NewRocket PCI Program Manager for ServiceNow is an out-of-the-box configured PCI Management solution designed for PCI Level 1 Merchant organizations. It allows organizations to rapidly organize, manage and store annual PCI Assessments by Internal Security Assessors (ISA) in collaboration with their Qualified Security Assessor (QSA). It provides continuous management and PCI compliance reporting through actionable remediation alerts by the Internal Security Assessor (ISA) and the team. By readily providing complete visibility into corporate PCI Program compliance status, the organization can provide accurate and detailed communication to all stakeholders.
The PCI 4.0 Program Manager application assists customers with identifying the various assets that make up their PCI Cardholder Data Environment (CDE) and preparing for an annual report on compliance, by organizing all the information related to actively managing the inventory of assets that comprise the PCI CDEs within a client organization. This active management includes leveraging an authoritative inventory of IT assets, people and processes, either from the full CMDB implementation within the client's ServiceNow instance or from a Temporary Asset Inventory provided as part of our application.
Only because ServiceNow dominates the CMDB space is this solution even possible. No such solution existed in the market, because every earlier attempt developed a proprietary asset database and failed just as quickly. NewRocket's PCI Application solves this in two ways:
- First, when a full CMDB is not available, we have introduced a Temporary Asset Inventory that allows clients to load their existing spreadsheet-based inventory directly into one table and get their solution running within weeks (in large part because we ship with the latest PCI DSS content). Of course, clients can start with the full CMDB if they have one populated in ServiceNow.
- With a full inventory of assets within a CDE, the client's internal PCI team can collect evidence that can be shared across multiple CDEs, making the auditor's (QSA) job much faster and more defensible. All related assessments and testing activities are traceable to each PCI requirement and the applicable asset(s), allowing organizations to demonstrate better levels of compliance than exist today (it is estimated that only 29% of organizations remain PCI compliant after first becoming compliant using spreadsheet methods) and to have a plan for sustainment.
The PCI Environment module allows customers to:
- Identify the various assets, processes, and people that make up their PCI CDE(s).
- Collect all the various metadata of the environment for the various assets and processes within a central location, for easier retrieval.
- Scope the various assets and provide justification on whether each asset is in scope.
- Collect the evidence associated with the CDE environment.
The PCI Assessment module allows customers to:
- Perform sampling on various asset types to test controls in place for a subset of those devices.
- Generate test instances from repeatable test templates for selected PCI controls, based on PCI DSS test procedures, as well as custom tests.
- Validate controls using both the defined and the customized approach for implementing and validating PCI DSS.
- Document and remediate any issues identified during the testing procedures.
- Prepare for an external PCI Audit.
This version of PCI Program Manager deals with the changes introduced by version 4.0 of the PCI Data Security Standard (DSS).
PCI DSS is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) that could impact the security of the Cardholder Data Environment (CDE).
This application will assist customers with identifying the various assets that make up their PCI CDE and preparing for an annual Report on Compliance (RoC). It also meets the need for a program that manages a living, ever-changing environment against evolving security requirements (PCI DSS).
The solution has a dependency on the following plugins:
- GRC: Policy and Compliance Management
- Knowledge Document
The PCI 4.0 application is a custom application in which NewRocket has upgraded the previously built PCI 3.2.1 application to support the latest PCI DSS.