In addition to providing secure equipment and configuration options for making your network PCI-compliant, Mako now offers Merchant PCI services to assist you with completing quarterly network vulnerability scans and annual Self-Assessment Questionnaire (SAQ) submissions that are necessary for demonstrating compliance.
Follow this guide to prepare your company to deploy Merchant PCI services to Mako devices at distributed merchant locations using the Mako Central Management System (CMS).
First you will configure company-wide settings and templates, and then you (or your colleagues) will configure the Mako devices for each merchant location.
Once the initial setup is completed, each merchant location can use Merchant PCI services to run vulnerability scans, review their configuration, and complete and file SAQs, while central managers can monitor the PCI Dashboard to ensure that all PCI-compliance activities are occurring as intended throughout your company.
Configure Your Company
Before deploying to merchant locations, it is greatly beneficial to first configure your company. Creating templates at the company level allows you to apply the same settings to multiple Mako devices, i.e. multiple merchant locations.
Step 1. Purchase and Apply Licenses
Each Mako device must have both an active PCI DSS License and an active PCI Enhanced Services License in order to access Merchant PCI services.
You may choose to apply licenses to the distributed Mako devices yourself. See the Licenses documentation for details regarding adding licenses. Alternatively, you may choose to have a user at each merchant location apply the licenses for you.
After the licenses have been applied to a Mako device, you may have access to several new items in the left navigation menu of the Mako CMS that are relevant to Merchant PCI services:
- PCI Dashboard
- [Selected Mako] >> Configure >> Review
- [Selected Mako] >> Configure >> PCI DSS
- Vulnerability Scans
- AP Scans
- Management >> Company >> Manage [Company Name] >> PCI DSS
The exact items available to you will depend on your user account type and access settings.
Step 2. Apply PCI Template
In order to access Merchant PCI services, you must first apply the PCI Template to a Mako device in your network to create an end-to-end, secure network chain in compliance with PCI DSS.
Applying the PCI Template to any Mako in your network will alter your company’s settings to require that all users have multi-factor authentication enabled. It will also alter the Mako’s settings to require multi-factor authentication for all remote VPN access.
It is likely that your company has already applied the PCI Template to Mako devices in your network. If not, use the PCI DSS Wizard (Fig. 2) on the PCI Template page to apply the PCI Template.
Step 3. Create SAQ Templates and SAQ Groups
The Company PCI DSS page (Fig. 3) allows you to manage your company’s SAQ Templates and SAQ Groups to make pre-populated responses and settings available to merchant locations. See the Company PCI DSS documentation for details.
SAQ Templates allow you to pre-fill settings and answers to apply to multiple SAQs, eliminating the need to enter these responses every time you create an SAQ. Also, having multiple templates means you can segment your SAQ responses. For example, you can create separate templates for locations using Gilbarco and for those using Verifone.
SAQ Groups allow you to group related SAQ Templates together, as well as to specify additional settings for submitting SAQs. For example, you can create separate groups of templates for locations using Gilbarco and for those using Verifone and loop in your appropriate compliance personnel for each of those systems.
Using SAQ Templates and SAQ Groups minimizes the effort needed for each merchant location to maintain PCI-compliance.
Step 4. Install and Configure Scanning Devices
Merchant PCI services require installation of a dedicated scanning device in each merchant location’s network and application of firewall settings that allow it to scan restricted zones.
Mako Networks can install and configure these scanning appliances for your company.
Alternatively, your company can elect to self-install the scanning appliances. In this case, Mako Networks will preconfigure and ship a scanning appliance to each merchant location. All a merchant has to do is plug it into the specified port, then call Mako to confirm successful installation.
Configure Each Merchant Location
After you have configured your company, each merchant location’s Mako devices must be configured, as well. See the Deploying Merchant PCI Services to a Merchant Location How To Guide for details.
If you are still building your network and the Mako device have not been registered in the Mako CMS yet, you can save time by creating a “template” Mako that is fully configured to your specifications, then copying that “template” Mako when registering each new device. See the Copy Mako documentation.
Monitor PCI Dashboard
Once you have your company and merchant locations configured, you can use the PCI Dashboard page (Fig. 4) to monitor the status of Merchant PCI activity for merchant locations throughout your company. See the PCI Dashboard documentation for details.
Use the Map View filter dropdown above the map to change the type of data that is displayed in the map and to populate the dynamic secondary filter. Then use the secondary filter links to filter the map data. The data icons on the map are color-coded to match the options in the secondary filter.
The map data is also displayed in the PCI Dashboard Data List below the map. The Customize Columns chooser allows you to customize this list to display a summary of Merchant PCI status.
The filters and columns most relevant to Merchant PCI activity are:
- PCI Template (Applied | Broken | Not Configured | All)
- Scan Status (Pass | Fail | Not Configured | All)
- Config Review Status (Up to date | Nearly expired | Expired | Not Applicable | All)
- SAQ Status (Submitted | Incomplete | Not Started | All)
Using these filters and columns, you can see at a glance whether or not your merchant locations need to take any actions to maintain compliance.
PCI Template Status
In order to access Merchant PCI services, each merchant location’s Mako device must first have the PCI Template applied using the PCI Template page. Any status other than “Applied” requires action.
Vulnerability Scan Status
Each merchant location must pass quarterly network vulnerability scans to be PCI-compliant. See the Vulnerability Scans documentation for details. Any status other than “Pass” requires action.
Configuration Review Status
Each merchant location must review their Mako’s configuration at least once every six months to be PCI-compliant. See the Configuration Review documentation for details. Only Makos with a status of “Expired” or “Nearly Expired” require action.
Each merchant location must submit an annual SAQ to be PCI-compliant. See the SAQ documentation for details. Any status other than “Submitted” requires action.