Whitepaper: 4 Best Practices for Building PCI DSS Compliant Networks


Cardholder data is a lucrative and tempting target for cyber criminals. Recent, highly publicized breaches in which attackers broke into trusted retailers and stole cardholder data are powerful reminders that any firm that stores, processes, or transmits cardholder data must take strict measures to protect it.

To foster greater protection for cardholder data worldwide, the PCI Security Standards Council was formed. The council is governed by the major payment card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. More than 650 merchants, banks, processors, and vendors also participate in it. The council publishes the Payment Card Industry Data Security Standard (PCI DSS). Each payment card brand adopts the standard and mandates it as a condition of using that brand's service; as a result, each brand also enforces compliance among its constituent merchants and financial institutions.

PCI DSS groups its requirements under six broad goals:

1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

Within each goal, PCI DSS sets out the operational and technical requirements to be met. The standard is updated regularly: in late 2013 the PCI Security Standards Council released PCI DSS version 3.0, which became effective on January 1, 2014.

Complication

PCI DSS 3.0 defines security objectives, but it does not prescribe the specific security controls or how those controls are to be implemented. In other words, it defines the what, but not the how. Each organization must therefore work out not only how to implement PCI DSS 3.0 in its own environment, but also how to demonstrate compliance. Deploying a firewall, intrusion detection, anti-virus, patch management, and related technologies is not sufficient on its own; these technical controls satisfy PCI DSS objectives only when they are operated together with the necessary operational controls.

Implications

The consequences of non-compliance are severe. As recent breaches of trusted retailers have shown, consumer backlash is harsh and can cause tremendous erosion of brand and shareholder equity. That is not all: violators may also suffer losses from business interruption, fixed and variable penalties, the cost of investigations and forensics, and the liability and legal cost of defending lawsuits.

Target recently became a victim of data theft in which criminals accessed the credit and debit card information of an estimated 40 million individuals. The attackers also obtained customer names, mailing addresses, email addresses, and phone numbers. The incident did significant damage to the company's image and business. Before Target, Adobe Systems revealed that the sensitive personal data of 2.9 million customers had been stolen in a breach; the stolen data, including encrypted credit card information, was later posted online. Further investigation showed that Adobe had not followed best practice for protecting passwords, storing them with a weak, reversible encryption method instead of hashing them, which made it an easy target.

Confidential data can be breached by insiders as well as outsiders. Employees directly involved in the payment process, such as cashiers, bank tellers, and restaurant staff, are often the source of internal incidents. In networks with many critical devices, lack of knowledge or lack of policy enforcement leaves the door open to attack: choosing weak passwords, clicking phishing links, or sharing company information on social or public platforms can all expose the network to external attackers.

Recommendations

Companies and institutions that must comply with PCI DSS should constantly look for ways to achieve compliance consistently while saving time and cost. The following best practices are often overlooked.

1. Network Segmentation

One of the primary requirements of PCI DSS is to build and maintain a secure network and systems. You can reduce both your exposure to threats and the cost of implementing and auditing PCI DSS security controls by confining cardholder data to specific systems and carefully controlling access to those systems.

This is achieved by partitioning the internal network with firewalls and routers. For example, placing all cardholder data inside its own security zone, behind perimeter firewalls and routers, lets a company restrict access to authorized users only. The network administrator allocates every cardholder data repository to one network segment identified as a security zone (for example, Customer Data), then writes security controls that permit only specific authorized users to reach the Customer Data zone, preventing unauthorized internal or external access to the data stored in that segment. These segments can also be presented readily in compliance reports. The smaller the scope of an audit, the less effort, documentation, time, resources, and money the audit requires. Bear in mind that segmentation reduces scope only when it is effective: any system that can still connect into the cardholder data zone remains in scope, so the controls between zones must be verified, not merely documented.
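The segmentation policy described above is only as good as the rules that enforce it. The following added example (not code from the SolarWinds whitepaper) models a Cisco IOS-style extended ACL protecting a constructed Customer Data zone and tests it with the flows that must be allowed and the flows that must be denied, which is the check to run before treating the rest of the network as out of scope. All addresses, the zone layout and the ACL entries are assumptions for illustration.

```python
"""Verify that a cardholder-data-zone ACL really isolates the zone.

Added example; not code from the SolarWinds whitepaper. Simulates the first-match
semantics of a Cisco IOS extended ACL (including the implicit deny at the end)
against positive and negative test flows. Addresses and entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                   # "tcp", "udp" or "ip"
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for non-TCP/UDP traffic


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any port
    log: bool


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS writes 'address wildcard'; the wildcard is the bitwise inverse of the netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return the network and next index."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the entries of one IOS extended ACL, in order; comments and the header are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        if tokens[0].isdigit():          # optional sequence number
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, i = _endpoint(tokens, 2)
        dst, i = _endpoint(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
            i += 2
        aces.append(Ace(action, proto, src, dst, dport, "log" in tokens[i:]))
    return aces


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, Optional[Ace]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for ace in aces:
        if ace.proto not in ("ip", flow.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace
    return "deny", None


# Constructed policy: 10.1.50.0/24 is the Customer Data zone, 10.1.20.0/24 the payment
# application tier, 10.1.99.10 the management jump host.
CDE_INBOUND = """
ip access-list extended CDE-INBOUND
 ! only the payment application tier may reach the cardholder-data database
 10 permit tcp 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255 eq 5432
 ! administrators reach zone hosts over SSH, and only from the jump host
 20 permit tcp host 10.1.99.10 10.1.50.0 0.0.0.255 eq 22
 ! everything else into the zone is dropped; stated explicitly so that it is logged
 30 deny ip any 10.1.50.0 0.0.0.255 log
"""


def check_segmentation(aces: List[Ace]) -> Dict[str, bool]:
    """Required-allow and required-deny flows; True means the policy did what the design requires."""
    cases = {
        "app tier to database":      (Flow("tcp", "10.1.20.15", "10.1.50.5", 5432), "permit"),
        "jump host ssh":             (Flow("tcp", "10.1.99.10", "10.1.50.5", 22), "permit"),
        "corporate LAN to database": (Flow("tcp", "10.1.10.44", "10.1.50.5", 5432), "deny"),
        "app tier ssh":              (Flow("tcp", "10.1.20.15", "10.1.50.5", 22), "deny"),
        "guest wifi any protocol":   (Flow("ip", "10.1.30.7", "10.1.50.5"), "deny"),
    }
    return {name: evaluate(aces, flow)[0] == want for name, (flow, want) in cases.items()}
```

The negative cases matter as much as the positive ones: an ACL that permits the application tier but forgets the final deny, or places a broad permit above it, passes every "does it work" test and still leaves the zone in scope for the whole network. Keeping these flows as a regression test lets you re-run the check after every ACL change.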

2. Network Security Basics

Perimeter defenses are undermined when fundamental weaknesses persist inside the network. These can be mitigated as follows.

Use Secure Protocols

Secure Shell (SSH) authenticates the client and server with digital signatures and encrypts all traffic between them. Device usernames and passwords sent unencrypted over the network, for example over Telnet, are trivially captured by anyone on the path; using SSH for remote shell login to network devices greatly reduces this threat. Because every packet is encrypted under keys known only to the two endpoints, attempts to spoof the identity of either side of the session fail, provided the client actually verifies the device's host key rather than accepting an unknown key. Use SSH version 2; version 1 has known protocol weaknesses.

SNMPv3 addresses the weak authentication of SNMPv1 and SNMPv2c, which rely on a community string sent in clear text. By adding message-level security, SNMPv3 provides confidentiality, integrity, and authentication, which are required to perform network management operations securely. Poll and monitor devices with SNMPv3 in authPriv mode, so that traffic is both authenticated and encrypted, and use that monitoring to detect unauthorized connections to network devices.

Log ACLs

Logging access control list (ACL) activity gives insight into traffic as it traverses the network or is dropped by network devices. If a device is under attack, the volume of system messages for denied packets can be very large, so rate-limit ACL logging and forward it to a central syslog collector rather than relying on the device's buffer. ACL logs help detect anomalies in network traffic and determine whether an attack has occurred.

Review Vendor Defaults and Disable Unnecessary Services

A network device that is configured and left running with its default settings is a serious security risk. The primary threat is default passwords: they are public knowledge, so unauthorized users can easily gain access to your network. Default logins and services exist only to complete the initial setup of the device; once the device is installed, change the default credentials immediately and disable every service that is not needed, such as Telnet, HTTP management, and SNMP with default community strings.

Regularly Archive Device Configuration Files

Device configurations are not easy to build. They sometimes run to thousands of lines and are fine-tuned over a long period. Making a configuration change without a backup, and later discovering that the change caused a network problem, wastes valuable administrator time and hard work. Just as any important data is backed up, configuration files must be archived for disaster recovery, especially for critical network devices.

Network Architecture

Separating management services from the production segment of the network reduces the chance that an attacker who reaches production systems can also reach the devices that control them. Designing the network to carry management traffic such as SNMP, SSH, and syslog on a separate path (a dedicated management VLAN or an out-of-band network) gives security engineers the flexibility to permit the informational protocols and deny suspicious traffic, reducing the opportunity for a breach.

3. Business-as-Usual

Meeting PCI DSS objectives is an ongoing process. Technical controls lose their effect over time as human errors occur, new vulnerabilities are discovered, and networks evolve. To keep technical controls effective, implement supporting operational controls. The following processes should be adopted.

Inventory and manage router and switch lifecycles
Know what is running in your network. Take an inventory of network devices, especially critical routers and switches. Keep IOS and firmware updated and periodically review device configurations for compliance with current security controls. Create configuration baselines against which device configurations can be compared to ensure that regulatory standards are met. Keep device data up to date and confirm that no obsolete devices remain that could open vulnerabilities in the network.

Properly configure and test new devices prior to deployment
Before deployment, every device configuration change must go through an approval process to ensure that recommended guidelines are followed and security controls are satisfied. Test the device with the new configuration and confirm that the change does not disrupt network operations. Keep the last known good configuration ready so that, if there is a problem, you can restore the network to its previously stable state.

Review, approve, and schedule subsequent configuration changes
All configuration changes must go through an approval process so that anything missed or overlooked can be corrected. Having configurations reviewed helps ensure that all required policy controls are met; otherwise they can be bypassed, intentionally or through negligence. Repetitive tasks such as frequent configuration changes and backups can be scheduled to run without administrator intervention, which saves time and reduces human error.

Automate changes for speed and accuracy
Repetitive and bulk tasks can be automated to save time and increase accuracy. Bulk password changes, SNMP community string changes, VLAN changes, and the like across hundreds of multi-vendor devices can consume all of an administrator's time. Automation frees the administrator to spend that time on other network management activities and removes the tedious but important configuration changes in which even the smallest error can bring business operations to a halt.

Create and maintain configuration archives for disaster recovery
No one can prevent a disaster, but preparing for one is the next best thing. Having all configurations stored, catalogued, and backed up lets you recover from a hardware failure or a bad configuration change in minutes instead of hours. Major downtime caused by a configuration change can be averted by quickly reverting to the previous configuration.

Assess device compliance according to operational and regulatory policy
Device compliance is not a one-time task to be implemented and then forgotten. Compliance with internal and external controls must be maintained throughout, and assessed and monitored continuously. The network is constantly changing; to stay protected, assess policy effectiveness and compliance with security controls regularly and frequently.

4. Save Time and Improve Results by Using Purpose-built Tools

Building and maintaining a secure network is critical to achieving PCI DSS compliance. It requires a mix of operational and technical controls, not only to implement and maintain proper network segmentation and compliance, but to do so within a mature day-to-day IT management framework. An automated solution provides value in the following ways:

- Configure and maintain standardized configurations for routers and switches
- Consistently enable secure services such as SSH, SNMPv3, and ACLs
- Disable default and unnecessary services
- Review and approve configuration changes prior to deployment
- Use reusable change templates to bulk-deploy configuration changes quickly and consistently
- Monitor device configurations for unauthorized change
- Remediate non-compliant changes
- Archive and organize device configurations
- Design network architecture for security and ease of management
- Restore or roll back failed devices and bad configuration changes
- Assess device configurations for compliance with technical controls and facilitate audits and certification
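The basics in section 2 (SSH only, SNMPv3 with privacy, logged ACL denies, no default community strings or unneeded services) and the comparison against a configuration baseline called for in section 3 can be reduced to a rule set run against each device's pulled configuration. The following added example, not code from the whitepaper and not NCM's rule engine, does that for a constructed IOS-style configuration and for its remediated counterpart; the rule names, the sample configurations and the report format are assumptions for illustration.

```python
"""Assess a router/switch running-config against a PCI-oriented configuration baseline.

Added example; not code from the SolarWinds whitepaper and not NCM's rule engine.
The rules encode secure management protocols, vendor defaults and unnecessary
services, and ACL logging. Both sample configurations are constructed.
"""
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed config with several typical violations.
SAMPLE_CONFIG = """\
hostname cde-edge-rtr1
service password-encryption
ip domain-name example.internal
ip ssh version 2
snmp-server community public RO
snmp-server community s3cr3tRW RW
snmp-server group NMS-GRP v3 priv
ip http server
ip access-list extended CDE-INBOUND
 permit tcp 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255 eq 5432
 deny ip any 10.1.50.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same device after remediation: SNMPv3 authPriv only, HTTP management off,
# SSH-only vty access, logged deny. Secrets are placeholders.
REMEDIATED_CONFIG = """\
hostname cde-edge-rtr1
service password-encryption
ip domain-name example.internal
ip ssh version 2
no ip http server
snmp-server group NMS-GRP v3 priv
snmp-server user nms-poller NMS-GRP v3 auth sha AUTH-SECRET priv aes 128 PRIV-SECRET
ip access-list extended CDE-INBOUND
 permit tcp 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255 eq 5432
 deny ip any 10.1.50.0 0.0.0.255 log
line vty 0 4
 transport input ssh
 login local
"""


def check_config(config: str) -> List[Finding]:
    """Return one finding per violated rule instance; an empty list means the config passes."""
    lines = config.splitlines()
    findings: List[Finding] = []

    def fail(rule: str, detail: str) -> None:
        findings.append({"rule": rule, "detail": detail})

    # Management access: SSH version 2 enabled, and vty lines accept SSH only (no Telnet).
    if "ip ssh version 2" not in lines:
        fail("ssh-v2", "ip ssh version 2 is not configured")
    for ln in lines:
        m = re.match(r"\s+transport input (.+)$", ln)
        if m and m.group(1).split() != ["ssh"]:
            fail("vty-ssh-only", f"vty transport allows: {m.group(1)}")

    # SNMP: no v1/v2c community strings at all (default or otherwise); v3 groups must use priv.
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)", ln)
        if m:
            kind = "default" if m.group(1).lower() in ("public", "private") else "v1/v2c"
            fail("snmp-v3-only", f"{kind} community string configured: {ln}")
        m = re.match(r"snmp-server group \S+ v3 (\S+)", ln)
        if m and m.group(1) != "priv":
            fail("snmp-v3-priv", f"SNMPv3 group without privacy: {ln}")

    # Vendor defaults and unnecessary services. Note that password-encryption only
    # obfuscates (type 7); it keeps passwords out of clear text, nothing more.
    if "ip http server" in lines:
        fail("no-http", "HTTP management interface is enabled")
    if "service password-encryption" not in lines:
        fail("password-encryption", "passwords would be stored in clear text")

    # ACL logging: every deny entry must carry the log keyword.
    for ln in lines:
        s = ln.strip()
        if s.startswith("deny ") and not s.endswith(" log"):
            fail("acl-deny-log", f"deny entry without log: {s}")
    return findings


def compliance_report(config: str) -> Dict[str, object]:
    """Summary in the shape an auditor wants: pass/fail, count, and which rules failed."""
    findings = check_config(config)
    return {
        "compliant": not findings,
        "violations": len(findings),
        "rules_failed": sorted({f["rule"] for f in findings}),
        "findings": findings,
    }
```

Run against every archived configuration on a schedule and the output is the violation list the compliance report in section 4 describes; run against a proposed configuration before it is pushed, it is the pre-deployment check from section 3.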

SolarWinds Network Configuration Manager (NCM) is a Network Change and Configuration Management (NCCM) solution that automates compliance management and saves a great deal of administrator time. NCM supports continuous monitoring, replacing point-in-time audits with a continuous view of the state of the network. In line with the four best practices above, NCM can reduce the time and effort needed for the following tasks:

- Ensure that all new devices inducted into the network are compliant: standardized configuration templates
- Review and approve all configuration changes before they are applied: configuration change request and approval
- Know whenever there is a configuration change in the network: real-time configuration change detection
- Quickly roll back bad or unwanted configuration changes before they cause network downtime: configuration archives
- Easily audit configurations and ensure they are compliant with PCI requirements: PCI compliance report

Ensure that all new devices inducted into the network are compliant
NCM lets you create standardized configuration templates that can be used as-is, or as a baseline for new devices inducted into the network. Frequent configuration changes such as VLAN changes, ACL changes, and password changes can also be standardized as templates. This eliminates the need to build and check the configuration from scratch on every occasion; administrators can execute a new device configuration or a change quickly and without errors. Templates can also be imported from thwack, the SolarWinds user community.

[Figure: Create standard templates for frequent changes; standardize frequently used configurations and configuration changes; import templates from thwack]

Review and approve all configuration changes before they are applied
Device configurations change frequently, and any bad or unauthorized change can cause network downtime. PCI requires that configuration changes be approved before they are implemented, which helps avert unwarranted changes and errors that create security gaps and downtime. With NCM, you can ensure that all configuration changes go through approval before they are applied. You can also create permission levels to restrict access and assign rights for specific tasks, and NCM records who changed what in the network.

[Figure: Set up a workflow to approve configuration changes; assign user roles and permissions to manage tasks]

Know when there is a configuration change in the network
With so many changes happening in the network, it is important to know which configuration changed where, and whether those changes comply with regulatory standards. Troubleshooting time drops considerably when network downtime can be correlated with a recent configuration change, but that is only possible if administrators are notified of every configuration change. NCM's real-time configuration change detection raises an alert whenever a configuration changes.

[Figure: Receive alerts on all configuration changes in the network; view detailed information on changes made to the device; identify devices with changed configurations]

When a change causes a problem, administrators can also compare configurations with baselines. NCM highlights the configuration lines that were changed, added, and deleted, so the error can be located and fixed quickly.

[Figure: Compare changes and rectify errors; identify configuration file changes]

Quickly roll back unwanted configuration changes before they cause network downtime
Human error is common, and there is always a chance that something goes wrong after a new configuration or a configuration change is pushed to a device. In that case the fastest, safest way to reduce downtime is to replace the faulty configuration with the last known good configuration from backup. Regular, current backups also help when a device fails outright: the administrator racks the replacement, loads the configuration file from backup, and has the device running again in minutes. With NCM you can automate backups and schedule them according to your requirements.

[Figure: Upload a configuration from the archive; roll back a configuration]

Easily audit configurations and ensure they are compliant with PCI requirements
PCI has a set of requirements that apply specifically to network devices. With tens, hundreds, or even thousands of devices in the network, manually checking each one for compliance is a herculean task. Because PCI plays a vital role in securing cardholder data, satisfying these mandates is not a one-time activity; compliance must be monitored continuously. NCM automates the audit process and greatly reduces the administrator effort needed to maintain compliance. The PCI Compliance report can be run periodically; instead of checking manually for non-compliance, the report lists all violations, which the administrator can then document and fix.

[Figure: PCI Compliance report lists all devices that are in violation so that they can be documented and fixed]
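Behind the change-detection, baseline-comparison and rollback items above sits one comparison: the running configuration against the archived baseline. The following added example (not code from the whitepaper and not how NCM implements change detection) shows the three steps a practitioner wants in that comparison: discard volatile lines such as save timestamps so scheduled backups do not raise false alarms, diff the running config against the last approved archive, and mark any added or removed line that the approved change ticket does not cover as unauthorized, returning the archive as the rollback candidate. The sample configurations and the ticket contents are constructed.

```python
"""Detect configuration drift against the archived baseline and classify it.

Added example; not code from the SolarWinds whitepaper and not how NCM detects
changes. Sample configurations and the approved-change ticket are constructed.
"""
import difflib
import hashlib
import re
from typing import Dict, List, Tuple

# IOS writes timestamps into the config on every save; they are not real changes.
VOLATILE = re.compile(r"^! (Last configuration change|NVRAM config last updated)")

ARCHIVED_BASELINE = """\
! Last configuration change at 09:12:41 UTC Mon Mar 3 2014
hostname cde-edge-rtr1
ip ssh version 2
ip access-list extended CDE-INBOUND
 permit tcp 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255 eq 5432
 deny ip any 10.1.50.0 0.0.0.255 log
line vty 0 4
 transport input ssh
"""

# Same content, newer save timestamp: must not raise a change alert.
RUNNING_RESAVED = ARCHIVED_BASELINE.replace("09:12:41 UTC Mon Mar 3", "10:02:07 UTC Tue Mar 4")

# An approved ACL addition plus an unauthorized SNMP community string.
RUNNING_CHANGED = """\
! Last configuration change at 10:02:07 UTC Tue Mar 4 2014
hostname cde-edge-rtr1
snmp-server community public RO
ip ssh version 2
ip access-list extended CDE-INBOUND
 permit tcp 10.1.20.0 0.0.0.255 10.1.50.0 0.0.0.255 eq 5432
 permit tcp host 10.1.20.30 10.1.50.0 0.0.0.255 eq 5432
 deny ip any 10.1.50.0 0.0.0.255 log
line vty 0 4
 transport input ssh
"""

# What the approved change ticket says may be added or removed (constructed).
APPROVED_TICKET = {
    "add": [" permit tcp host 10.1.20.30 10.1.50.0 0.0.0.255 eq 5432"],
    "remove": [],
}


def normalize(config: str) -> List[str]:
    """Drop volatile lines and trailing whitespace so only real configuration is compared."""
    return [ln.rstrip() for ln in config.splitlines() if not VOLATILE.match(ln)]


def fingerprint(config: str) -> str:
    """Cheap first-stage check: equal fingerprints mean nothing substantive changed."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff_lines(baseline: str, running: str) -> Tuple[List[str], List[str]]:
    """Lines added to and removed from the baseline, in configuration order."""
    added, removed = [], []
    for ln in difflib.unified_diff(normalize(baseline), normalize(running), lineterm="", n=0):
        if ln.startswith(("---", "+++", "@@")):
            continue
        if ln.startswith("+"):
            added.append(ln[1:])
        elif ln.startswith("-"):
            removed.append(ln[1:])
    return added, removed


def classify_change(baseline: str, running: str, ticket: Dict[str, List[str]]) -> Dict[str, object]:
    """Compare the running config to the archive; anything outside the ticket is unauthorized,
    and the archived baseline is returned as the rollback candidate."""
    if fingerprint(baseline) == fingerprint(running):
        return {"changed": False, "added": [], "removed": [], "unauthorized": [], "rollback": None}
    added, removed = diff_lines(baseline, running)
    unauthorized = [("+", ln) for ln in added if ln not in ticket["add"]]
    unauthorized += [("-", ln) for ln in removed if ln not in ticket["remove"]]
    return {
        "changed": True,
        "added": added,
        "removed": removed,
        "unauthorized": unauthorized,
        "rollback": baseline if unauthorized else None,
    }
```

A real rollback would push the returned baseline back to the device; here the function only returns it so the decision logic can be tested offline. The fingerprint is what a scheduled backup job compares on every run, and the line-level diff is what goes into the alert so the administrator sees exactly which lines changed rather than just that something did.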

Summary

PCI DSS compliance means providing a defined level of security for consumers' payment card data. PCI compliance helps you:

- Mitigate the fundamental security weaknesses that undermine perimeter network defenses
- Prevent unauthorized internal or external access to confidential data
- Follow important network device management best practices
- Proactively prevent security breaches and safeguard company reputation and revenue

Cardholder data is an extremely lucrative target for attackers, and losing any of it can be catastrophic. PCI DSS provides reasonable and effective measures to protect this sensitive data while it is stored on a corporate network. As threats grow in frequency and sophistication, security measures and attitudes must evolve with them; accordingly, PCI DSS 3.0 expands both the scope and the type of controls required to secure an IT environment. Organizations must recognize that PCI security is more than locking down a server, installing a firewall, and passing a perfunctory audit. Adopting mature network security practices and incorporating them into day-to-day IT operations is critical. As this approach takes hold, network and security administrators will appreciate how network configuration tools can give them consistent network security baselines and let them apply security measures with less effort.

SolarWinds, Inc. All rights reserved. SolarWinds, the SolarWinds logo, ipmonitor, LANsurveyor, and Orion are among the trademarks or registered trademarks of the company in the United States and/or other countries. All other trademarks are property of their respective owners.


More information

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program

Visa Account Information Security Tool Kit. Welcome to the Visa Account Information Security Program Visa Account Information Security Tool Kit Welcome to the Visa Account Information Security Program 2 Contents 1. Securing cardholder data is everyone s concern 4 2. Visa Account Information Security (AIS)

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

SecurityMetrics. PCI Starter Kit

SecurityMetrics. PCI Starter Kit SecurityMetrics PCI Starter Kit Orbis Payment Services, Inc. 42 Digital Drive, Suite 1 Novato, CA 94949 USA Dear Merchant, Thank you for your interest in Orbis Payment Services as your merchant service

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS) What is PCI DSS? The 12 Requirements Becoming compliant with SaferPayments Understanding the jargon SaferPayments Be smart.

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

PCI Compliance in Multi-Site Retail Environments

PCI Compliance in Multi-Site Retail Environments TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Making Your Network Safe

Making Your Network Safe Making Your Network Safe Key Differentiator NetVanta Security Audit Investing in Secure Networking Solutions is Key to Prevention It is critical that your communications network provides the security necessary

More information

Network Segmentation

Network Segmentation Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Cyber Security for Non- Profit Organizations. Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3

Cyber Security for Non- Profit Organizations. Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

Improving PCI Compliance with Network Configuration Automation

Improving PCI Compliance with Network Configuration Automation Improving PCI Compliance with Network Configuration Automation technical WHITE PAPER Table of Contents Executive Summary...1 PCI Data Security Standard Requirements...2 BMC Improves PCI Compliance...2

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

More information

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600 Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle

More information

NERC CIP VERSION 5 COMPLIANCE

NERC CIP VERSION 5 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements that are the basis for maintaining

More information

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on! Business Application Intelligence White Paper The V ersatile BI S o l uti on! Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas December 1, 2009 Sales Office: 98, route de la Reine - 92100

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance

whitepaper Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance Ten Essential Steps for Achieving Continuous Compliance: A Complete Strategy for Compliance Table of Contents 3 10 Essential Steps 3 Understand the Requirements 4 Implement IT Controls that Affect your

More information

Whitepaper. PCI Compliance: Protect Your Business from Data Breach

Whitepaper. PCI Compliance: Protect Your Business from Data Breach Merchants often underestimate the financial impact of a breach. Direct costs include mandatory forensic audits, credit card replacement, fees, fines and breach remediation. PCI Compliance: Protect Your

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Closing Wireless Loopholes for PCI Compliance and Security

Closing Wireless Loopholes for PCI Compliance and Security Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop

More information

SecurityMetrics Vision whitepaper

SecurityMetrics Vision whitepaper SecurityMetrics Vision whitepaper 1 SecurityMetrics Vision: Network Threat Sensor for Small Businesses Small Businesses at Risk for Data Theft Small businesses are the primary target for card data theft,

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 03.16 EB7178 DATA SECURITY Table of Contents 2 Data-Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Navigate Your Way to PCI DSS Compliance

Navigate Your Way to PCI DSS Compliance Whitepaper Navigate Your Way to PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) is a series of IT security standards that credit card companies must employ to protect cardholder

More information

Active Directory Auditing The Need and Result

Active Directory Auditing The Need and Result Jai hanumaan www.lepide.com Active Directory Auditing The Need and Result Whitepaper 2013 What are IT Audits? Increasing number of cases of malpractices and lackadaisical approach towards handling sensitive

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

PCI Compliance: Protection Against Data Breaches

PCI Compliance: Protection Against Data Breaches Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

PCI DSS Top 10 Reports March 2011

PCI DSS Top 10 Reports March 2011 PCI DSS Top 10 Reports March 2011 The Payment Card Industry Data Security Standard (PCI DSS) Requirements 6, 10 and 11 can be the most costly and resource intensive to meet as they require log management,

More information