Attaining PCI Compliance Using The PGP Encryption Platform


PGP White Paper, June 2008

Table of Contents

Executive Summary
Objective: Avoid the TJX
The PCI Standard
    Overview
    Principles and Requirements of the PCI Standard
        Build and Maintain a Secure Network
        Protect Cardholder Data
        Maintain a Vulnerability Management Program
        Implement Strong Access Control Measures
        Regularly Monitor and Test Networks
        Maintain an Information Security Policy
The Role of Enterprise Data Protection in PCI Compliance
PGP Encryption and Requirement 3: Protect Stored Cardholder Data
PGP Encryption and Requirement 4: Encrypt Transmission of Cardholder Data across Open, Public Networks
PGP Encryption and Requirement 7: Restrict Access to Data by Business Need-to-Know
State of Adoption
Appendix A: How PGP Solutions Meet PCI DSS Requirements

Executive Summary

Payment account companies (including American Express, MasterCard Worldwide, and Visa Inc.) developed the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, finalized in 2006, to protect customer account data from unauthorized access and misuse. Parties worldwide that process credit card data have been adopting this security standard, but adoption is not yet complete. Encryption solutions assist compliance with a broad range of PCI DSS requirements. Furthermore, PGP encryption solutions, based on the centrally managed PGP Encryption Platform, are the foundation of enterprise data protection and directly enable compliance with PCI DSS Requirements 3, 4, and 7. This white paper is intended for any organization that accepts credit cards and processes credit card data, which could include but is not limited to merchants, merchant banks, issuing banks, and processors.

Objective: Avoid the TJX

The infamous data breach of The TJX Companies, Inc. resulted from an ineffective enterprise data protection strategy. Network World portrayed the breach as one of the "10 of the Worst Moments in Network Security History." [1] Court filings estimate that the credit card and personal information losses affected 94 million customers. [2] Total costs are still being tabulated, but TJX paid nearly US$41M in fines to Visa [3] and settled multiple class action suits filed by its customers. [4] Visa also fined Fifth Third Bank $880,000 [5] for security lapses as the acquiring bank associated with the massive breach.

Payment account companies including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. developed the Payment Card Industry Data Security Standard (PCI DSS) version 1.1, finalized in 2006, to help organizations worldwide proactively protect customer account data. The standard states, "Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person." [6] In other words, if TJX had encrypted its credit card transactions, its data would have been safe, and TJX would have avoided huge fines and expensive litigation.

Since the TJX breach, Visa has proactively encouraged its member banks and affiliates to implement the PCI standard. "PCI DSS compliance is designed to enhance data security, which is in the best interest of merchants, consumers, and the financial services industry alike," says Michael E. Smith, head of Payment System Risk at Visa Inc. [7] Encryption is a component of PCI DSS compliance and the foundation of an enterprise data protection strategy.

PGP Corporation is the number one provider of standards-based encryption solutions for enterprise data protection, and offers automated, easy-to-manage encryption solutions that help merchants, banks, and their affiliates comply with the PCI standard. Encryption solutions can assist compliance throughout the standard (as shown in the Appendix of this white paper). The body of this white paper focuses on how PGP solutions facilitate compliance with PCI standard Requirements 3, 4, and 7, and presents best practices and examples that demonstrate the solutions' efficacy.

The PCI Standard

Overview

The PCI DSS was developed to reconcile differences among the payment account brands' security guidelines and to streamline communications among companies handling credit card information. It aligns the following guidelines:

    MasterCard Site Data Protection (SDP) security certification
    Visa Account Information Security (AIS)
    Visa Cardholder Information Security Program (CISP)
    American Express Data Security Operating Policy (DSOP)
    Discover Information Security and Compliance (DISC)

The PCI standard was co-written by Visa and MasterCard, announced in January 2005, and endorsed by leading payment account companies. The PCI Standards Council, [8] an independent council created by five major payment account companies, is responsible for maintaining the standard and enhancing it with new or modified requirements. The council issued PCI DSS Version 1.1 in September 2006 to provide additional clarity on the standard's requirements and to address emerging security threats; this version supersedes the 2005 version.

As the TJX example illustrated, organizations that do not comply with PCI DSS can face sanctions and suffer multiple business consequences. They may lose their privilege to participate in the credit card network and be unable to issue, process, or accept credit cards; this loss would directly impact their ability to collect revenues and sustain their business. They may lose the confidence of customers or investors. They could also be subject to substantial fines.

Principles and Requirements of the PCI Standard

PCI DSS version 1.1 prescribes 12 requirements, organized under six principles. PGP encryption solutions pertain most directly to compliance with Requirements 3, 4, and 7.

Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
    Requirement 3: Protect stored cardholder data.
    Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software.
    Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know.
    Requirement 8: Assign a unique ID to each person with computer access.
    Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data.
    Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security.

All entities that participate in the card payment system, that is, all entities that process, store, or transmit cardholder account or transaction information, must agree to adhere to the requirements of PCI DSS. These entities include:

    Merchants: Also known as acceptors, merchants are businesses that have qualified to accept credit or debit cards as payment for goods and services.
    Merchant banks: Also known as acquirers, merchant banks acquire new merchants and process their credit card transactions. They are licensed members of a credit card brand (such as Visa or MasterCard) as an affiliated bank or bank/processor alliance.
    Issuing banks: These are companies that issue credit cards to the cardholders. The companies are primarily banks, but could also be retail stores that issue store cards.
    Processors: Also known as payment service providers, processors are companies that route an authorization request from a merchant point-of-sale (POS) device (such as a VeriFone credit card terminal) to Visa or MasterCard and then arrange for fund settlement to the merchant.

The Role of Enterprise Data Protection in PCI Compliance

Enterprise data protection is the most effective approach for PCI compliance, because it incorporates all the technologies and processes required to protect credit card and customer data. An enterprise data protection strategy defines a best-practices approach for defending data at rest and in transit. It must include all four of these components to be effective:

    Protect: protect the data itself with standards-based encryption
    Detect: detect and prevent data leakage
    Control: control access to data by permitting or denying access
    Manage: manage data throughout its lifecycle, from creation through archive

[Figure 1: Enterprise Data Protection]

The foundation of enterprise data protection is the Protect component, which is best implemented by using encryption, as called for in the PCI standard. PGP Corporation offers encryption solutions that comprise the Protect foundation of an enterprise data protection strategy. PGP encryption technology is one of two data security standards recommended by NIST, [10] delivering the following benefits:

    Powerful Protection: provides central policy and key management
    Simple to Deploy: install once, roll out as needed
    Easy to Use: automatic and transparent to users
    Cost-effective: reduces total cost of ownership

PGP data and e-mail encryption applications are deployed and managed through a single or clustered instance of the PGP Universal Server, the central element of the PGP Encryption Platform (see Figure 2).

[Figure 2: PGP Encryption Platform]

The flexible PGP Encryption Platform enables phased deployments of encryption as needed. For example, an organization may begin by encrypting credit card transactions, and later extend encryption to laptop computers and USB drives, managing all applications from one console. Major features of the PGP Encryption Platform include:

    Centralized policy and key management
    Centralized logging and auditing of encrypted devices
    Standards-based encryption of data in transit and at rest, even beyond the enterprise network
    Integration with existing IT infrastructures
    Patented PGP Additional Decryption Key (ADK) technology that ensures access to data protected by lost or forgotten keys

PGP encryption applications help protect organizations from credit card and customer information security breaches, and the resulting brand damage, embarrassment, penalties, and costs. These applications include the following:

    PGP Command Line: Encrypts and signs information for bulk data storage, FTP transfer, and backup
    PGP Universal Gateway Email: Automatically encrypts e-mail messages without requiring client software
    PGP Desktop Email: Provides automatic end-to-end encryption of e-mail messages
    PGP Support Package for BlackBerry: Extends PGP Desktop functionality to BlackBerry devices
    PGP NetShare: Encrypts network-based files and folders for collaborating teams
    PGP Whole Disk Encryption: Enables encryption of files on desktop and laptop computers and removable media
    PGP Endpoint: Prevents data loss resulting from the use of unauthorized devices and connections

PGP Encryption and Requirement 3: Protect Stored Cardholder Data

PCI DSS Requirement 3 states: "Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN [Primary Account Number] is not needed, and not sending PAN in unencrypted e-mails." [11]

To protect stored cardholder data (data at rest), Requirement 3 recommends that an organization truncate or encrypt cardholder account numbers. However, truncated account numbers are not as secure as encrypted ones. Requirement 3 deems storing unencrypted PAN data an unacceptable security risk. However, most business applications do store credit card data, briefly, until it has been transmitted to another system or processed. In addition, many applications need to store credit card data to establish a standard method of payment for recurring charges or returning customers. When PAN data must be stored, strong encryption is the logical choice for protecting it.

The following are typical examples of the devices and media that store PAN data, and of the PGP encryption applications that can protect it (Figure 3):

    Computers used as a point-of-sale (POS) register or in a call center to enter cardholder data can encrypt the cardholder data stored on the local hard disk or on a network drive. PGP Whole Disk Encryption and PGP Endpoint can secure this data.
    Midrange systems that collect and store credit card information in a retail outlet can encrypt stored PAN data, even if it is stored only temporarily before being destroyed. PGP Command Line can protect this data.
    File transfer servers that store and forward cardholder data to connect internal and external systems can encrypt cardholder data in storage. PGP Command Line can protect this data.
    Mainframes that store cardholder data for billing, future orders, and recurring charges can encrypt stored data. PGP Command Line can protect this data.
    Business analysts who store database snapshots and reports for data mining on file servers or laptops must encrypt that information. PGP NetShare protects data on file servers, and PGP Whole Disk Encryption and PGP Endpoint protect data on personal computers and on mobile storage devices such as USB drives.
    Backup tapes containing cardholder data can be encrypted. PGP Command Line can protect this data.
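As an added illustration of the Requirement 3 methods discussed above and itemized in Appendix A (truncation and one-way hashed indexes), the following Python script, which is not PGP code and not from the original white paper, scans constructed point-of-sale log lines for Luhn-valid account numbers, replaces each with its truncated first-six/last-four form, and derives a keyed hash index that still lets the scrubbed record be correlated with the cardholder record. The key, the log lines and the card numbers (standard test numbers) are constructed for the example.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the card numbers are published test numbers, not real accounts.
SAMPLE_LOG = [
    "2008-06-12 10:31:44 POS register=7 pan=4111 1111 1111 1111 order=1234567890123 status=approved",
    "2008-06-12 10:32:01 POS register=7 pan=5500000000000004 order=1234567890124 status=declined",
    "2008-06-12 10:32:09 POS register=7 heartbeat seq=1234567890123 ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Every card brand's PAN passes it, which lets the scanner
    skip most other digit runs (order ids, sequence numbers) without a brand table."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, digits summed
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as PCI DSS permits: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """Keyed one-way hash usable as a lookup index for the cardholder record.
    The PAN space is small enough to brute-force an unkeyed SHA-256 of a PAN, so the
    hash is keyed (HMAC) and the key must be protected like any other encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_log_line(line: str, key: bytes) -> tuple[str, list[str]]:
    """Return the line with every Luhn-valid PAN truncated, plus the hashed indexes of
    the PANs removed, so the scrubbed record can still be tied to its cardholder."""
    indexes: list[str] = []

    def replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # not a card number; leave the digit run untouched
        indexes.append(hashed_index(digits, key))
        return truncate_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), indexes


def scrub_log(lines: list[str], key: bytes) -> list[tuple[str, list[str]]]:
    """Scrub a whole log; returns (scrubbed line, hashed indexes) for each input line."""
    return [scrub_log_line(line, key) for line in lines]


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    for scrubbed, indexes in scrub_log(SAMPLE_LOG, demo_key):
        print(scrubbed, indexes)
```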

[Figure 3: To comply with Requirement 3, PGP solutions protect data at rest]

PGP Encryption and Requirement 4: Encrypt Transmission of Cardholder Data across Open, Public Networks

Encryption applies to both data at rest (Requirement 3) and data in transit over a public or open network (Requirement 4). PCI DSS Requirement 4 states: "Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and divert data while in transit."

The TJX hackers exploited the company's failure to protect data in transit. They first intercepted transaction data (including passwords) transmitted in cleartext over an unsecured wireless network. They then used the stolen passwords to penetrate the TJX internal network, gaining access to databases that contained confidential customer data. Had the data in transit been encrypted, the TJX breach might never have occurred.

PAN data in transit between systems whose stored cardholder data is protected in accordance with Requirement 3 must also be encrypted, especially over wireless networks. PGP Command Line protects transactions in transit over wireless networks, LANs, and the Internet. PGP Command Line automatically encrypts PAN data as it is transmitted between the midrange systems in retail outlets, the central file transfer servers at headquarters, the mainframe, and the back-end file transfer server at the credit card processor (Figure 4).

[Figure 4: To comply with Requirement 4, PGP Command Line automatically protects data in transit, and PGP solutions protect e-mail messaging.]

PCI DSS Section 4.2 states, "Never send unencrypted PANs by e-mail." The PGP encryption applications protect PAN data transmitted through e-mail systems. Because e-mail architectures vary, PGP Corporation offers several encryption technologies and applications to protect message transmission over public networks. For example, PGP Universal Gateway Email protects messages between a call center and the payment account company. Or perhaps a customer service representative receives an e-mail request from a customer who has questions about a certain credit card charge. The customer service representative must encrypt the return e-mail. In this case, PGP Universal Web Messenger (a component of PGP Universal Gateway Email) enables the recipient to open the message and read it.

PGP Encryption and Requirement 7: Restrict Access to Data by Business Need-to-Know

PCI DSS Requirement 7 requires all constituents to restrict access to computing resources and cardholder information to only those individuals whose job requires such access. [12] Accordingly, the default access policy denies system access to any user who is not specifically authorized. While Requirement 7 primarily addresses the Access component of enterprise data protection, encryption supports its implementation. For example, a business analyst may store reports based on PAN data mining. Even if an unauthorized user gains access to a device holding encrypted reports, he cannot read them. As another example, if the business analyst loses a laptop or USB stick, encrypted files are useless to potential identity thieves.

To protect such files and cardholder information from unauthorized access, an organization can use the following applications (Figure 5):

    PGP Virtual Disk Encryption (a component of PGP Whole Disk Encryption) protects data on shared workstations or laptops.
    PGP NetShare can encrypt specific files and control file access on file servers or PCs.
    Authorized parties may send reports to one another using end-to-end encrypted e-mail. PGP Desktop Email can protect these communications, even within an internal network.

[Figure 5: To comply with Requirement 7, PGP encryption restricts access to authorized users.]

State of Adoption

Visa leads efforts to protect cardholder data with PCI DSS. To motivate its customers to implement PCI DSS requirements, Visa set PCI DSS compliance deadlines of September 30, 2007 for level one members and December 31, 2007 for level two members. After those deadlines, noncompliant members are fined up to $25,000 per month until they comply, with the potential for losing membership if they do not act. The effect: Visa raised its compliance rate among its level one membership from 12 percent in December 2006 to 77 percent by the end of 2007, the highest level of any credit card processor. [13]

In January 2008, a Gartner Research report stated: "The PCI Security Council and the other card brands have not, however, kept pace [with Visa]. The PCI Security Council's communications processes remain poor, and retailers still have far too many unanswered questions about PCI DSS requirements. For example, there is considerable confusion about the implications of outsourcing arrangements on the scope of PCI compliance efforts and how to adequately segment networks to reduce the scope of compliance activities. Moreover, the PCI DSS remains unworkable for smaller merchants with limited payment-card related infrastructure." [14]

A crucial first step toward PCI DSS compliance is implementing encryption. The PGP Encryption Platform is the foundation of a practical enterprise data protection strategy, and its standards-based platform interoperates with most processor systems. The PGP Encryption Platform is an easy-to-install, affordable solution even for small merchants, and, most importantly, operates automatically, defending data at rest and in transit without user intervention. PGP Corporation invites peer review of its source code, which is available online for download.

Appendix A: How PGP Solutions Meet PCI DSS Requirements

This Appendix illustrates how PGP solutions help meet each PCI requirement. The full text of PCI DSS Version 1.1 is available online. Each entry gives the PCI DSS section, the requirement, and how PGP solutions help meet the requirement.

Section 1
Requirement: Install and maintain a firewall configuration to protect data.
How PGP solutions help: The installation of PGP Universal Server automatically sets up a preconfigured firewall that allows only the traffic necessary for server functionality. This on-board firewall complements an organization's own firewall practices used to segment its network.

Section 2.1
Requirement: Always change vendor-supplied defaults before installing a system on the network; for example, include passwords, simple network management protocol [SNMP] community strings, and elimination of unnecessary accounts.
How PGP solutions help: PGP software does not use default passwords but prompts users for passwords when setting up systems or generating keys. PGP Universal Server managed clients can force use of strong passwords or second-factor authentication to protect encryption keys.

Section 2 (continued)
Requirement: Implement only one primary function per server; for example, Web servers, database servers, and DNS [Domain Name System] should be implemented on separate servers.
How PGP solutions help: PGP Universal Server is a software appliance that requires its own hardware platform and does not share the platform with other applications or services.

Requirement: Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function).
How PGP solutions help: PGP Universal Server is based on a hardened operating system that does not include any unnecessary components.

Requirement: Remove all unnecessary functionality such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.
How PGP solutions help: PGP Universal Server and PGP Universal Gateway Email are based on a hardened operating system that does not include any unnecessary components.

Section 2 (continued)
Requirement: Encrypt all non-console administrative access. Use technologies such as SSH [Secure Shell], VPN, or SSL [Secure Sockets Layer]/Transport Layer Security (TLS) for Web-based management and other non-console administrative access.
How PGP solutions help: PGP Universal Server and PGP Universal Gateway Email use SSL/TLS to protect access to the Web-based management console and to the PGP Universal Web Messenger portal. Access to the underlying operating system is available only through SSH.

Section 3
Requirement: Protect stored data.
How PGP solutions help: PGP Endpoint has granular permissions that enable policy enforcement by user, user group, machine, time constraints, encryption, volume of data, data transfer, and more criteria. For example, it enables an organization to:
    Centrally manage policies to force users to encrypt external media, such as flash drives, to reduce the risk of a data breach, when integrated with PGP Whole Disk Encryption.
    Restrict the amount of data that is copied from an endpoint to a device per day and per user.
    Reduce the risk of keylogger attacks that capture passwords and other confidential information.
    Record data read from and/or written to removable media, to prevent data loss.
    Control the types of files moved to and from storage devices, to keep unwanted files from entering the network and sensitive files from leaving it.
    Enforce policies for online and offline use on a temporary or scheduled basis.

Section 3 (continued)
Requirement: Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches: strong one-way hash functions (hashed indexes); truncation; index tokens and pads (pads must be securely stored); or strong cryptography with associated key management processes and procedures.
How PGP solutions help: PGP Whole Disk Encryption encrypts an entire hard drive or removable media to restrict access to authorized users. PGP NetShare encrypts files stored on a file server to restrict access to authorized users. E-mails encrypted with PGP Universal Gateway Email or PGP Desktop Email use strong cryptography so that they can only be accessed by authorized recipients. Messages delivered through PGP Universal Web Messenger can be configured for storage in an encrypted form.

Requirement: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts.
How PGP solutions help: PGP Whole Disk Encryption encrypts the entire drive and requires authentication, independent of the operating system, to gain access to the drive. Decryption keys can be configured to be independent of user accounts.

Requirement: Restrict access to keys to the fewest number of custodians necessary.
How PGP solutions help: Role-based administration ensures division of power. Encryption keys are specific to individual users. Use of the Additional Decryption Key (ADK) to enable corporate access to encrypted data requires the participation of multiple administrators to prevent unauthorized access.

Requirement: Store keys securely in the fewest possible locations and forms.
How PGP solutions help: PGP products protect each key with strong symmetric encryption to prevent abuse. The key must be stored only where it is needed for encryption. Keys on the PGP Universal Server are encrypted with an Ignition Key that can be stored on a secure hardware token. Client-stored encryption keys can be protected using strong passphrases or secure hardware tokens.

Requirement: Fully document and implement the generation of strong keys.
How PGP solutions help: PGP products provide strong encryption using standard algorithms (Triple DES, AES, RSA, Diffie-Hellman) with proven random-number generators.

Section 3 (continued)
Requirement: Fully document and implement a process for secure key distribution.
How PGP solutions help: PGP Universal Server and PGP Universal Server managed clients provide secure key exchange mechanisms for key distribution.

Requirement: Fully document and implement a process for secure key storage.
How PGP solutions help: PGP applications protect each key with strong symmetric encryption to prevent abuse; keys can optionally be stored on hardware devices (smart cards, tokens).

Requirement: Fully document and implement a process for periodic key changes.
How PGP solutions help: PGP applications use a random symmetric key for each encrypted message or file. Server-managed asymmetric keys can also be assigned an expiration date. Client-managed asymmetric keys can be revoked by the user to change the key used for encryption. The PGP Universal Server administrator can also remove keys from the server, preventing partners from encrypting to old keys.

Requirement: Fully document and implement a process for destruction of old keys.
How PGP solutions help: PGP Universal Server's management platform supports the ability to centrally invalidate server-managed keys. A user can revoke client-managed keys to prevent the key from being trusted for future encryption operations. The PGP Universal Server administrator can also remove keys from the server, preventing partners from encrypting to old keys.

Requirement: Split knowledge and dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key).
How PGP solutions help: PGP solutions support the ability to split specific keys so that n of m named persons must be present to reconstruct a key.

Requirement: Fully document and implement a process for prevention of unauthorized substitution of keys.
How PGP solutions help: Certification signatures on public keys ensure that substitution of keys is not possible (for example, by a man-in-the-middle attack).

Requirement: Fully document and implement a process for replacement of known or suspected compromised keys.
How PGP solutions help: An administrator can revoke and replace server-managed keys if compromised. A user can revoke and replace client-managed keys if compromised. A PGP Universal Server administrator can also delete the key from the server to prevent partners from being able to retrieve a key that should no longer be used.
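The split-knowledge entry above states only that n of m named persons must be present to reconstruct a key; the white paper does not describe PGP's mechanism. The following Python, added here and not PGP code, shows the standard way such a threshold is realised (Shamir secret sharing over a prime field): a 16-byte key is split into m shares of which any n reconstruct it, while fewer than n yield a uniformly random value and so reveal nothing. The key bytes and the 2-of-3 custodian policy are constructed for the example.

```python
import secrets

# Arithmetic is done modulo a prime larger than any secret we split. 2**127 - 1 is a
# Mersenne prime, so a 16-byte (128-bit) key interpreted as an integer must be below it.
PRIME = 2**127 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial (coefficients from the constant term upward) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, custodians: int) -> list[tuple[int, int]]:
    """Split `key` into `custodians` shares; any `threshold` of them reconstruct it.

    The key is the constant term of a random polynomial of degree threshold - 1, and
    each custodian receives one point (x, f(x)). With fewer than `threshold` points every
    constant term is equally likely, which is what 'split knowledge' requires."""
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field; use a larger prime")
    if not 1 < threshold <= custodians:
        raise ValueError("need 1 < threshold <= custodians")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def recover_key(shares: list[tuple[int, int]], key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over the prime field; returns the constant term as
    `key_len` bytes. Correct only when at least `threshold` distinct shares are supplied;
    with fewer, the result is a uniformly random field element, not the key."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(key_len, "big")


def dual_control_demo() -> bool:
    """Constructed 2-of-3 policy: any two custodians recover the key; one alone cannot."""
    key = bytes(range(16))  # constructed demo key, not a real one
    shares = split_key(key, threshold=2, custodians=3)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    two_suffice = all(recover_key(pair, 16) == key for pair in pairs)
    one_fails = recover_key(shares[:1], 16) != key
    return two_suffice and one_fails


if __name__ == "__main__":
    print("2-of-3 reconstruction works:", dual_control_demo())
```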

Section 3 (continued)
Requirement: Fully document and implement a process for revocation of old or invalid keys (mainly RSA keys).
How PGP solutions help: PGP Universal Server's management platform supports the ability to centrally invalidate server-managed keys. A user can revoke client-managed keys to prevent the key from being trusted for future encryption operations.

Section 4.1
Requirement: Use strong cryptography and security protocols such as Secure Sockets Layer (SSL) / Transport Layer Security (TLS) and Internet Protocol Security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.
How PGP solutions help: PGP solutions use strong cryptography and encryption with up to 256 bits for symmetric algorithms and 4,096 bits for asymmetric encryption, exceeding PCI DSS requirements.

Section 4 (continued)
Requirement: For wireless networks transmitting cardholder data, encrypt transmissions by using Wi-Fi Protected Access (WPA) technology if WPA-capable, or VPN or SSL at 128 bits. Never rely exclusively on WEP [Wireless Encryption Protocol] to protect confidentiality and access to a wireless Local Area Network (LAN). Use one of the above methodologies in conjunction with WEP at 128 bits, and rotate shared WEP keys quarterly and whenever there are personnel changes.
How PGP solutions help: Protecting wireless LANs as described is good practice for general IT security as well as for PCI DSS, so it is recommended that organizations follow these requirements by configuring their wireless routers accordingly. Data protected using PGP encryption is also protected when broadcast over insecure wireless access, adding another layer of security.

Section 4.2
Requirement: Never send cardholder information in unencrypted e-mail.
How PGP solutions help: The PGP Encryption Platform offers several applications to encrypt e-mail and supports all widely used e-mail standards to ensure that organizations can communicate securely both within the company and with business partners. PGP solutions use centrally configured, policy-based encryption that ensures critical messages are automatically encrypted without user intervention.

Section 6
Requirement: Ensure that all system components and software have the latest vendor-supplied security patches.
How PGP solutions help: PGP Universal Server automatically downloads and optionally installs patches for its applications and operating system. PGP clients managed by PGP Universal Server can be configured to automatically retrieve updates from the PGP Universal Server.

Section 6 (continued)
Requirement: Develop Web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. See "The Ten Most Critical Web Application Security Vulnerabilities." Cover prevention of common coding vulnerabilities in software development processes.
How PGP solutions help: PGP Corporation has an excellent track record in the security industry and makes its source code available for peer review to increase the security of the software and trust in the PGP Encryption Platform.

Section 7
Requirement: Restrict access to data by business need-to-know.
How PGP solutions help: PGP Endpoint ensures that strong access control measures are in place by enforcing policies that control device and application use to prevent unauthorized access to sensitive data. By employing a whitelist approach, PGP Endpoint enables only authorized applications to run and only authorized devices to connect to a desktop, laptop, server, terminal services server, or thin client. PGP Endpoint enables an organization to:
    Use granular permissions that enable policies by user, user group, machine, time, encryption, volume of data, data transfer, and more criteria.
    Centrally manage policies to force users to encrypt external media such as flash drives, to reduce the risk of a data breach, when integrated with PGP Whole Disk Encryption.
    Authorize DVD/CD-ROM collections, grant access to users or user groups, and encrypt removable media with unique IDs to limit access to proprietary information and avoid unauthorized access or use of content.
    Restrict the amount of data that is copied from an endpoint to a device per day and per user.
    Reduce the risk of keylogger attacks that capture passwords and other confidential information.
    Record data read from and/or written to removable media, to prevent data loss.

    Control the types of files moved to and from storage devices, to keep unwanted files from entering the network and sensitive files from leaving it.
    Enforce policies for online and offline use on a temporary or scheduled basis.

Sections 7.1 and 7.2
Requirement 7.1: Limit access to computing resources and cardholder information to only those individuals whose job requires such access.
Requirement 7.2: Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed.
How PGP solutions help: Encrypted data is accessible only to users who own the correct decryption key. Data owners or administrators first deny access to all users and then specify the users who have access to the data. This approach applies to data in transit and in storage. Data owners can exclude access by system management, enforcing an effective role separation.

Section 8.1
Requirement: Identify all users with a unique username before allowing them to access system components or cardholder data.
How PGP solutions help: PGP Universal Server and PGP Universal Gateway Email require user/password logins from administrators and from PGP Universal Web Messenger users who access Web-based interfaces. PGP client applications use a strong passphrase or a secure hardware token to retrieve a user-specific key used to encrypt data.

Section 8.2
Requirement: Employ at least one of the methods below to authenticate all users (in addition to unique identification): password; token devices (for example, SecureID, certificates, or public key); biometrics.
How PGP solutions help: PGP solutions use passwords, certificates, and public keys to encrypt data and to authenticate users. Public keys and certificates are usually stored on the hard disk, but can also be stored on hardware tokens to increase security.

Section 8.4
Requirement: Encrypt all passwords during transmission and storage on all system components.
How PGP solutions help: PGP solutions never transmit or store unencrypted passwords.

22 22 10 Track and monitor all access to network resources and cardholder data. PGP Endpoint has detailed auditing capabilities that can be used to track and monitor what data that users, applications, and devices accessed or attempted to access; or when users, applications, and devices connect to network resources and cardholder data. PGP Endpoint enables tracking of data that is read from and/or written to a removable device so that an organization can monitor what data is being moved to and from the network, and it controls the types of files that are moved to and from removable devices to reduce the risk of unwanted files from entering the network and sensitive files from leaving the network. For further control, separate policies can be defined when the user is online or offline, and permissions can be set temporarily or on a scheduled basis. 12 Maintain a policy that addresses information security. PGP Endpoint ensures that information security policies are enforced by controlling application and device use, to maintain secure networks and to prevent unauthorized access of data. By employing a whitelist approach, PGP Endpoint enables only authorized applications to run and only authorized devices to connect to a desktop, laptop, server, terminal services server or thin client. Any user, user group, application and/or device not authorized is denied by the system, eliminating unknown or unwanted applications and devices in our network, thus reducing the risk of data loss and malware, ultimately improving network stability Ensure the security policy and procedures clearly define information security responsibilities for all employees and contractors. Administrators can create policies so that sensitive messages are automatically encrypted to reduce human error and to simplify enforcement of corporate security policy.

23 Assign an individual or a team to administer user accounts, including additions, deletions, and modifications Educate employees (for example, through posters, letters, memos, meetings, and promotions). PGP Universal Server intelligently adds, deletes, and modifies user accounts automatically, reducing operational cost. PGP solutions are designed with automation and ease of use in mind. As a result, users require minimal or no training to comply with security guidelines. End Notes 1 Ellen Messmer, 10 of the Worst Moments in Network Security History, Network World, 03/11/08. 2 Banks: TJX lost twice as much data as reported, SC Magazine US, October 24, TJX agrees to $41 million settlement with Visa, SC Magazine US, November 30, TJX customers to claim eligibility for breach settlement, SC Magazine US, March 3, Visa fines TJX credit card processor, SC Magazine US, October 29, Payment Card Industry Data Security Standard, PCI Security Standards Council, Release 1.1 (Full Text), September 2006, section PCI Compliance Continued to Grow in 2007, Visa Inc., Payment Card Industry Data Security Standard, PCI Security Standards Council, Release 1.1 (Full Text), September 2006, page Guidelines on Electronic Mail Security, NIST, February 2007, page Payment Card Industry Data Security Standard, PCI Security Standards Council, Release 1.1 (Full Text), September 2006, section Ibid, section PCI Compliance Continued to Grow in 2007, Visa Inc., 14 PCI Compliance Grows but Major Industry Problems Remain, Avivah Litan, Gartner Research, ID Number: G , 25 January 2008, page 2.
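The deny-all-then-allow-list model that the rows for Requirements 7.1, 7.2 and 8.1 describe, shown in working form. This is an added example written for this edition; it is not PGP Corporation's code and does not produce the OpenPGP message format. The Recipient and Message types, the recipient names and the cardholder record are constructed for the illustration, and RSA-OAEP plus AES-256-GCM stand in for OpenPGP's own public-key and symmetric packets. A reader is granted access only by having the session key wrapped to their public key; the administrator of the store where the message sits, holding no listed key, is refused, and so is an impostor who presents a listed name with a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrNotAuthorized is the deny-by-default outcome: the reader holds no key the data was encrypted to.
var ErrNotAuthorized = errors.New("no session key wrapped to this reader's key")
// Recipient is a potential reader; a data owner encrypts to the public half, the reader
// must hold the private half (unlocked by passphrase or hardware token in a real deployment).
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey
}

// Message is the stored or transmitted form: one AES-256-GCM ciphertext plus one RSA-OAEP
// wrapped copy of the session key per listed recipient. Unlisted readers have nothing to unwrap.
type Message struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient name -> OAEP(session key)
}

func NewRecipient(name string) (*Recipient, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{Name: name, Key: key}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects plaintext with a fresh session key and wraps that key only to the public
// keys on the explicit allow list; the administrator of wherever the Message is stored gets nothing.
func Encrypt(plaintext []byte, allowed []*Recipient) (*Message, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := &Message{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(allowed))}
	for _, r := range allowed {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, sessionKey, nil)
		if err != nil {
			return nil, err
		}
		msg.WrappedKeys[r.Name] = w
	}
	return msg, nil
}

// Decrypt succeeds only for a reader whose private key matches a wrapped entry; a listed name
// presented with the wrong private key (an impostor) is refused exactly like an unlisted reader.
func Decrypt(msg *Message, reader *Recipient) ([]byte, error) {
	w, ok := msg.WrappedKeys[reader.Name]
	if !ok {
		return nil, ErrNotAuthorized
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, reader.Key, w, nil)
	if err != nil {
		return nil, ErrNotAuthorized
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	// Constructed sample: Alice is listed, the storage administrator is not.
	alice, _ := NewRecipient("alice@merchant.example")
	admin, _ := NewRecipient("storage-admin@merchant.example")
	msg, _ := Encrypt([]byte("PAN=4111111111111111;exp=12/10"), []*Recipient{alice})
	for _, r := range []*Recipient{alice, admin} {
		pt, err := Decrypt(msg, r)
		fmt.Printf("%-32s plaintext=%q err=%v\n", r.Name, pt, err)
	}
}
```

Run it with go run: the listed reader recovers the record and the administrator gets ErrNotAuthorized. The model is only as strong as the protection of the listed private keys, which is why the rows for Requirements 8.1 and 8.2 tie key use to a passphrase or a hardware token.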

PGP Corporation
200 Jefferson Drive
Menlo Park, CA 94025, USA

PGP Corporation. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any means without the prior written approval of PGP Corporation. The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending applications. PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners. The information in this document is provided "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. All strategic and product statements in this document are subject to change at PGP Corporation's sole discretion, including the right to alter or cancel features, functionality, or release dates. Changes to this document may be made at any time without notice.


Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements.

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution First Data First Data Market Market Insight Insight Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution SM Solution Organizations who handle payment card data are obligated to comply

More information

Windows Azure Customer PCI Guide

Windows Azure Customer PCI Guide Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond RSA Solution Brief Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond Through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

05.118 Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013 05.118 Credit Card Acceptance Policy Authority: Vice Chancellor of Business Affairs History: Effective July 1, 2011 Updated February 2013 Source of Authority: Office of State Controller (OSC); Office of

More information

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01

PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 PLACE GROUP UK LONDON STUDENT HOUSING GROUP PAYMENT CARD INDUSTRY DATA SECURITY STANDARD COMPLIANCE STATEMENT PCI DSS (09) VERSION: 2009PCIDSSP4S01 Information updated: 21 October 2012 SAFEGUARDING CARDHOLDER

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard August 2014 Table of Contents Introduction... 1 PCI Data Security Standard...

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Audit Procedures Version 1.1 Release: September 2006 Table of Contents Security Audit Procedures... 1 Version 1.1... 1 Table of Contents... 2

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

Demystifying the Payment Card Industry - Data Security Standard

Demystifying the Payment Card Industry - Data Security Standard Demystifying the Payment Card Industry - Data Security Standard Does ADTRAN Comply? What is the PCI DSS? In short, the Payment Card Industry (PCI) Data Security Standard (DSS) is a stringent set of requirements

More information

You Can Survive a PCI-DSS Assessment

You Can Survive a PCI-DSS Assessment WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

PCI Wireless Compliance with AirTight WIPS

PCI Wireless Compliance with AirTight WIPS A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information