DataStealth and your PCI-DSS audit

Transcription

1 Because Intruders Cannot Steal What Is Not There DataStealth and your PCI-DSS audit Datex Inc North Sheridan Way Suite 200 Mississauga ON L5K 1A DATEX

2 Executive Summary Payment Card Industry (PCI) Data Security Standard (DSS) compliance audits are expensive and expansive. These audits require time, resources, capital, and potentially large amounts of remediation. And they are required annually by all organizations that store, process or transmit credit cards. There is good news; As an industry, compliance rates are going up. But there is also bad news; The ability of organizations to sustain compliance is going down. The 2015 Verizon PCI Compliance Report stated that 93.8 % of companies are validated as compliant during their PCI assessment, however, 80% of these organizations fail to sustain the security controls that they put in place to maintain their compliance between annual audits. Intruders know this, and the number of security breaches keeps going up each year as intruders find more ways to monetize stolen payment card information. Complicating matters, the threat landscape is changing at unprecedented speed. Newer vulnerabilities such as Poodle, Logjam and Heartbleed are surfacing at an alarming rate. Being compliant yesterday does not mean that you are compliant today. Not being compliant with the PCI-DSS standard, aside from risking your organizations ability to accept payment cards as a method of payment, is a clear sign that your infrastructure is susceptible to vulnerabilities. The responsibility for ensuring that an organization is not breached has worked its way all the up to the CEO office and to the Board of Directors, and executives are being held to the highest standard. This was evidenced by the departure of two high profile CEOs following the breach of their respective organizations; a significant retailer that had 70 million payment cards stolen, and a government agency after what has been described as one of the largest breaches of government data in history. Organizations that have suffered a breach have seen their loyal customers leave, their revenues eroded, and their share prices fall, not to mention the actual hard and soft costs of the breach. All of these outcomes have had catastrophic effects on the financial health and shareholder value of these organizations. DataStealth has taken a completely different approach to solving this challenge. DataStealth removes payment card information entirely from your organization s network, both in transit, and at rest. In the event of a breach, whether external or internal in nature, there is no payment card information in your network. With DataStealth, intruders cannot steal what is not there. 01

3 The traditional approach It has been said that it is not a matter of if your network will be breached, but rather when your network will be breached. Intruders will gain access to your network. User credentials will be compromised. Employees will make mistakes. And when any of these occurrences happen, your payment card information is no longer private and secure. Virtually all traditional data security solutions attempt to prevent intruders from gaining access to our network in one way or another. Common approaches to solving the challenge include: Perimeter and endpoint protection Access controls including strong passwords Intrusion detection Logging, monitoring, patching, and maintaining Employee training Encryption and tokenization All of these approaches have inherent weaknesses and significant implementation efforts including; Infrastructure changes Application and code development Resource requirements to manage change, operation and support Encryption key management It is clear that the traditional approach is no longer working. One of the biggest reasons for PCI-DSS releasing a new standard just 3 months after the last major release was due to a recently discovered vulnerability in the secure socket layer (SSL) technology that is used to protect the majority of website security. All versions of SSL have been deemed to be weak encryption. Early versions of TLS have suffered the same fate. Many applications, both commercial and proprietary, will require significant heavy lifting just to get them ready for the next annual audit. Albert Einstein once said Doing the same thing over and over, and expecting a different result, is the definition of insanity. A new and different solution is required. Enter DataStealth. 02

4 DataStealth in a PCI Environment Imagine what would happen if your network was breached, but there was no payment card information anywhere inside your network to steal. Welcome to DataStealth. DataStealth is a paradigm-changing technology that will significantly reduce the scope of your PCI audit by completely removing payment card information from your network, both in transit, and at rest. As a matter of fact, we remove the entire Cardholder Data Environment (CDE) as well. The implementation is stunningly simple. DataStealth sits between your users and your network. It inspects network traffic, looking for PCI (Payment Card Information) data. It doesn t matter if the data is flowing in real-time or in a batch, HTTP(S) or (S)FTP, unstructured data or inside a document, DataStealth will find it. Once identified in the network traffic, DataStealth extracts the PCI data on the fly, in real-time. It then replaces the original data with a smart substitute, one that will not break the underlying applications or integrations. Lastly, once removed, the PCI data that was removed is stored in a way that is computationally infeasible to breach. The only PCI data that traverses your network, is used by your applications, and is stored in your primary and other databases, is the substitute data. PCI data never touches your network. NEVER. DataStealth uplifts the security on all of your web assets to the most current standards from NIST, CIS, and PCI-DSS 3.1. With DataStealth in front of your websites, you are no longer susceptible to vulnerabilities such as Poodle, Logjam and Heartbleed, which are surfacing at an alarming rate. At Datex, we recognize the challenge of building and sustaining a PCI Compliant network. We also realize that getting PCI Compliance is only the first step to securing your entire network. It is a great place to start. But the end of the day, if your network were to be breached, whether by an external or internal source, with DataStealth the data is just not there. Intruders cannot steal what is not there. DataStealth is a simple plug and play solution that just works. Plug it in. Power it on. Your PCI-DSS problems are gone! 03

5 Myths about PCI-DSS PCI Compliance is the law. PCI Compliance is not the law. It is mandated by the PCI Council, which was created by the major card brands, Visa, Mastercard, and American Express, in an attempt to stop payment card fraud. The PCI Council has the power to levy sanctions on non-compliant merchants ranging from fines, to holding merchants responsible for fraud losses, to having merchant accounts suspended. Compliance and Security are the same thing. Not true. Being PCI compliant does not equate to having a secure payment network. According to insiders, most if not all of the larger retail organizations that have been breached in the recent past were PCI Compliant at the time of their breach. PCI Compliance is designed to be best practices and to force organizations to be proactive when it comes to securing payment card information. I passed my audit. I am secure. Just because you are validated as being compliant, does not ensure that there were unidentified areas of non-compliance. And it certainly does not ensure your sustained compliance going forward. Nobody can state with any degree of certainty that a breach cannot occur. I have not been breached. I don t have to worry. James Carney, Director of the FBI stated recently There are only two kinds of companies. Those who have been hacked, and those who don t know they have been hacked. Not being breached just proves that you are unaware if you have been breached. Nothing more. 04

6 DataStealth is different With DataStealth there is: No hardware or software to install No changes required to applications or user behaviour No encryption keys to manage No databases, agents, browser plugins or APIs to install The best part about DataStealth in a PCI environment is that payment card information, although nowhere in your infrastructure, remains 100% available and useable to authorized users without any changes to existing processes or applications. DataStealth is 100% transparent to both users and to the underlying applications and infrastructure. At the end of the day, if your network were to be breached, whether by an external or internal source, with DataStealth the data is just not there. Intruders cannot steal what is not there. Plug it in. Power it on. And say goodbye to long, expensive and time consuming PCI Compliance audits. Contact Us w. p DATEX e. info@datex.ca 05