Comodo Web Inspector

Version 1.0

PCI FAQ


  • What is PCI DSS?
  • What is the Self Assessment Questionnaire?
  • What are the compliance validation reporting requirements for merchants?
  • To whom do the PCI regulations apply?
  • What is defined as 'cardholder data'?
  • What if a merchant or service provider does not store cardholder data?
  • Are there alternatives, or compensating controls, that can be used to meet a requirement?
  • Are there alternatives to encrypting stored data?
  • What are the compliance validation reporting requirements for merchants?
  • Do merchants need to include their service providers in the scope of their review?
  • What is a network security scan?
  • How often do I have to scan?
  • What reports are provided by Web Inspector PCI scanning service?
  • What criteria cause a Pass or Fail on a PCI scan?
  • What if I fail the PCI scan?
  • Where can I find and complete the Self-Assessment Questionnaire?
  • Where can I find a PCI Approved Scanning Vendor capable of providing quarterly PCI vulnerability scans?
  • What's the deadline for compliance? When must I begin using the new PCI standards?
  • What are the penalties for non-compliance with the PCI standards?
  • Make it easy for me. What do I have to do to become compliant?

What is PCI DSS?


The Payment Card Industry Data Security Standards (PCI DSS) are a set of 12 requirements developed jointly by Visa, MasterCard, JCB International, Discover and American Express to prevent consumer data theft and reduce online fraud. The PCI DSS represents a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.


Compliance and validation of compliance with some or all of the 12 requirements is mandatory for any organization that stores, transmits or processes credit card transactions.

  • The exact number of requirements (out of the 12) that any one organization needs to comply with depends on that organization's 'Validation Type'. An organization's Validation Type is determined by precisely how that organization handles credit card data. There are 5 such 'Validation Types', and every organization that needs to be PCI compliant will be categorized as one of these types (see table 'Validation Types').
  • Once an organization has determined its 'Validation Type' (or the organization has been assigned as a particular validation type by its acquirer) it can complete the Self Assessment Questionnaire (SAQ) and Attestation of Compliance that is appropriate for that 'Validation Type'.

What is the Self Assessment Questionnaire?


The PCI Data Security Standard Self Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).


Comodo has simplified this often confusing process with the Web Inspector PCI Compliance Wizard - an intuitive web-based application that guides merchants through every step of the PCI Self Assessment Questionnaire. Each question is accompanied by expert advice to help the merchant interpret and appropriately answer it. At the end of the wizard you will find out immediately whether or not your answers qualify your organization as PCI compliant.


The wizard will provide:

  • A Questionnaire Summary - listing security control areas on which you failed compliance
  • A custom 'Remediation Plan' for your company containing:
    • A comprehensive list of remedial actions that you need to take to attain full PCI compliance
    • A remediation planning tool enabling task prioritization and project management
    • Links to recommended products and services that will help you cost-effectively resolve non-compliant areas
  • A 'ready-to-submit' PCI DSS Self Assessment Questionnaire

To access the wizard

  • Click the SAQ tab in the Navigation bar of the Web Inspector PCI interface.

The wizard is a four-step process in which you register, select the SAQ type and complete the questionnaire. The final step provides the summary of the SAQ.


Your progress is automatically saved after each question - allowing you to log out and return at a later date to complete the questionnaire. Your free account and responses are retained, giving you an opportunity to revise and modify any of your answers. This also allows you to update, schedule and track the progress of outstanding remediation tasks.


What are the compliance validation reporting requirements for merchants?


Under the new PCI standard, the compliance validation requirements of the old VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the appropriate annual self assessment questionnaire (and accompanying attestation of compliance) and possibly the quarterly PCI scan compliance report.


To whom do the PCI regulations apply?


The PCI DSS standards apply to all entities that process, store or transmit cardholder data. This includes all merchants and service providers with external-facing IP addresses that handle, store or transmit credit card data. Even if your website does not offer website-based transactions (for example, you link to a payment gateway), there are other services that may make card data accessible. Basic functions such as e-mail and employee Internet access result in the Internet accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.


What is defined as 'cardholder data'?


Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.


What if a merchant or service provider does not store cardholder data?


If a merchant or service provider does not store cardholder data, the PCI requirements still apply to the environment that transmits or processes cardholder data.


Are there alternatives, or compensating controls, that can be used to meet a requirement?


If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined by the PCI DSS. Compensating controls should meet the intention and rigor of the original PCI requirement, and should be examined by the assessor as part of the regular PCI compliance audit.


Are there alternatives to encrypting stored data?


Stored cardholder data should be rendered unreadable according to requirement 3 of the PCI Security Audit Procedures document. If encryption, truncation, or another comparable approach cannot be used, encryption options should continue to be investigated as the technology is rapidly evolving. In the interim, while encryption solutions are being investigated, stored data must be strongly protected by compensating controls.


An example of compensating controls for encryption of stored data is complex network segmentation that may include the following:

  • Internal firewalls that specifically protect the database
  • TCP wrappers or firewall on the database to specifically limit who can connect to the database
  • Separation of the corporate internal network on a different network segment from production, firewalled away from database servers.
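The second bullet above (TCP wrappers on the database host to limit who can connect) only works if the deny rule is actually present: tcpd consults hosts.allow first, then hosts.deny, and grants access when neither file matches. The following is an added example, not Comodo's code, that models those hosts_access(5) semantics for a subset of the syntax (ALL, address/netmask, address/prefix, trailing-dot prefixes and exact addresses) and evaluates a weak configuration (allow list only) beside a hardened one (allow list plus default deny). The daemon name, subnets and client addresses are constructed for illustration.

```python
"""Model of TCP wrappers (hosts.allow / hosts.deny) decisions for a database daemon.

Added example, not part of Comodo's documentation. Rules, subnets and client
addresses below are constructed; "mysqld" is used as a hypothetical daemon name.
"""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    daemon: str      # daemon name from the left of the colon, or "ALL"
    clients: tuple   # client patterns from the right of the colon


def _client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern against an IPv4 address (subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # a.b.c.d/m.m.m.m or a.b.c.d/prefix
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # "10.0.1." matches 10.0.1.x
        return client_ip.startswith(pattern)
    return client_ip == pattern             # exact address


def parse_rules(text: str) -> list:
    """Parse 'daemon: client, client' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, clients = line.split(":", 1)
        rules.append(Rule(daemon.strip(), tuple(c.strip() for c in clients.split(","))))
    return rules


def _any_match(rules: list, daemon: str, client_ip: str) -> bool:
    return any(
        r.daemon in ("ALL", daemon) and any(_client_matches(p, client_ip) for p in r.clients)
        for r in rules
    )


def access_allowed(hosts_allow: str, hosts_deny: str, daemon: str, client_ip: str) -> bool:
    """tcpd order: hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if _any_match(parse_rules(hosts_allow), daemon, client_ip):
        return True
    if _any_match(parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


# Constructed configurations: only the application subnet and localhost may reach the database.
APP_TIER_ALLOW = """
# Application tier and local administration may reach the database
mysqld: 10.0.1.0/255.255.255.0, 127.0.0.1
"""
WEAK_HOSTS_DENY = ""            # no default deny, so every unmatched client falls through to 'allow'
HARDENED_HOSTS_DENY = "ALL: ALL"  # default deny for every daemon and every client

# Constructed sample clients.
SAMPLE_CLIENTS = {
    "app-server": "10.0.1.20",
    "corporate-workstation": "10.0.2.50",
    "internet-host": "203.0.113.7",
}


def evaluate(hosts_allow: str, hosts_deny: str, daemon: str = "mysqld") -> dict:
    """Access decision for each sample client under the given pair of files."""
    return {name: access_allowed(hosts_allow, hosts_deny, daemon, ip)
            for name, ip in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    print("weak    :", evaluate(APP_TIER_ALLOW, WEAK_HOSTS_DENY))
    print("hardened:", evaluate(APP_TIER_ALLOW, HARDENED_HOSTS_DENY))
```

With the allow list alone, every client (including the corporate workstation and the Internet host) is admitted, because nothing in hosts.deny matches; adding `ALL: ALL` to hosts.deny restricts the database to the application subnet. TCP wrappers only protect daemons that are linked against libwrap or started through tcpd, so a host firewall rule limiting the database port to the same subnet is the usual companion control.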

What are the compliance validation reporting requirements for merchants?


Under the new PCI standard, the compliance validation requirements for merchants of the VISA CISP and MasterCard SDP programs have been aligned so that merchants need only validate their compliance once to fulfill their obligation to all payment cards accepted. Merchants will provide compliance validation documentation to their Acquirer(s). Compliance validation documentation consists of the annual self assessment questionnaire and the quarterly PCI scan compliance report.


Do merchants need to include their service providers in the scope of their review?


No. Service providers are responsible for validating their own compliance with PCI regulations independent of their customers.


What is a network security scan?


A Network Security Scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by qualified scan vendors such as Comodo the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.


How often do I have to scan?


Every 90 days / once per quarter. Merchants and Service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI Approved Scanning Vendor (ASV). Comodo is a PCI Approved Scanning Vendor.


What reports are provided by Web Inspector PCI scanning service?


Web Inspector PCI Scan Control service provides two reports after each scan - the Audit Report and the PCI Compliance Report. The PCI Compliance Report is the one you need to submit to your acquiring bank to demonstrate compliance. The Audit Report is a more technical document used to identify and remediate any security holes.


What criteria cause a Pass or Fail on a PCI scan?


Each post-scan Web Inspector PCI vulnerability report states a PCI compliance status of 'Compliant' or 'Not Compliant' based on the discovery of potential security flaws on your systems.


If no vulnerabilities with a CVSS base score greater than 4.0 are detected then the scanned IP addresses, hosts and Internet connected devices have passed the test and the report can be submitted to your acquiring bank.


If the report indicates 'Not Compliant' then the merchant or service provider must remediate the identified problems and re-run the scan until compliance is achieved.


What if I fail the PCI scan?


If your Web Inspector PCI Scan Compliance Report indicates 'NOT COMPLIANT' then vulnerabilities with CVSS base score greater than 4.0 were discovered on your externally facing IP addresses. The accompanying Audit Report contains a detailed synopsis of each vulnerability prioritized by threat severity. Each discovered vulnerability is accompanied with solutions, expert advice and cross referenced links to help you fix the problem. You should fix all vulnerabilities identified as a 'Security Hole'.


Furthermore, each report contains a condensed, PCI specific, 'Mitigation Plan' - a concise, bulleted list of actions that you need to take to achieve compliance.


After completing the actions specified in the Mitigation Plan you should run another scan until the report returns a 'COMPLIANT' status.
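The pass/fail rule and the Mitigation Plan described in the two questions above can be expressed as a small decision routine. The following is an added example, not Comodo's code and not the format of a Web Inspector report: it applies the stated rule (a finding with a CVSS base score strictly greater than 4.0 fails the scan) to a constructed set of findings, reports each host's status, and orders the failing findings highest severity first. The hosts, finding titles and scores are constructed for illustration.

```python
"""Apply the PCI scan pass/fail rule to a constructed scan result.

Added example, not Comodo's code. Hosts, titles and CVSS scores are constructed.
"""

from dataclasses import dataclass

PCI_FAIL_THRESHOLD = 4.0  # findings strictly above this CVSS base score fail the scan


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float


# Constructed sample findings; a score of exactly 4.0 is deliberately included
# to show that the rule is "greater than 4.0", not "4.0 or more".
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "TLS 1.0 enabled on HTTPS service", 4.3),
    Finding("203.0.113.10", "HTTP TRACE method enabled", 5.8),
    Finding("203.0.113.11", "Banner discloses server version", 2.6),
    Finding("203.0.113.11", "Self-signed certificate", 4.0),
]


def failing_findings(findings, threshold=PCI_FAIL_THRESHOLD):
    """Findings that on their own produce a 'Not Compliant' result."""
    return [f for f in findings if f.cvss_base > threshold]


def host_status(findings, threshold=PCI_FAIL_THRESHOLD):
    """Map each host that appears in the findings to 'Compliant' or 'Not Compliant'."""
    status = {f.host: "Compliant" for f in findings}
    for f in failing_findings(findings, threshold):
        status[f.host] = "Not Compliant"
    return status


def overall_status(findings, threshold=PCI_FAIL_THRESHOLD):
    """The report may be submitted to the acquirer only when every host passes."""
    return "COMPLIANT" if not failing_findings(findings, threshold) else "NOT COMPLIANT"


def mitigation_plan(findings, threshold=PCI_FAIL_THRESHOLD):
    """Failing findings as a to-do list, highest CVSS base score first."""
    ordered = sorted(failing_findings(findings, threshold),
                     key=lambda f: (-f.cvss_base, f.host, f.title))
    return [f"{f.host}: {f.title} (CVSS {f.cvss_base})" for f in ordered]


if __name__ == "__main__":
    print("Overall:", overall_status(SAMPLE_FINDINGS))
    for host, status in sorted(host_status(SAMPLE_FINDINGS).items()):
        print(f"  {host}: {status}")
    print("Mitigation Plan:")
    for item in mitigation_plan(SAMPLE_FINDINGS):
        print("  •", item)
```

Once the two items in the plan are fixed and the scan re-run, the same routine returns COMPLIANT for the sample, which is the point at which the report can go to the acquiring bank. Lower-scored findings such as the version banner do not block compliance but still appear in the Audit Report and are worth fixing.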


Where can I find and complete the Self-Assessment Questionnaire?


Web Inspector PCI, in partnership with Panoptic Security, provides a free wizard that guides merchants and service providers through each stage of the self-assessment questionnaire. More details on the wizard can be found here.


Merchants have to answer all questions with 'Yes' or 'N/A' to be considered PCI compliant. Answering 'No' to any question means the merchant or service provider is not compliant. The risk(s) identified by the questionnaire must be remediated and the questionnaire retaken. After creating a user name and password, merchants can save their progress at any time. Following successful completion of the questionnaire, merchants will be provided with official certification that can be submitted to their acquirer.


Where can I find a PCI Approved Scanning Vendor capable of providing quarterly PCI vulnerability scans?


Right here!! Comodo Web Inspector PCI offers a range of PCI compliance services designed for merchants and service providers of all sizes. Click here to find out more.


What's the deadline for compliance? When must I begin using the new PCI standards?


The Payment Card Industry Standards, Security Audit Procedures, Self-Assessment Questionnaire, and Security Scanning Requirements are effective immediately.


What are the penalties for non-compliance with the PCI standards?


Validation and enforcement are the responsibility of the acquiring financial institution or payment processor.


For each instance of non-compliance, these organizations levy various penalties onto merchants and service providers which can include:

  • Increased transaction processing fees
  • Fines of more than $500,000 for serious breaches
  • Suspension of credit card transaction processing abilities

Comodo Web Inspector provides a range of services that make PCI compliance easy. Find out which service is right for you at http://www.webinspector.com/


Make it easy for me. What do I have to do to become compliant?


1. Complete the PCI Self-Assessment Questionnaire using our free online wizard after logging in to the Web Inspector PCI service.

  • Preliminary questions will help you to determine which 'validation type' your company fits into and therefore which of the 4 self-assessment questionnaires you need to complete.
  • Each of the questions is accompanied by expert help, information and advice that will help you to both interpret the question correctly and provide the appropriate answer.
  • Once the wizard is complete, you will receive:
    • A questionnaire summary detailing any control areas on which you failed compliance
    • A custom 'Remediation Plan' for your company containing a list of remedial actions that you need to take alongside links to recommended products and services that will help you resolve non-compliant areas
    • A 'ready-to-submit' PCI DSS Self Assessment Questionnaire which will include your completed 'Attestation of Compliance'

2. Conduct quarterly vulnerability scans on your externally facing IP addresses


If your organization is required to be compliant with section 11.2 of the PCI standard then you will also need to obtain quarterly vulnerability scans on your network.


Web Inspector PCI will conduct an in-depth audit of your network to detect vulnerabilities on your network and web server. If your servers fail the test, you will find many helpful advisories in the scan report that will help you patch the security holes.


After your infrastructure passes the scan, Web Inspector PCI will automatically generate the PCI Compliance Report that you need to send to your acquiring bank to demonstrate your compliance.

Find out more about Web Inspector PCI Scanning Services


3. Send the completed questionnaire, attestation and the Scan Compliance report to your acquirer.


Both the PCI Scan Compliance Report and the Annual Self Assessment Questionnaire should be turned in to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.


© Comodo Group, Inc. 2023. All rights reserved.