External Vulnerability Scan" section below contains more details, but for small merchant businesses:

  • E-commerce merchants need to enter the domain names of all of their web sites (e.g. www.mywebsite.com)
  • Small brick-and-mortar merchants who have installed the TrustKeeper Agent at each store can just select those agents to set up the scan.

Once you have set up the scan you have completed the step, but you still need to wait for the scan to occur and review the results.  You can do this by accessing the "View Results" link in the left menu once the scan has completed (you will receive an e-mail notification prior to the scan starting and when it is complete).


Step 3: Complete the Compliance Questionnaire

Required for all except the very largest merchants, the Self-Assessment Questionnaire (SAQ) is a set of questions that test whether your business is in compliance with the PCI DSS.  There are actually four forms of the SAQ, and you need to complete the one that is appropriate for your business.  SAQ A, B, and C are all reduced forms of SAQ D -- the full questionnaire with over 200 questions.  In order to take SAQ A, B, or C, you need to be eligible, meaning you need to have a less complex business environment.  Completing your Merchant Profile can help TrustKeeper guide you to the most appropriate SAQ, or if you know which one to take you can simply select it.

To get started, click the "Edit Compliance Questionnaire" link in step 3.  You can either begin the SAQ that TrustKeeper recommends, or select an alternate one from the list.


Step 4: Compliance Reports

Once you have completed all of the above steps, you can see the results in the Overall Program Status bar.  If you pass both the scan and the SAQ, then you have fulfilled your PCI DSS validation requirement.  This section contains three confirmation documents you may want to use:

  • The Certificate of Compliance is a one-page printable attestation of your achievement.
  • The Executive Summary gives summary results for both your SAQ and Scan.
  • The Trusted Commerce seal can be displayed on your web site to demonstrate to customers that your online business is secure.


3. Completing Your Merchant Profile

Before you begin the compliance validation steps, Trustwave recommends that you complete a Merchant Profile. This is a short survey that will ask you questions about how you accept and process credit cards. The information you provide will be used by TrustKeeper to help customize the rest of your PCI DSS compliance validation process.

TIP: The Merchant Profile will help determine which Self-Assessment Questionnaire (SAQ) is best for you.

To help you collect the type of information necessary to complete your Merchant Profile, refer to the following checklist.

Merchant Profile Checklist

___ Which card brands you accept (Visa, MasterCard, Discover, Amex, etc.)
___ How you accept them (in person/card-present, e-commerce, telephone, mail order)
___ Your credit card transaction volume -- you may want to have a recent merchant statement available
___ Whether or not you store credit card data in an electronic format (transaction logs, electronic copies of receipts, reports, etc.)
___ How you send credit card transactions to your acquiring bank or processor
___ How you connect to the Internet, if applicable (dial-up, cable modem, DSL, etc.)

If you use a Point-of-sale (POS) terminal or application to read credit card information (e.g. from a card swipe), you will need:

___ The manufacturer/vendor name and model/version information (e.g. Verifone Omni 3750, Micros RES 4.1)
___ How this equipment communicates to your acquiring bank or processor (dial-up line, Internet, through a back-of-the-house system, etc.)
___ Information on whether a third-party (such as a vendor or reseller) maintains your equipment, and whether they do so securely

If you have an e-commerce website, you will need:

___ Which shopping cart software you use (if applicable)
___ Which hosting provider you use to host your website
___ Which third-party service provider or payment gateway handles the processing of credit card transactions for you

You can update your Merchant Profile at any time after completing it by clicking on the Merchant Profile link on your TrustKeeper home page.


4. External Vulnerability Scan

What is an External Vulnerability Scan?

An external vulnerability scan is a security probe of your store, web site, or business office performed by TrustKeeper.  It is an automated, non-intrusive scan that assesses your network and web applications from the Internet. The scan will identify any vulnerabilities that may allow an unauthorized or malicious user (such as a hacker) to break in over the Internet and steal your customers' credit card data.  TrustKeeper will run vulnerability scans periodically -- usually monthly or quarterly -- in order to ensure you are aware of the latest threats against your business from such attackers. 

TIP: It is important to note that this is a very real risk to both e-commerce web sites and computers such as payment terminals at brick-and-mortar locations.

Do I need a Vulnerability Scan?

Depending on your business environment, you may or may not need to have an external vulnerability scan performed on your business as part of the compliance validation process.  Generally, a scan is required if any of the following apply to you.

  • You are an e-commerce merchant with a web site that accepts credit cards for purchases.  (Exceptions to this may include merchants who completely outsource all web site functions related to checkout and payment to a PCI DSS-compliant 3rd-party service provider.)
  • You are a brick-and-mortar, mail-order, or telephone-order merchant who has Internet connectivity at your business.  (Exceptions to this may include merchants who only connect to the Internet through dial-up connections.)  For example:
    - A merchant with point-of-sale (POS) terminals that connect through a cable or DSL modem to the Internet for sending credit card transactions to your acquiring bank or processor.
    - A merchant using simple POS terminals that connect to a computer running a payment application, which is connected through a cable or DSL modem to the Internet.
    - A merchant using POS terminals or payment software that uses a phone line to send credit card transactions, but which is also connected to the Internet or to other systems in the business that are connected to the Internet.
    - A merchant that uses a "virtual POS terminal" -- a computer that connects to a 3rd-party service provider over the Internet, where you swipe cards or key in card numbers directly on the service provider's systems.


Getting Started With Vulnerability Scanning

There are two steps to getting started with vulnerability scans:

1. Configure the Scan Parameters -- this tells TrustKeeper what to scan for your business
2. Schedule the Scan -- this tells TrustKeeper when you would like it to scan your business

TIP: If you are scheduling your scan for the first time, TrustKeeper will guide you through both steps in succession.

After the scan completes (it will usually take less than an hour unless you have a large network), you can review the results in TrustKeeper.  If you did not pass, you can fix the problems and then request another scan.

To get started, click the "Edit Scan Profile" link on your TrustKeeper home page.


Configuring the Scan Parameters (What to Scan)

Configuring the scan parameters tells TrustKeeper what it needs to scan.  If you are using TrustKeeper to perform vulnerability scans required by the PCI DSS, you should set up your Scan Profile so that it includes all systems (firewalls, servers, PCs, etc.) that store, process or transmit cardholder data. The PCI DSS also requires that you scan systems that are "connected to" your payment-related systems, as they could provide a path for an attacker to steal cardholder data.

The Scan Profile link on your TrustKeeper home page will take you to a form you can use to list out your scan parameters.  Detailed help is available in the form for how to fill this out depending on your business environment.

TIP: For brick-and-mortar merchants, an easy way to fill this form out is to use the TrustKeeper Agent.  The TrustKeeper Agent is a small download that you install on a computer at your location, and it informs TrustKeeper of your location (your IP address).  See the "Using the TrustKeeper Agent" section below for information on downloading and installing the agent.  Once installed, you simply check off the agents on the Scan Profile form to include them in the scan.

Once you have completed the form, you need to enter your initials at the bottom and click the "Schedule Scan" button.


Scheduling the Scan (When to Scan)

Next, you need to schedule your scan.  TrustKeeper offers two types of scheduled scans:

  1. Periodic Scheduled Scans -- These are your regularly scheduled scans, usually monthly or quarterly.
  2. Directed (One-Time) Scans -- These are scans you schedule outside of your periodic scans.  For example, if you fail a monthly scan but subsequently fix the problem, you can run a directed scan to verify the fix (as opposed to waiting a month for your next periodic scan).

If you are not already on the schedule page, click "Vulnerability Scan" from the left navigation menu, then click "Schedule First Scan" near the top of the Manage Scans screen.

The first time you schedule a scan (after filling out the Scan Profile form described above), TrustKeeper uses that date and time as your preference for scheduling the rest of your scans.  For example, if your TrustKeeper service allows monthly scans and you schedule your first on March 15 at 2:00am, then the second scan will automatically be scheduled for April 15 at 2:00am, the third on May 15 at 2:00am, etc.

Viewing or Modifying a Scheduled Scan

To view your complete scan schedule click on the "Vulnerability Scan" link in the left navigation menu.

This screen shows you your scan parameters (from the Scan Profile) along with your forthcoming scan schedule.  If you wish to alter this schedule, you can use the following functions.

To cancel a scan: click the STOP icon (Cancel Scan) next to the scan you want to cancel. This removes it from the schedule.

To reschedule a single scan: click the calendar icon (Reschedule Scan) next to the scan you want to reschedule. This brings up the schedule scan page.

To reschedule all future scans: click the calendar icon (Reschedule Scan) next to a scan, and on the schedule scan page check the box that says "Use this time for ALL pending scans."

To schedule a directed scan: click the "Directed Scan Request" link near the top of the page. This lets you schedule a one-time scan outside of your normal schedule.


Viewing the Results

You will receive e-mail notifications prior to a vulnerability scan, as well as an e-mail when a scan has completed and the results are available.  Once logged in to TrustKeeper, the easiest way to view the scan results is to consult your Overall Program Status bar at the top of the screen.

The status of the scan will be displayed on the right, either "Pass" or "Fail".  Beneath the status you will see the date and time of the last scan that ran.  You can click on this link to open the detailed Scan Report.


Reading the Detailed Scan Report

The scan report is organized as follows:

Dashboard Results: Near the front of the report is a page that lists a summary of the results by vulnerability severity.  (See below for an example.)

Scan Parameters: A list of the parameters you specified as targets of the scan, from your Scan Profile.

Scan Results: A detailed listing, for each computer/system, of all of the findings for that computer/system.  (See below for an example of how to read the findings.)

System Information: Supplemental information from the scan, including an inventory of the computers/systems the TrustKeeper scanner discovered, a list of web sites found, and a list of SSL certificates discovered on these web sites.

Vulnerabilities discovered during the scan are assigned two important scores:

  1. The severity of the vulnerability is a measure of the risk that the vulnerability could be exploited and of how much damage could be done (in other words, how important this vulnerability is to fix).
  2. The PCI impact of the vulnerability indicates whether or not it is important to fix from a PCI DSS perspective.  This may differ from the severity, since the focus of PCI DSS is on protecting cardholder data, not necessarily on protecting your business.

TIP: To pass a vulnerability scan and validate compliance with PCI DSS, you only need to fix the vulnerabilities that have a PCI impact, as indicated by the red PCI icon.

An example of the Dashboard Results page follows.  It contains a summary count of vulnerabilities by severity and PCI impact.

For each listed vulnerability, the detailed scan report lists:

  • The computer or device with the vulnerability.
  • The severity of the vulnerability, based on an industry standard scoring methodology that incorporates how difficult it would be for an attacker to exploit the vulnerability and what the impact of an attack would be.
  • The PCI impact, where a red "PCI" icon indicates that this vulnerability is relevant for PCI DSS and will therefore cause the scan to fail.  These are the vulnerabilities you are required to remediate in order to pass the scan.
  • The affected ports and services.
  • The specifics of the vulnerability, along with any evidence needed to reproduce it and links to resources describing it in more detail.
  • The suggested remediation action, usually advice on disabling the affected area, applying a patch, or upgrading a software application.


Viewing Results for Older Scans

If you wish to see previous scan results for comparison with the most recent, use the "View Results" menu link in the left navigation menu.  This will take you to a listing of all of your scan (and SAQ) reports in order of date, with the most recent first.

From here, you can:

1. Access the same report you opened from the Overall Program Status bar at the top of the screen by clicking on the most recent scan result.
2. Access older scan reports by clicking on them.
3. Download the results of any scan in a text format (CSV) which can be opened in spreadsheet software like Microsoft Excel.
4. Open the page where you can submit requests for appeals (see below).


Requesting an Appeal for a Reported Vulnerability

If TrustKeeper has identified a vulnerability for which you would like an exception, you may submit a request for an appeal.  There are several reasons why you may do this, for example:

1. The finding may be a "false positive", where TrustKeeper believes the vulnerability exists but you know it does not (for example, you have already applied a patch to the computer to address it).  Because TrustKeeper does not actually try to exploit any vulnerabilities it finds, it can sometimes recognize signs that a vulnerability exists when the computer is not really vulnerable.
2. The finding may be mitigated by other controls in place in the environment.  If you can justify that the vulnerability cannot be exploited by a hacker because of other security measures in place, you can request an appeal.

To request an appeal, go to the "View Results" page, find the most recent scan in the list, and click "Appeal/Manage Findings".  You will see a list of all of the vulnerabilities from the scan.  Select the one you wish to appeal by clicking the "Appeal" link in the Actions column.

Select the reason for the appeal and provide your explanation or evidence in the box provided.

TIP: If the same vulnerability was discovered on multiple computers or devices, you can appeal all of them at the same time by checking the boxes at the bottom of the page.  If the appeal reason or explanation is different for each computer, you can submit them separately.

If your appeal request is approved, two things will happen:

  • Depending on the type of appeal and explanation provided, the appeal may be approved either for a single scan, or for the current scan and all future scans for the next twelve months (for the specific computers or devices that had the appeal -- it will not cover other devices).
  • Your scan report will be regenerated and rescored.  The appealed vulnerability will no longer impact the score, but will be listed in the appendix of the detailed Scan Report for audit purposes.
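The scoring rules from this and the previous section (PCI-impact findings fail the scan; an approved appeal is scoped to one device and to either a single scan or twelve months; appealed findings leave the score but stay in an appendix), worked through as an added example that is not TrustKeeper's code. The field names, severity scale, scope labels and sample findings are all constructed for illustration; the guide does not show the real report or appeal formats.

```python
"""Rescore a scan report as the guide describes: PCI-impact findings fail the
scan, approved appeals drop out of the score but are kept in an appendix.

Added example, not TrustKeeper's code. Field names, the severity scale, the
appeal scope labels and all sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str          # the computer or device with the vulnerability
    vuln_id: str       # identifier of the reported vulnerability (constructed)
    severity: int      # 1 (low) .. 5 (high); constructed scale
    pci_impact: bool   # True == red "PCI" icon: must be fixed to pass
    service: str       # affected port/service


@dataclass(frozen=True)
class Appeal:
    """Approved appeal: valid for one named scan, or for twelve months from
    approval; in both cases only for the specific device it was filed for."""
    host: str
    vuln_id: str
    approved_on: date
    scope: str                     # "single_scan" or "twelve_months"
    scan_id: Optional[str] = None  # required when scope == "single_scan"

    def covers(self, finding: Finding, scan_id: str, scan_date: date) -> bool:
        if (finding.host, finding.vuln_id) != (self.host, self.vuln_id):
            return False  # an appeal never carries over to other devices
        if self.scope == "single_scan":
            return scan_id == self.scan_id
        if self.scope == "twelve_months":
            end = self.approved_on + timedelta(days=365)
            return self.approved_on <= scan_date < end
        raise ValueError(f"unknown appeal scope: {self.scope}")


@dataclass
class ScoredReport:
    scan_id: str
    passed: bool
    must_fix: List[Finding]       # PCI-impact findings that still count
    informational: List[Finding]  # findings with no PCI impact
    appendix: List[Finding]       # appealed findings, listed for audit only
    dashboard: Dict[str, Dict[int, int]]  # severity counts, split by PCI impact


def dashboard_counts(findings: List[Finding]) -> Dict[str, Dict[int, int]]:
    """Dashboard Results style summary: count per severity, split into
    findings with ("pci") and without ("non_pci") PCI impact."""
    counts: Dict[str, Dict[int, int]] = {"pci": {}, "non_pci": {}}
    for f in findings:
        bucket = counts["pci" if f.pci_impact else "non_pci"]
        bucket[f.severity] = bucket.get(f.severity, 0) + 1
    return counts


def rescore(findings: List[Finding], appeals: List[Appeal],
            scan_id: str, scan_date: date) -> ScoredReport:
    """Apply approved appeals, then pass only if no PCI-impact finding remains."""
    appendix, scored = [], []
    for f in findings:
        if any(a.covers(f, scan_id, scan_date) for a in appeals):
            appendix.append(f)
        else:
            scored.append(f)
    must_fix = [f for f in scored if f.pci_impact]
    informational = [f for f in scored if not f.pci_impact]
    return ScoredReport(scan_id, not must_fix, must_fix, informational,
                        appendix, dashboard_counts(scored))


# Constructed sample data: two POS hosts sharing one SSL finding, one web host.
SAMPLE_FINDINGS = [
    Finding("pos-01.example", "VULN-SSLV2", 4, True, "443/tcp"),
    Finding("pos-02.example", "VULN-SSLV2", 4, True, "443/tcp"),
    Finding("pos-01.example", "VULN-BANNER", 1, False, "80/tcp"),
    Finding("web-01.example", "VULN-OLDCMS", 5, True, "443/tcp"),
]
SAMPLE_APPEALS = [
    # false positive on pos-01 only, approved for twelve months
    Appeal("pos-01.example", "VULN-SSLV2", date(2010, 3, 15), "twelve_months"),
    # mitigated by other controls, approved for the March scan only
    Appeal("web-01.example", "VULN-OLDCMS", date(2010, 3, 15), "single_scan",
           scan_id="scan-0315"),
]
SAMPLE_SCANS = {"scan-0315": date(2010, 3, 15), "scan-0415": date(2010, 4, 15),
                "scan-2011": date(2011, 3, 15)}  # 2011: twelve months elapsed

if __name__ == "__main__":
    for sid, d in SAMPLE_SCANS.items():
        r = rescore(SAMPLE_FINDINGS, SAMPLE_APPEALS, sid, d)
        print(sid, "PASS" if r.passed else "FAIL",
              "must fix:", [(f.host, f.vuln_id) for f in r.must_fix],
              "appendix:", [(f.host, f.vuln_id) for f in r.appendix])
```

Running it shows the April scan still failing on pos-02 (the appeal was filed for pos-01 only) and on web-01 (its appeal covered only the March scan), while the 2011 scan fails on pos-01 again once the twelve months have elapsed.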


5. Completing the Self-Assessment Questionnaire

The Self-Assessment Questionnaire (SAQ) is required for all but the largest (Level 1) merchants. The SAQ is derived directly from the PCI DSS requirements, essentially asking whether each specific requirement is met by your organization. There are more than 220 questions in the full SAQ, but not all merchants are required to answer all questions.

Prior to beginning the SAQ, it is strongly recommended that you complete or update your Merchant Profile. This will help to:

  • Identify which version of the SAQ is right for your business (see next section). In many cases this will dramatically reduce the number of questions you need to answer.
  • Identify portions of the SAQ that can be pre-filled for you based on applicability to your business.

Note: This section of the TrustKeeper Getting Started Guide contains instructions specific to how TrustKeeper presents the SAQ and the functionality provided.  For the official instructions, including guidance on which SAQ to complete, see the Instructions and Guidelines published by the PCI Security Standards Council.


Which SAQ is Right for me?

The PCI SAQ actually has four versions. Some organizations' business environments are less complex than others and so the validation requirements are correspondingly simplified. Note that, according to payment brand rules, all merchants are required to comply with the PCI DSS in its entirety. The reduced questionnaires are intended to simplify the validation process by focusing on areas particularly relevant to less-complex businesses. The four versions of the SAQ and the intended business types are listed in the following table.

SAQ A: Card-not-present (e-commerce or mail/telephone-order) merchants, with all cardholder data functions outsourced to a PCI DSS-compliant service provider. This would never apply to face-to-face merchants.

SAQ B: Imprint-only merchants with no electronic cardholder data storage, OR stand-alone dial-up terminal merchants with no electronic cardholder data storage.

SAQ C: Merchants with POS systems connected to the Internet, and with no electronic cardholder data storage.

SAQ D: All other merchants (not covered by the descriptions for SAQ A, B, or C above) and all service providers defined by a payment brand as eligible to complete an SAQ.


When you begin the SAQ, TrustKeeper allows you to select from the four SAQ versions.  TrustKeeper will indicate which SAQ has been recommended for you based on your Merchant Profile.  If you have not updated your Merchant Profile lately, TrustKeeper may not be able to accurately recommend an SAQ and will default to SAQ D.  You may update your Merchant Profile to correct this.

SAQ A, B, and C each have a set of eligibility criteria that must be met in order to qualify for them.  TrustKeeper lists these eligibility criteria as the first page of the SAQ as "True/False" questions.

TIP: In order to ensure you meet the eligibility criteria for the SAQ, it is recommended that you complete or revisit your Merchant Profile.  This will guide you through the different criteria to determine the most applicable SAQ version for your business.


SAQ Instructions

TrustKeeper presents the SAQ in several sections:

Eligibility Criteria (SAQ A, B, C): The set of statements to which a merchant must attest in order to qualify for one of the reduced SAQ versions (see previous section).

Requirements 1-12 (SAQ A, B, C, D): The detailed SAQ questions based on the PCI DSS requirements.  SAQ D has the full set of questions in all twelve sections, whereas the other SAQ versions have a subset of the twelve sections and, within those, only a subset of the full question list.

Confirmation and Acknowledgement (SAQ A, B, C, D): An affirmation that the SAQ was answered truthfully, along with an electronic signature to be completed by an executive officer of the company.


As you progress through the SAQ, you can skip over questions you do not have the answer to at that time.  However, the SAQ will not be complete (submitted and scored by TrustKeeper) until all questions are answered.  If at any point you wish to stop working for a time to collect more information, you may use the "SAVE" button to preserve your answers.  When you resume the SAQ later, you can pick up where you left off.

TIP: It is recommended that you occasionally use the "SAVE" functionality to save your work while completing the SAQ -- especially if you are using SAQ D -- in order to avoid a session timeout from your web browser.

When you resume a saved session TrustKeeper will present you with a shortened list of all of the unanswered questions -- the items that remain for you to complete.  A tab at the top will show you the entire questionnaire, including the questions you have answered and those you have not.

Note: if you completed the Merchant Profile, you may also see some questions which TrustKeeper has pre-answered for you.  These will be indicated by a blue arrow, as in the following example.  These answers are recommended by TrustKeeper based on information you provided in your Merchant Profile, but you should review them to make sure they properly reflect your organization.

The following sections give detailed instructions on how to complete the different sections listed above.

Eligibility Criteria

If you choose SAQ A, B, or C, the first section you will see will be the eligibility criteria mentioned in the previous section.  If for any reason you cannot answer "True" to all of the questions in this section, you may not be eligible for that SAQ.  Please CANCEL the questionnaire and either choose another, or else revisit your Merchant Profile in order to have TrustKeeper recommend the appropriate SAQ.

Requirements 1-12

The questions in sections 1-12 are derived from the PCI DSS.  Next to each question, there is a specific numeric reference to the PCI DSS requirement to which you can refer for more information.

For each of the questions in sections 1-12, there are four possible answers:

  • Yes -- indicates that your business complies with the requirement
  • No -- indicates that your business does not fully comply with the requirement
  • Not Applicable -- indicates that the requirement does not apply to your business.  NOTE: If you choose this answer, you must provide an explanation in the "Comments" area for the question to explain why the requirement is not applicable.
  • Compensating Control -- indicates that your organization cannot meet the requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.  NOTE: If you choose this answer, you must provide an explanation in the "Comments" area that meets the guidelines for Compensating Controls (see next section).

TrustKeeper also provides help and guidance for each question through the blue question mark icon.  This guidance was developed by Trustwave's Compliance Validation team and is written for the specific SAQ version.  Thus, the help displayed for a merchant completing SAQ A, B, or C is somewhat simpler than the help displayed for a merchant using SAQ D.

Confirmation and Acknowledgement

This section consists of a few statements that must be answered to confirm that you are compliant, and that you have completed the SAQ in accordance with the instructions.  There are two additional fields for the "electronic signature", where your organization needs to have an executive officer provide his name and title indicating that the questionnaire is accurate.


Using Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.  Compensating controls must satisfy the following criteria:

1. Meet the intent and rigor of the original PCI DSS requirement.

2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)

3. Be "above and beyond" other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)

4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

When you select "Compensating Control" as the answer to a question in the SAQ, you are required to provide a description in the "Comments" area for that question.

Information Required

  • Constraints -- List constraints precluding compliance with the original requirement.
  • Objective -- Define the objective of the original control; identify the objective met by the compensating control.
  • Identified Risk -- Identify any additional risk posed by the lack of the original control.
  • Definition of Compensating Controls -- Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
  • Validation of Compensating Controls -- Define how the compensating controls were validated and tested.
  • Maintenance -- Define process and controls in place to maintain compensating controls.

TIP: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance. 
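The answer rules from the SAQ instructions and the compensating-control worksheet above, as an added Python example; this is not TrustKeeper's code.  It encodes that "Not Applicable" and "Compensating Control" are only accepted with an explanation in Comments, that a compensating-control comment must address all six worksheet items, that each question scores Pass or High, and that a single High fails the SAQ.  The question numbers, answers and comment texts in the sample are constructed.

```python
"""Model of how SAQ answers score, as this guide describes the rules.

Added example, not TrustKeeper's code.  "Not Applicable" and
"Compensating Control" need an explanation in Comments, a
compensating-control comment must cover the six worksheet items, each
question scores Pass or High, and one High fails the SAQ.  The sample
answers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# The six headings the compensating-control worksheet must address.
WORKSHEET_ITEMS = (
    "Constraints",
    "Objective",
    "Identified Risk",
    "Definition of Compensating Controls",
    "Validation of Compensating Controls",
    "Maintenance",
)

VALID_ANSWERS = {"Yes", "No", "Not Applicable", "Compensating Control"}


@dataclass
class Answer:
    requirement: str   # PCI DSS reference shown next to the question
    answer: str
    comment: str = ""


def missing_worksheet_items(comment: str) -> list[str]:
    """Return the worksheet headings that a compensating-control comment omits."""
    lowered = comment.lower()
    return [item for item in WORKSHEET_ITEMS if item.lower() not in lowered]


def score_answer(a: Answer) -> tuple[str, str]:
    """Return (status, reason); status is 'Pass' or 'High' as in the SAQ report."""
    if a.answer not in VALID_ANSWERS:
        raise ValueError(f"{a.requirement}: unknown answer {a.answer!r}")
    if a.answer == "Yes":
        return "Pass", "requirement met"
    if a.answer == "No":
        return "High", "requirement not fully met"
    # Both remaining answers are only accepted with an explanation.
    if not a.comment.strip():
        return "High", f"{a.answer} requires an explanation in Comments"
    if a.answer == "Compensating Control":
        missing = missing_worksheet_items(a.comment)
        if missing:
            return "High", "worksheet incomplete, missing: " + ", ".join(missing)
    return "Pass", f"{a.answer} with explanation"


def score_saq(answers: list[Answer]) -> dict:
    """Score every answer; any High makes the overall SAQ result Fail."""
    rows = {a.requirement: score_answer(a) for a in answers}
    overall = "Fail" if any(status == "High" for status, _ in rows.values()) else "Pass"
    return {"overall": overall, "rows": rows}


# Constructed sample answers (question numbers and comments are made up).
FULL_WORKSHEET = (
    "Constraints: the legacy POS vendor has not shipped a patch. "
    "Objective: keep the payment application free of known flaws. "
    "Identified Risk: exposure window until the vendor patch. "
    "Definition of Compensating Controls: host firewall and network segmentation. "
    "Validation of Compensating Controls: rule set reviewed and tested quarterly. "
    "Maintenance: change control covers firewall and segmentation changes."
)

SAMPLE_ANSWERS = [
    Answer("1.1", "Yes"),
    Answer("2.3", "No"),
    Answer("6.1", "Compensating Control", FULL_WORKSHEET),
    Answer("4.1", "Not Applicable"),                  # missing explanation
    Answer("9.1", "Compensating Control",
           "Constraints: ... Objective: ... Identified Risk: ... "
           "Definition of Compensating Controls: ... "
           "Validation of Compensating Controls: ..."),  # no Maintenance item
]

if __name__ == "__main__":
    result = score_saq(SAMPLE_ANSWERS)
    for req, (status, reason) in result["rows"].items():
        print(f"{req:<5} {status:<4} {reason}")
    print("Overall:", result["overall"])
```

The worksheet check is deliberately a presence check on the six headings: it catches a comment that skipped a section, which is the common reason a compensating-control answer is rejected, but it cannot judge whether the described controls actually meet the four criteria listed earlier in this section.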


Understanding the Results

Once you have completed the SAQ in its entirety -- answered every question and clicked "Submit" -- your SAQ is scored.  The result is either "Pass" or "Fail", and it is shown immediately in the status bar at the top of your screen.  To view the full report from your SAQ, click on the underlined date on which you submitted the completed SAQ.

This will launch Adobe Acrobat Reader and display the PDF report.  You will see your overall score (Pass or Fail) from the SAQ, as well as a detailed analysis of all of the answers you provided.  For each question in the SAQ, you will find:

  • The question text
  • The answer you provided
  • The best answer
  • Any detail you provided in the "Comments" area for the question
  • A Pass/High status for the specific requirement
  • If the status is "High", you will see suggested remediation advice on how to address the failure.

If your overall score for the SAQ is:

  • Pass -- You have completed this step.  Your passing SAQ will be valid for one year from the date you completed it.  NOTE: You must come back to TrustKeeper within 12 months and complete another SAQ in order to maintain a passing score.
  • High -- Your overall PCI DSS status will be "Non-Compliant" until you address the requirements you missed.  Once you have resolved any outstanding issues, you can either edit your previous SAQ to modify the answers, or you can "Restart" a new copy of the SAQ and submit it.  TIP: If a lot of time has passed since you originally submitted the failing SAQ, it may be better to "Restart" so that once you pass it you have a year from that date before it expires.


6. Using the TrustKeeper Agent

The TrustKeeper Agent is a component of Trustwave's TrustKeeper solution.  It enables some advanced features of TrustKeeper by extending TrustKeeper's security and compliance services to your own systems.   For example, the TrustKeeper Agent can:

1. Help you set up compliance and vulnerability scans, such as those required by the Payment Card Industry Data Security Standard (PCI DSS), and make managing those scans much easier.

2. Monitor systems to ensure their security settings meet the requirements described in the PCI DSS.

3. Inspect systems for storage of prohibited data, such as credit card magnetic-stripe data (or what is sometimes referred to as track data).

4. Detect installed point-of-sale (POS) payment applications and identify whether they are compliant with the PCI security standards for payment applications.

The TrustKeeper Agent is a small software application that is installed on Windows-based systems, such as desktop computers, servers, and POS or back-of-house (BOH) applications that use Microsoft Windows 2000, Windows XP, Windows 2003, or Windows Vista (32-bit only).

This section describes how you can use the TrustKeeper Agent to assist you with the compliance validation process.

TIP: In addition to the information contained here, there is more information on using the TrustKeeper Agent in the TrustKeeper Agent Quick Start Guide and the TrustKeeper Agent User Guide, which contains advanced configuration and troubleshooting information.  These documents can be found on the TrustKeeper Agents screen (from the left navigation menu).


Downloading the TrustKeeper Agent

You can download the TrustKeeper Agent directly from within your TrustKeeper account.  To do this, use the "TrustKeeper Agents" link in the left navigation menu.  This will take you to the main TrustKeeper Agent configuration page.  Here, you can download the TrustKeeper Agent as well as configure the checks that the agent runs nightly, and view the reports.

In addition to the information described in the following sections, there are three documents available with more details on installing and configuring the TrustKeeper Agent.  These can all be accessed from the TrustKeeper Agents page.

  • Frequently-Asked Questions -- a short document with some answers to common questions about what the TrustKeeper Agent is.
  • Quick Start Guide -- a two-page document intended to quickly help you understand how to install the TrustKeeper Agent and enable the various features of the agent.
  • TrustKeeper Agent User Guide -- a much more detailed manual that describes how to install the TrustKeeper Agent (with screenshots and command-line options), how to configure the features and view the results, as well as advanced configuration and troubleshooting tips.

TIP: The TrustKeeper Agent may have been given to you by a Trustwave partner such as your merchant acquiring bank or processor.  If so, you can continue to use this on any computers within your organization, or you can download it from TrustKeeper as described above.


Assistance with External Vulnerability Scan

The TrustKeeper Agent can be used to simplify the setup and ongoing management of TrustKeeper's external vulnerability scans.

  • If you need help setting up your account for a TrustKeeper vulnerability scan (e.g. you do not know how to find your IP address for scanning, or how to fill out the Network Questionnaire in TrustKeeper), the TrustKeeper Agent can help.
  • If you have one or more locations that have dynamic IP addresses, the TrustKeeper Agent will report back to TrustKeeper what IP addresses to use prior to a scan.  This is often the case for smaller retail outlets or remote offices which use a cable modem or DSL line for Internet connectivity.
  • If you have multiple locations or systems that will be scanned and want an automated method of keeping your scan targets in the Network Questionnaire complete, deploying TrustKeeper Agents will provide this automated update.

The TrustKeeper Agent is installed on a system running Microsoft Windows and reports its status back to the TrustKeeper portal.  Each time it does so, TrustKeeper records the address the agent reported from and uses that address when it performs a vulnerability scan.

TIP: When using the TrustKeeper Agent solely to help with vulnerability scanning, you only need to install the agent on one of the systems at the location to be scanned.

Once you have installed one or more TrustKeeper Agents, you can open the Network Questionnaire from your TrustKeeper home page, and simply check the TrustKeeper Agents that should be used to configure the vulnerability scan.  These will be in the top section of the Network Questionnaire.  Once selected, save the questionnaire and schedule your scans per the instructions in the "Getting Started With Vulnerability Scanning" section above.  For more information on using the TrustKeeper Agent for scanning, refer to the TrustKeeper Agent User Guide available through the TrustKeeper Agents page in TrustKeeper.


Assistance with the SAQ

The TrustKeeper Agent can be used to provide assistance when filling out the Self-Assessment Questionnaire (SAQ).  It does this through the Compliance Monitoring functionality, which provides an easy way to compare a computer's local security settings against the minimum security requirements specified in the PCI DSS, alerting you to any gaps you may have.  The Compliance Monitoring reports highlight which parts of the PCI DSS the computer meets or fails to meet, and can direct you to the relevant portions of the SAQ.

To use it for this purpose, perform the following steps.

1. Install the TrustKeeper Agent on all computers in your store or company that are in scope for PCI DSS compliance.  For smaller merchants, such as those having only a few retail locations, this will likely be all computers, including those running payment application or point-of-sale software.  Note that the TrustKeeper Agent is only supported on Windows-based computers -- it will not function on terminals (such as handheld card-swipes or PIN pad devices) or on computers that use Macintosh- or Unix-based payment software.

2. Enable the Compliance Monitoring feature on these agents.  To do this, use the TrustKeeper Agents link in the left navigation menu, select all of the agents you want to perform Compliance Monitoring, and click "Update" to save the settings.

3. Once enabled, the TrustKeeper Agents run a nightly inspection on the computers on which they are installed and report the findings back to TrustKeeper, where you can access the findings in daily reports.  These reports are detailed for each individual system, as well as consolidated into a summary report for all systems at a location.  To access the reports, use the TrustKeeper Agents link in the left navigation menu, then select the "Agent Status" tab at the top of the screen.  You will see a table listing all of your installed agents.  You can click on the Compliance Report icon (https://www.trustkeeper.net/esp/images/reports.gif) to open an individual agent report, or if you have multiple agents installed on different computers you can use the summary report.

(For more information on configuring the TrustKeeper Agent for Compliance Monitoring or accessing the reports, refer to the TrustKeeper Agent User Guide available through the TrustKeeper Agents page in TrustKeeper.)

4. The Compliance Report contains multiple sections.  For completing the SAQ, it is the "Policy Compliance" section of the report that you can reference.  There are actually multiple parts to the Policy Compliance section, including System Configuration, User and Password, and System Audit.  Each section has a list of requirements, as shown in the following illustration.

For each line you can see the "Name" and "Requirement" detail, as well as the "System Setting" in place on your computer.  The first column, "Status", indicates whether this particular computer passes or fails that requirement.  In the example above, the "Audit Invalid Access Attempts" and "Audit Administrator Activity" settings on this computer do not meet the PCI DSS requirements.  The last column, "PCI Requirement", is a reference to the actual DSS requirement (and the matching SAQ question) that you can use to identify the areas these pass/fail scores would impact.  Using this same example, the merchant would not be able to answer "Yes" to questions 10.2.2 and 10.2.4 until the failed requirements on this computer had been addressed.
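The Policy Compliance rows described above, as an added Python example that is not the TrustKeeper Agent's code.  It reads the CSV that the Windows command `auditpol /get /category:* /r` prints, checks three audit settings, and produces rows in the report's shape (Status, Name, Requirement, System Setting, PCI Requirement), then lists the SAQ questions that cannot be answered "Yes" while any row fails.  The mapping of Windows audit subcategories to PCI DSS requirements 10.2.2, 10.2.4 and 10.2.5 is this example's own assumption, not Trustwave's; the check names follow the report wording quoted above; the sample auditpol output is constructed, with placeholder GUIDs.

```python
"""Check Windows audit-policy settings against PCI DSS logging requirements.

Added example, not the TrustKeeper Agent's code.  It reproduces the shape
of the agent's "Policy Compliance" rows (Status, Name, Requirement,
System Setting, PCI Requirement) by reading the CSV that
``auditpol /get /category:* /r`` prints.  The mapping of Windows audit
subcategories to PCI DSS 10.2.x items is this example's own assumption.
"""
from __future__ import annotations

import csv
import io
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    name: str             # row "Name", worded like the agent report
    subcategory: str      # Windows audit subcategory to inspect
    required: frozenset   # audit outcomes that must be enabled
    pci_requirement: str  # PCI DSS requirement the row maps to


# Assumed mapping (this example's, not Trustwave's): which subcategory
# outcomes satisfy which PCI DSS 10.2 logging requirement.
CHECKS = (
    Check("Audit Invalid Access Attempts", "Logon", frozenset({"Failure"}), "10.2.4"),
    Check("Audit Administrator Activity", "Sensitive Privilege Use",
          frozenset({"Success", "Failure"}), "10.2.2"),
    Check("Audit Use of Authentication Mechanisms", "Logon", frozenset({"Success"}), "10.2.5"),
)


def parse_setting(setting: str) -> frozenset:
    """Turn an auditpol 'Inclusion Setting' value into the set of audited outcomes."""
    setting = setting.strip()
    if not setting or setting == "No Auditing":
        return frozenset()
    return frozenset(part.strip() for part in setting.split(" and "))


def parse_auditpol_csv(text: str) -> dict[str, str]:
    """Map subcategory -> raw 'Inclusion Setting' from auditpol /r output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]   # auditpol may print blank lines
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip() for row in reader}


def evaluate_audit_policy(text: str) -> list[dict]:
    """Build one Policy Compliance style row per check."""
    settings = parse_auditpol_csv(text)
    rows = []
    for chk in CHECKS:
        raw = settings.get(chk.subcategory)
        enabled = parse_setting(raw or "")
        rows.append({
            "Status": "Pass" if chk.required <= enabled else "Fail",
            "Name": chk.name,
            "Requirement": f"{chk.subcategory}: {' and '.join(sorted(chk.required))}",
            "System Setting": raw if raw is not None else "Not reported",
            "PCI Requirement": chk.pci_requirement,
        })
    return rows


def failed_pci_requirements(rows: list[dict]) -> list[str]:
    """SAQ questions that cannot be answered 'Yes' while these rows fail."""
    return sorted({r["PCI Requirement"] for r in rows if r["Status"] == "Fail"})


def read_live_policy() -> str:
    """Run auditpol on the local Windows host (needs an elevated prompt)."""
    return subprocess.run(["auditpol", "/get", "/category:*", "/r"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample in auditpol /r layout; host name and GUIDs are placeholders.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
POS-01,System,Logon,{00000000-0000-0000-0000-000000000001},Success,
POS-01,System,Logoff,{00000000-0000-0000-0000-000000000002},Success,
POS-01,System,Sensitive Privilege Use,{00000000-0000-0000-0000-000000000003},No Auditing,
POS-01,System,Account Lockout,{00000000-0000-0000-0000-000000000004},Success,
"""

if __name__ == "__main__":
    rows = evaluate_audit_policy(SAMPLE_AUDITPOL_CSV)
    for r in rows:
        print(f"{r['Status']:<4} {r['Name']:<40} {r['System Setting']:<20} {r['PCI Requirement']}")
    print("Cannot answer Yes to:", ", ".join(failed_pci_requirements(rows)))
```

On the constructed sample, the first two rows fail and the third passes, which reproduces the situation described in this section: questions 10.2.2 and 10.2.4 stay open until failure auditing for logons and auditing of sensitive privilege use are enabled on that computer.  To check a real host, replace the sample with the string returned by `read_live_policy()`.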


7. Documentation and Reports

TrustKeeper provides three documents as proof that you have completed and passed the necessary steps -- i.e. that you have validated compliance with the PCI DSS.  They can be accessed at the bottom of the Home page.

Certificate of Compliance

Availability: when you have completed and passed all necessary steps (the SAQ and, if applicable, an external vulnerability scan).

Description: A one-page, printable certificate issued by Trustwave that affirms that you have completed the necessary steps to validate compliance with the PCI DSS.  This is the simplest document to share with business partners or others who want to see proof of validation.

Executive Summary

Availability: when you have completed and passed an external vulnerability scan, if applicable.

Description: A two-to-three page executive summary of both your SAQ score (if available) and your vulnerability scan results.  This mainly contains the overall score for the scan (pass/fail) and individual pass/fail scores for the individual computers and systems scanned.  It does not provide detailed findings or descriptions.

Trusted Commerce Seal

Availability: always (if you are required to have a vulnerability scan).

Description: Intended for e-commerce merchants, this is a web site seal that you can post on your web site to reassure customers that your site is secure.  When a customer clicks the seal, a window pops up and asserts that you are:

  • "Enrolled" in a PCI DSS compliance program (if you are not yet compliant)
  • "Validated" for PCI DSS (if you have completed and passed the required steps)

In addition to these reports, there are several other reports in TrustKeeper.

  • Compliance Questionnaire Report -- available on the Home page and in the "View Results" page when you have completed a SAQ.  This is described in the SAQ section above.
  • Vulnerability Scan Report -- available on the Home page and in the "View Results" page when you have completed a vulnerability scan.  This is described in the Scan section above.
  • Detailed Audit Report -- available at the top of the "View Results" page, it contains findings (failed items) from both the Compliance Questionnaire Report and Vulnerability Scan Report.
  • TrustKeeper Agent Report -- available through the "TrustKeeper Agents" page as described in the TrustKeeper Agents section above.




© 2002 - 2009. All rights reserved. 2.14.200901021527