Vormetric Addendum to VMware Product Applicability Guide


Vormetric Data Security Platform Applicability Guide for Payment Card Industry (PCI): Partner Addendum

Vormetric Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) Version 3.0

October 2014

Table of Contents

Introduction
The Challenge: Establishing Compliance and Sustaining It
The Solution: Vormetric Transparent Encryption
How Vormetric Transparent Encryption Works
Overview of PCI as it Applies to Cloud/Virtual Environments
Summary of Relevant Changes from PCI DSS 2.0 to 3.0
Cloud Computing
Deploying Vormetric Solutions in the Cloud
Vormetric PCI Compliance Solution
Vormetric PCI Requirements Matrix Overview
PCI Requirements Matrix: How Vormetric Addresses Specific Controls
Summary
Acknowledgements
Trademarks and Copyrights

Vormetric Data Security Platform Applicability Guide

Introduction

The Challenge: Establishing Compliance and Sustaining It

For businesses in just about any industry and of any size, sensitive assets continue to be exposed, proving all too susceptible to attacks, breaches, and data loss. While these incidents can be costly for any organization, they're particularly devastating for businesses that manage cardholder data. Beyond the immediate costs of remediation, forensics, and brand damage, these organizations can also be hit with fines levied by the payment card brands if they are found to have been non-compliant. When it published the Payment Card Industry Data Security Standard (PCI DSS), the PCI Security Standards Council intended to provide organizations with the policies, techniques, and guidelines that would help guard against breaches. However, establishing compliance is no trivial effort, and sustaining it continues to be challenging, particularly as threats and the environments that have to be secured continue to evolve.

It is within this context that the increased reliance on virtualization technologies and cloud services grows increasingly significant. PCI DSS requires compliance of all systems and devices that store, transmit, or process cardholder data. Traditionally, a merchant's IT staff could segment the network in order to separate the systems that manage cardholder data from those that do not. This approach makes it easier to apply the specific controls required to safeguard sensitive payment data, and it removes the segregated systems from the scope of a PCI DSS assessment, which can reduce audit cost and effort. The introduction of virtualization and cloud computing into cardholder environments can blur the lines of segmentation. To safeguard sensitive cardholder data in virtualized and cloud environments, organizations need to apply consistent, robust, and granular controls.
The Solution: Vormetric Transparent Encryption

Vormetric Transparent Encryption helps organizations address a number of PCI DSS 3.0 requirements through its data-at-rest encryption, privileged user access control, and audit logging. The product encrypts and tracks access to structured databases and unstructured files, including those residing in physical, big data, private, public, and hybrid cloud environments. Because the approach is transparent, your organization can implement encryption without changing applications, infrastructure, or business practices. Unlike other encryption solutions, Vormetric Transparent Encryption's protection does not end once the data is encrypted: the product continues to log access and enforce least-privilege policies to protect against unauthorized access. All access events can be captured in audit logs, which integrate readily with popular Security Information and Event Management (SIEM) tools and other log collection solutions. With these capabilities, you can maintain continuous protection and control of your data and support many PCI DSS 3.0 requirements.

How Vormetric Transparent Encryption Works

Vormetric Transparent Encryption is an agent available for Windows, Linux, and UNIX platforms, regardless of the underlying storage technology. All policy and key administration is done through the Vormetric Data Security Manager. The agent runs in the cardholder data environment as a kernel module within the virtual machine; one agent is installed on each virtual machine holding data that requires protection. The agents perform encryption, decryption, access control, and logging: they evaluate every attempt to access protected data and either grant or deny it according to the policies specified in the Vormetric Data Security Manager.
The agents are transparent to users, applications, databases, file systems, networks, and storage architecture. They maintain a strong separation of duties on the server by encrypting file contents while leaving file metadata in the clear, so that storage and ESX administrators can perform their jobs without directly accessing encrypted information. Because the agents are kernel modules inside the virtual machines, the product scales with the workload and avoids the bottlenecks and latency that plague proxy-based solutions.

Figure 1: Vormetric Transparent Encryption Enabling Encryption, Least Privileged Access, and Logging

VMware Approach to PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as the Primary Account Number (PAN), as well as any other information defined as cardholder data by PCI DSS v3.0. Cloud computing is no exception to the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, a consolidated management plane, and so on) themselves require that adequate controls be adopted to meet the PCI DSS audit. PCI considerations help assessors understand what they need to know about an environment in order to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed, or transmitted in a cloud environment, PCI DSS applies to that environment, and validation will typically cover both the infrastructure and the applications running in it. Many enterprise computing environments in various vertical industries are subject to PCI DSS compliance, and those that handle financial transactions for goods and services commonly rely on VMware and VMware Technology Partner solutions to deliver those environments. These enterprises seek ways to reduce overall IT budget while maintaining an appropriate risk posture for the in-scope environment. One of the greatest challenges in hosting the next-generation enterprise computing environment is consolidating the different modes of trust required, such as those for a Cardholder Data Environment (CDE) and a non-cardholder data environment.
For these reasons VMware has enlisted its audit partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor (QSA), in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and to document those capabilities in a set of reference architecture documents. The first of these is this Product Applicability Guide, which maps the VMware products and features that should be considered when implementing PCI DSS controls. The next two documents in the series, which together with this Guide make up the PCI DSS Reference Architecture, are the Architecture Design Guide and the Validated Reference Architecture. They provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS, and a lab validation exercise analyzing an instance of this reference architecture built on the concepts and approaches outlined there. For more information on these documents and the general approach to compliance issues, please review VMware's Approach to Compliance.

This Product Applicability Guide Addendum builds upon the base VMware control mapping and alignment for PCI DSS 3.0, documented in the VMware Product Applicability Guide for PCI DSS 3.0 on the VMware Solutions Exchange. In addition, VMware and Coalfire are engaged with VMware Technology Partners such as Vormetric, Inc. to analyze their products and solutions (available on the VMware Solution Exchange), with the goal of providing continuing examples to the industry. While every environment is unique, together VMware and its partners can provide a solution that potentially addresses over 70% of the PCI DSS technical requirements.

Figure 2: PCI Requirements

Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud

Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud

Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their operating regulations that any merchant or service provider be PCI compliant. Merchants and service providers must validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or the inability to process credit cards, in addition to potential reputational loss. The PCI DSS has six categories with twelve requirements in total, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC began providing formalized guidance for cloud and virtual environments in October 2010, with the release of PCI DSS 2.0. These guidelines were based on industry feedback, the rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the DSS specifically mentions the term "virtualization" (previous versions did not use the word). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents clarified that virtual components should be considered system components for PCI, but did not go into the specific details and risks of virtual environments. Instead, the PCI SSC addressed virtual and cloud specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 5: Navigating PCI DSS

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mention of vendors or their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.
Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of PCI DSS 3.0, little additional guidance has been released with regard to virtualization specifically, but there are a number of enhancements and clarifications that may have significant design and operational consequences beyond what was required for compliance with PCI DSS 2.0. None of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those in version 2.0; they are additions, enhancements, and clarifications. An updated Navigating PCI DSS document for version 3.0 has not been released by the PCI SSC as of the time of this writing. With every iteration of PCI DSS, particularly when new requirements are introduced, organizations are given additional time to implement the new controls through the sunrise process. Entities can choose to manage their cardholder data environments under PCI DSS 2.0 until December 31, 2014 at the latest; after that date all PCI DSS programs and assessments must adhere to version 3.0. Additionally, many of the new requirements in PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet them in an appropriate manner. Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the payment card industry and the need for a more risk-based approach that deals with the threats and associated risks that most commonly lead to incidents involving the compromise of cardholder data.

Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility in designing, implementing, and validating the requisite PCI DSS controls. With that increased guidance and flexibility in the standard and in individual controls comes a greatly increased level of stringency in the validation of those controls and in the risk-based approach to managing PCI DSS requirements. At a high level, the updates in version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS and PA-DSS requirements
- Building greater understanding of the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the standards
- Driving more consistency among assessors
- Helping manage evolving risks and threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

There are also several key themes around managing PCI DSS 3.0 as a proactive, business-as-usual approach to protecting cardholder data, focusing primarily on security as opposed to pure compliance, for which the PCI Security Standards Council has provided guidance. The following is drawn from the PCI DSS Version 3.0 Change Highlights document regarding these high-level concepts:

Education and awareness: Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI standards, gives rise to many of the security breaches happening today.
Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility: Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware, and poor self-detection, while providing added flexibility in the ways requirements can be met. This enables organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility: Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS 3.0 focus on helping organizations understand their PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud (or utility) computing as follows: "Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 6: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models, and several generally accepted service models. The deployment models are:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premises or off-premises.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gains the ability to burst into the public cloud when needed while maintaining critical assets on-premises.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community with shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

To learn more about VMware's approach to cloud computing, review the following: the VMware Cloud Computing Overview and VMware's vCloud Architecture Toolkit.

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:

- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI DSS does not endorse or prohibit any specific service or deployment model. The appropriate choice should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented on a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

Figure 7: VMware Software Defined Data Center Products

Figure 8: VMware End User Computing

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. The solutions' collective functionality, features, and the specific PCI DSS requirements they address are covered in the VMware Applicability Guide for PCI, which provides detailed information about VMware's support for PCI DSS v3.0. If you are an organization or partner interested in more information on the VMware Compliance Program, please e-mail us at

Deploying Vormetric Solutions in the Cloud

With Vormetric, you can fully support all of the cloud computing deployment models outlined above (private, public, hybrid, and community) while retaining the control you need to stay compliant with PCI DSS and other relevant security policies and mandates. Available as a physical or virtual appliance, the Vormetric Data Security Manager (DSM) offers policy-based security and compliance support for the underlying infrastructure. The DSM features a flexible deployment model that lets you retain custodianship of keys whether they are on or off the merchant's premises. The DSM can also be deployed using automated provisioning scripts in a multi-tenant environment. It is important to note that the DSM is the key and policy manager; cardholder data and other sensitive data never passes through the appliance.

Figure 9: Vormetric Securing Data in VMware Private, Public, Hybrid and Community Clouds

Vormetric PCI Compliance Solution

By leveraging the products and capabilities of Vormetric Transparent Encryption outlined above, your organization can secure cardholder data with simplicity, efficiency, and low total cost of ownership. Whether an organization's sensitive data is stored in virtualized, cloud, big data, or traditional data center environments, Vormetric can help safeguard it. The sections that follow detail how encryption, key management, privileged user access control, and Vormetric Security Intelligence address a number of specific PCI DSS v3.0 requirements.

Table 2: Vormetric Solutions

Encryption of data-at-rest for VMware environments (Vormetric Transparent Encryption): Using Vormetric Transparent Encryption, standards-based AES-256 encryption is applied to files and databases that contain cardholder or other sensitive data. The solution includes integrated key management that meets or supports PCI DSS requirements. Because the solution is transparent, no application or infrastructure changes are required. Encryption throughput is high because the agent uses Intel AES-NI hardware support and optimized engineering; performance results can be reviewed in the VCE Vblock certification test report. This capability helps satisfy controls in PCI DSS Requirement 3.

Privileged user access control (Vormetric Transparent Encryption): Vormetric's ability to enforce least-privileged access through privileged user access control policies ensures that unauthorized users do not have access to cardholder data. This capability helps satisfy controls in PCI DSS Requirement 7.

Vormetric Security Intelligence logs (Vormetric Transparent Encryption): Vormetric Security Intelligence logs produce an auditable trail of permitted and denied data access attempts by users and processes, giving detailed insight into file access activity. The logs are granular, so you can efficiently track and report on file access: who accessed files, which files were accessed, what application or process was used, and when. Because logging occurs at the file system level, an unauthorized user cannot reach protected data by a path that bypasses the log. These logs can alert administrators to unusual or improper data access and accelerate the detection of insider threats, hackers, and APTs that go undetected by perimeter security. Vormetric logs are also easy to integrate with your security information and event management (SIEM) system, so you can efficiently produce compliance and security reports. This capability helps satisfy controls in PCI DSS Requirement 10.

Centrally manage keys for multiple encryption products (Vormetric Data Security Manager): With the Vormetric Data Security Manager, an organization can centrally manage the entire Vormetric Data Security Platform. For example, the DSM delivers integrated key management for Vormetric Transparent Encryption, discussed in this paper, and for the column-level encryption solution, Vormetric Application Encryption. If your organization runs third-party encryption products, you can use Vormetric Key Management to centrally store their keys and certificates. The product provides a high-availability, standards-based, FIPS-validated key management platform that can secure keys for Microsoft Transparent Data Encryption (TDE), Oracle TDE, and KMIP-compliant devices. By consolidating key management across encryption products, Vormetric enables more consistent key management policy across the organization and reduces training and maintenance costs. This capability helps satisfy controls in PCI DSS Requirement 3.

Vormetric PCI Requirements Matrix Overview

When properly deployed and configured, the Vormetric solution can help you address a number of PCI DSS requirements. The table below lists, for each PCI DSS requirement, the number of test controls it contains and the number met or augmented by Vormetric.

Table 3: Vormetric PCI DSS Requirements Matrix (columns: PCI DSS requirement; number of PCI requirements; number of controls met or augmented by Vormetric)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data: 44 requirements, 1 met or augmented
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement A.1: Shared hosting providers must protect the cardholder data environment
TOTAL

14 PCI Requirements Matrix: How Vormetric Addresses Specific Controls The following matrix maps specific PCI DSS controls to the functionality of the Vormetric Data Security Platform. Table 4: Applicability of PCI DSS v3.0 Controls to the Vormetric Data Security Platform PCI DSS V3.0 APPLICABILITY MATRIX DATA SECURITY PLATFORM REQUIREMENT Requirement 1: Install and maintain a firewall configuration to protect cardholder data CONTROLS ADDRESSED N/A DESCRIPTION No controls in this PCI requirement are addressed by Vormetric. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters N/A No controls in this PCI requirement are addressed by Vormetric. It should be noted, that Vormetric components were developed to enforce the requirement that default passwords to its product are not allowed at implementation. Requirement 3: Protect stored cardholder data 3.2.b, 3,4,a, 3.4.b, 3.4.d, 3.5.1, b, c, 3.5.3, a, a, a, a, a, a, Vormetric s ability to encrypt structured and unstructured data means that it can protect the data whether it is in files or in databases. Using Vormetric Transparent Encryption an organization can encrypt application data files and log files that might have sensitive data such as cardholder payment data, as required in DSS Requirement 3. Vormetric Transparent Encryption directly supports secure storage of sensitive authentication data (SAD) as required by 3.2.b, for those issuers or others that must store SAD, by using strong cryptography with associated key management for encrypting files or volumes where SAD reside. Vormetric s ability to encrypt structured and unstructured data means that it can protect the data whether it is in flat files or in databases. 
While issuers and companies supporting issuers may have a legitimate business need for storing this data, merchants, service providers supporting merchants, and acquirers must never store sensitive authentication data after the payment transaction's authorization is processed.

Vormetric Transparent Encryption directly supports 3.4 by protecting stored data using strong cryptography with associated key management for encrypting the files or volumes where PANs reside (3.4.a). Databases are encrypted at the volume level (3.4.b). An organization can use Vormetric Transparent Encryption to encrypt log files that contain sensitive data, including PANs (3.4.d). The Vormetric solution eliminates the need for full-disk encryption (3.4.1) by encrypting at the volume level. However, if full-disk encryption that supports the standards-based KMIP (Key Management Interoperability Protocol) is deployed, the decryption keys can be securely stored with the Vormetric solution as outlined in 3.5 and 3.6 below.

While the user will need to document key-management procedures, Vormetric supports an organization's key-management procedures (3.5) by ensuring that encryption keys are protected as follows:

- Cryptographic keys are centrally generated and stored in the Data Security Manager (3.5.3). The actual keys are never visible to anyone, including key custodians or system administrators (3.5.1). By restricting access to keys and key-management activities and managing that access within the Vormetric Data Security Manager, Vormetric decouples these access rights from central access-management systems such as Active Directory, so privileged users such as system administrators and root are restricted unless access is explicitly granted by policy within Vormetric's Data Security Manager.
- Data encryption keys are encrypted with an AES 256-bit key. This encrypted key is stored securely on the Data Security Manager (DSM) (3.5.2.b), which is separate from the location where the data encryption key is used. If the option to cache data encryption keys on the local server is selected, in order to eliminate network latency, the local keys are also encrypted with an AES 256-bit key (3.5.2.c). Vormetric also offers an HSM option (3.5.2.b).

While the user must document the key-management processes used within their organization and ensure that key custodians understand and acknowledge their responsibilities, the Vormetric Data Security Platform supports compliance with the technical requirements associated with 3.6. The Vormetric Data Security Platform architecture is designed for strong cryptographic key management through a secure web management console or through APIs, providing 3.6 compliance as follows:

- Cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards (3.6.1.a). Clear-text keys never leave the DSM.
- When keys are distributed to agents, they are encrypted with a one-time-use AES 256 key and sent over a mutually authenticated TLS connection (3.6.2.a).
- The DSM provides a secure central repository for cryptographic keys and policies. Customers have the option to cache cryptographic keys on the host server. Vormetric's agents protect these keys from unauthorized access, even from root administrators. When keys are cached locally, they are protected with a wrapper key and are not accessible by any system user (3.6.3.a).
- Cryptographic keys can be changed by key custodians based upon the organization's crypto-period policies. When a key is retired by a custodian it can be permanently deleted. Key change procedures will need to include a process for re-encrypting data with new keys before making old keys obsolete (3.6.4.a).
- Cryptographic keys can be changed by key custodians when a key has been weakened or compromised; when a key is changed by a custodian it can be permanently deleted. Key change procedures will need to

include a process for re-encrypting data with new keys before making old keys obsolete (3.6.5.a).
- Manual clear-text cryptographic key management is not required by Vormetric. Custodians can create keys, but key values are not visible to the custodian. The DSM protects keys from any one person having access to key material by following a no-knowledge policy and configurable split-knowledge/dual-control policies (3.6.6.a). The DSM supports an m-of-n sharing scheme for backing up keys: a specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.
- Access control policies defined within the DSM control access to key creation and other key-management activities, restricting access to authorized key custodians only (3.6.7.a).

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: N/A
No controls in this PCI requirement are addressed by Vormetric.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: N/A
No controls in this PCI requirement are addressed by Vormetric. The Vormetric DSM is an appliance with a hardened Linux kernel and is generally not considered commonly affected by malicious software. However, when the software version of the DSM is deployed, anti-virus technology may be required. The Vormetric user should consult their QSA regarding their architecture and the appropriate technology for protecting against malware.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: N/A
No controls in this PCI requirement are addressed by Vormetric. The use of Vormetric should be taken into account when developing software that stores, processes, or transmits cardholder data. However, the controls surrounding the software development life cycle and systems vulnerability management are outside the scope of this paper.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.a, 7.1.1, 7.1.2.a, 7.1.3, 7.1.4, 7.2.2, 7.2.3
Vormetric directly supports 7.1.a by adding a layer of access control on top of the native operating system access control. It can also strengthen the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data. The solution enables least-privilege access without interfering with normal administrative operations by:

- Ensuring that cardholder data cannot be viewed by system administrators who do not have a need to know, while simultaneously ensuring that there is no interruption to data backup and other administrative processes. By leaving metadata in the clear,

but encrypting the underlying data, administrators can identify the files that require backup without being given access to the file contents (7.1.1).
- Enforcing policies that ensure privileged users, such as Administrator or root, are granted the access needed for their job responsibilities but are restricted from accessing cardholder data unless explicitly granted to meet a business need, thereby restricting access based on need to know (7.1.2.a).
- Enforcing policies that ensure individuals, applications and processes are given least-privilege access to cardholder data based on their job classification and business responsibilities, thereby restricting access based on need to know (7.1.3).

While the user will need to implement processes for approving requests for access, Vormetric supports this by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. With an organization's documented approval process, Vormetric policies can be configured to include release of encrypted contents for backup, decryption of contents based on need to know, and control of rights to the data file. Available audit records can be used to monitor granted or changed privileges to ensure that the documented process for granting access to cardholder data is enforced.

Vormetric directly supports 7.2 by setting access control parameters that define, through policies, which authorized users and applications are granted access to cardholder data stored on any server or storage device. Only users and applications that are part of authorized policies, which can be assigned based upon role or group membership (7.2.2), can access the data in clear text. (Administrators can be given access to the files containing cardholder data, but the data is not decrypted for them.) The default policy is to deny all access without explicit authorization through policies (7.2.3).

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.2.1.c, 8.2.1.e, 8.7.a, 8.7.b, 8.7.c, 8.7.d
Vormetric is independent of the system and network account and password controls required. Vormetric integrates with existing directory services (LDAP, Active Directory) to authenticate user IDs. All transmission of Vormetric authentication and key material takes place over a mutually authenticated TLS channel (8.2.1.c and 8.2.1.e). With Vormetric, direct access to data and database queries can be limited to database administrators only (8.7.c). Vormetric provides control at the file-system level, below the database. When a database is protected with Vormetric, all access to the data in the database must come from the database process (8.7.b). All other sources are denied access (8.7.a and 8.7.d). For example, an operating system super-user can be subject to a policy that prevents file copies and the ability to view the database contents.
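The default-deny, need-to-know model described under Requirements 7 and 8 (database process gets clear text, backup gets ciphertext only, metadata stays visible, everything else is denied), with each decision producing the 10.3.1 to 10.3.6 audit fields, as an added illustration that is not Vormetric's code or policy language; the rule fields, the user and process names, the path and the record layout are all assumptions.

```python
"""Added illustration, not Vormetric's code or policy language: a default-deny,
need-to-know guard point of the kind the matrix describes for 7.1.1, 7.1.3, 7.2.3
and 8.7, whose every decision yields an audit record carrying the 10.3.1-10.3.6
fields. Rule fields, user/process names and the record layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Optional, Tuple

# Effects: clear-text access; access to the still-encrypted bytes only (the
# 7.1.1 backup case: metadata visible, contents not decrypted); or denial.
CLEAR, ENCRYPTED, DENY = "clear", "encrypted", "deny"


@dataclass
class Request:
    user: str
    groups: frozenset
    process: str        # executable issuing the call, e.g. the database binary
    host: str
    path: str           # full path of the guarded file
    action: str         # "read", "write" or "metadata" (stat/list)
    when: datetime


@dataclass
class Rule:
    effect: str
    users: frozenset = frozenset()       # empty means any user
    groups: frozenset = frozenset()      # matches if any group overlaps
    processes: frozenset = frozenset()   # empty means any process
    actions: frozenset = frozenset()     # empty means any action
    path_prefix: str = "/"
    window: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, r: Request) -> bool:
        return (
            (not self.users or r.user in self.users)
            and (not self.groups or bool(self.groups & r.groups))
            and (not self.processes or r.process in self.processes)
            and (not self.actions or r.action in self.actions)
            and r.path.startswith(self.path_prefix)
            and (self.window is None or self.window[0] <= r.when.time() <= self.window[1])
        )


class GuardPoint:
    """Ordered rules over one protected tree; first match wins, no match denies (7.2.3)."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []   # constructed audit trail, one record per decision

    def evaluate(self, r: Request) -> str:
        effect = next((rule.effect for rule in self.rules if rule.matches(r)), DENY)
        self.audit.append({
            "user": r.user, "groups": sorted(r.groups),          # 10.3.1
            "event": r.action,                                    # 10.3.2
            "time": r.when.isoformat(),                           # 10.3.3
            "result": "deny" if effect == DENY else "permit",     # 10.3.4, plus
            "data_form": None if effect == DENY else effect,      # clear vs encrypted
            "origin": f"{r.process}@{r.host}",                    # 10.3.5
            "target": r.path,                                     # 10.3.6
        })
        return effect


def build_policy() -> GuardPoint:
    """Constructed policy for a database's cardholder files (names are illustrative)."""
    cde = "/data/cardholder/"
    return GuardPoint([
        # 8.7.b: only the database process, running as its service account, sees clear text.
        Rule(CLEAR, users={"oracle"}, processes={"oracle"},
             actions={"read", "write"}, path_prefix=cde),
        # 7.1.1: anyone may list files (metadata in the clear) without decrypting contents.
        Rule(ENCRYPTED, actions={"metadata"}, path_prefix=cde),
        # 7.1.1/7.1.3: the backup group copies ciphertext, and only in its nightly window.
        Rule(ENCRYPTED, groups={"backup"}, actions={"read"}, path_prefix=cde,
             window=(time(1, 0), time(5, 0))),
        # Everything else, root and ad-hoc tools included, falls through to DENY (8.7.a/d).
    ])


def request(user, groups, process, action, hour, path="/data/cardholder/pan.dbf") -> Request:
    """Builds a constructed request on host db01 at the given hour (UTC)."""
    return Request(user, frozenset(groups), process, "db01", path, action,
                   datetime(2014, 10, 1, hour, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    gp = build_policy()
    for req in (request("oracle", {"dba"}, "oracle", "read", 14),
                request("root", {"root"}, "cp", "read", 2),
                request("bkup", {"backup"}, "tar", "read", 2),
                request("root", {"root"}, "ls", "metadata", 14)):
        print(gp.evaluate(req), gp.audit[-1])
```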

Requirement 9: Restrict physical access to cardholder data
Controls addressed: none directly; see description
While not directly supporting requirement 9.8.2, Vormetric supplements other controls introduced to render retired hard drives unreadable. Should data not be adequately wiped from media, the data will not be viewable unless the Vormetric Data Security Manager is available to authorize the release of the decryption key for the data on that media.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.3, 10.5.5, and the other sub-controls cited in the description
Vormetric directly supports 10.1 by providing detailed logging at the file-system level. Any read/write or other access request for sensitive data can be audited, and the audit records contain information to track access back to a host machine, the directory, file or resource accessed, the specific user, user group, policy invoked, application and time.

Vormetric provides detailed auditing at the file-system level. Any read/write or other request for sensitive data can be audited, and the trails contain information to track access back to a specific user, application and time, including:

- Policies can be constructed to monitor individual access to cardholder data (10.2.1).
- By constructing policies to monitor individual access to cardholder data, access by individuals with root or administrative privileges is logged. Both failed and successful attempts to view card data are logged (10.2.2).
- Administrators of the Data Security Manager who are assigned the role of audit officer can access the audit trails, which are centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited (10.2.3).
- Through configuration to audit all denied access requests (10.2.4).
- By logging all key custodian activity (10.2.7).

Vormetric provides detailed auditing at the file-system level by generating audit entries that include:

- Username and group membership (10.3.1).
- Type of event (10.3.2).
- Date and time (10.3.3).
- Success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data (10.3.4).
- Origination of the event (10.3.5).
- Host and the full path to the file that was the target of the access request (10.3.6).

The DSM can be configured to synchronize with the organization's NTP server ( a).

Vormetric secures the audit trails it generates by:

- Ensuring that audit trails cannot be modified while they reside on the

Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric Transparent Encryption and access control ( & ).
- Providing an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a customer's centralized log server or event-management solution via syslog. In addition, this external log repository can be protected and safeguarded with the Vormetric solution (10.5.3).
- Ensuring log files cannot be modified while they reside on the Vormetric Data Security Manager. Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails (10.5.5).

The Vormetric Data Security Platform supports monitoring requirements by generating log reports for monitoring the daily activity of users accessing cardholder data ( b).

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.5.a, 11.5.b
While not file-integrity monitoring software that can alert on changes to all operating system and executable files, Vormetric generates audit information for unintended direct access to cardholder data and can be configured to generate alerts, thus providing integrity monitoring for cardholder data under its control and augmenting support for file-integrity monitoring (11.5.a and 11.5.b).

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
No controls in this PCI requirement are addressed by Vormetric.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: A.1.2.a, A.1.2.b, A.1.2.d
Vormetric can support a shared hosting provider's efforts to comply with requirement A.1.2, which restricts each entity's access to its own cardholder data environment only, by:

- Providing the shared hosting provider the capability to block all access to cardholder data and other sensitive data that is not explicitly granted, thus forbidding access to data by applications that might run as a privileged user (A.1.2.a).
- While Vormetric cannot enforce access controls for shared systems or directories, partially addressing requirement A.1.2.b by allowing the organization to establish read/write permissions that restrict access to sensitive data to only the owning entity.
- Providing the shared hosting provider the ability to protect the log files of various applications so that access is restricted to approved user accounts within the owning entity only (A.1.2.d).

Summary

Cloud computing and the threats to sensitive data, such as that covered by the Payment Card Industry under its Data Security Standard, are both evolving. The benefits and maturity of cloud computing, led by VMware and the Software Defined Data Center, have led VMware's customers and partners to host most, and increasingly all, of their enterprise applications on this platform. To answer that need, VMware and its Technology and Audit partners have delivered a set of documentation pertinent to mainstream regulations such as PCI DSS version 3.0. Internalizing the information in this document is the first step in understanding which VMware products can be leveraged, along with which features and capabilities must be considered. This document also provides the format in which VMware Technology Partners will publish Applicability Guides of their own, further completing the picture of the total controls addressed. VMware and select Technology Partners will co-author Architecture Design Guides highlighting the products asserted as 'Applicable' in this Guide and providing further guidance on how to design, configure and operate these products to mitigate risks. As a final step, VMware's audit partners will validate an environment built on these products and architectural design concepts to help ease the burden of QSA audits.

Acknowledgements

VMware would like to recognize the efforts of the VMware Center for Policy and Compliance, the VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v3.0 and the Reference Architecture described herein. The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit

Trademarks and Copyrights

The VMware products and solutions discussed in this document are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Solution area: VMware vCloud Infrastructure
Key products: VMware ESXi, VMware vSphere, VMware vShield Endpoint, VMware vRealize Server and VMware vCloud Director

Solution area: VMware vCloud Networking and Security
Key products: VMware vCloud Networking and Security App, VMware vCloud Networking and Security Data Security, VMware vCloud Networking and Security Edge Gateway, VMware vCloud Networking and Security Manager

Solution area: VMware NSX
Key products: VMware NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer

Solution area: VMware vRealize Operations (formerly vCenter)
Key products: VMware vRealize Operations Manager, VMware vRealize Configuration Manager, VMware vRealize Infrastructure Navigator, VMware vRealize Orchestrator, VMware vRealize Update Manager, VMware vRealize Automation Center, VMware vRealize Log Insight

VMware, Inc., Hillview Avenue, Palo Alto, CA, USA. Tel Fax

Copyright 2014 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW_1404_WP_Vormetric Addendum PAG-PCIv3.0 10/14


More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...

More information

Trend Micro Cloud Protection

Trend Micro Cloud Protection A Trend Micro White Paper August 2015 Trend Micro Cloud Protection Security for Your Unique Cloud Infrastructure Contents Introduction...3 Private Cloud...4 VM-Level Security...4 Agentless Security to

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director

Thoughts on PCI DSS 3.0. D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Thoughts on PCI DSS 3.0 D. Timothy Hartzell CISSP, CISM, QSA, PA-QSA Associate Director Agenda 1 2 3 Global Payment Card Statistics and Trends PCI DSS Overview PCI DSS Version 3.0: Important Timelines

More information

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

www.clickndecide.com Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on! Business Application Intelligence White Paper The V ersatile BI S o l uti on! Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas December 1, 2009 Sales Office: 98, route de la Reine - 92100

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

Net Report s PCI DSS Version 1.1 Compliance Suite

Net Report s PCI DSS Version 1.1 Compliance Suite Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are

More information

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014

Are You Ready For PCI v 3.0. Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

VMware vcloud Powered Services

VMware vcloud Powered Services SOLUTION OVERVIEW VMware vcloud Powered Services VMware-Compatible Clouds for a Broad Array of Business Needs Caught between shrinking resources and growing business needs, organizations are looking to

More information

PowerBroker for Windows

PowerBroker for Windows PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...

More information

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage

VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom:

More information

VMware Solutions for Small and Midsize Business

VMware Solutions for Small and Midsize Business SOLUTION BRIEF VMware Solutions for Small and Midsize Business Protect Your Business, Simplify and Save on IT, and Empower Your Employees AT A GLANCE VMware is a leader in virtualization and cloud infrastructure

More information

The Sumo Logic Solution: Security and Compliance

The Sumo Logic Solution: Security and Compliance The Sumo Logic Solution: Security and Compliance Introduction With the number of security threats on the rise and the sophistication of attacks evolving, the inability to analyze terabytes of logs using

More information

Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard Partner Addendum Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware certified

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard Partner Addendum RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified professionals

More information

McAfee Acquires NitroSecurity

McAfee Acquires NitroSecurity McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility

More information

CyberSource Payment Security. with PCI DSS Tokenization Guidelines

CyberSource Payment Security. with PCI DSS Tokenization Guidelines CyberSource Payment Security Compliance The PCI Security Standards Council has published guidelines on tokenization, providing all merchants who store, process, or transmit cardholder data with guidance

More information

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation

Securing the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns

More information

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

What s New in PCI DSS 2.0. 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 What s New in PCI DSS 2.0 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1 Agenda PCI Overview PCI 2.0 Changes PCI Advanced Technology Update PCI Solutions 2010 Cisco and/or

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application

More information

VMware Integrated Partner Solutions for Networking and Security

VMware Integrated Partner Solutions for Networking and Security VMware Integrated Partner Solutions for Networking and Security VMware Integrated Partner Solutions for Security and Compliance VMware vcloud Networking and Security is the leading networking and security

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security

Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security WHITE PAPER August 2011 Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security HYTRUST AND TREND MICRO DEEP SECURITY TOC Contents Virtualization

More information

Navigate Your Way to PCI DSS Compliance

Navigate Your Way to PCI DSS Compliance Whitepaper Navigate Your Way to PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) is a series of IT security standards that credit card companies must employ to protect cardholder

More information

HIPAA/HITECH Compliance Using VMware vcloud Air

HIPAA/HITECH Compliance Using VMware vcloud Air Last Updated: September 23, 2014 White paper Introduction This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

PROTECTING DATA IN MULTI-TENANT CLOUDS

PROTECTING DATA IN MULTI-TENANT CLOUDS 1 Introduction Today's business environment requires organizations of all types to reduce costs and create flexible business processes to compete effectively in an ever-changing marketplace. The pace of

More information

Adyen PCI DSS 3.0 Compliance Guide

Adyen PCI DSS 3.0 Compliance Guide Adyen PCI DSS 3.0 Compliance Guide February 2015 Page 1 2015 Adyen BV www.adyen.com Disclaimer: This document is for guidance purposes only. Adyen does not accept responsibility for any inaccuracies. Merchants

More information

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief RSA Encryption and Key Management Suite The threat of experiencing a data breach has never been greater. According to the Identity Theft Resource Center, since the beginning of 2008, the personal information

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

Vormetric Data Security Platform Data Sheet

Vormetric Data Security Platform Data Sheet Vormetric Data Security Platform Data Sheet The makes it efficient to manage data-at-rest security across an entire organization. The Vormetric Data Security Platform is a broad set of products that share

More information

PCI DSS and the A10 Solution

PCI DSS and the A10 Solution WHITE PAPER PCI DSS and the A10 Solution How Cloud Service Providers Can Achieve PCI Compliance with A10 Thunder ADC and vthunder Table of Contents The Challenge of PCI Compliance... 3 Overview of PCI

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

WHITE PAPER. PCI Basics: What it Takes to Be Compliant WHITE PAPER PCI Basics: What it Takes to Be Compliant Introduction A long-running worldwide advertising campaign by Visa states that the card is accepted everywhere you want to be. Unfortunately, and through

More information

The governance IT needs Easy user adoption Trusted Managed File Transfer solutions

The governance IT needs Easy user adoption Trusted Managed File Transfer solutions Product Datasheet The governance IT needs Easy user adoption Trusted Managed File Transfer solutions Full-featured Enterprise-class IT Solution for Managed File Transfer Organizations today must effectively

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By: Peter Spier Managing Director PCI and Risk Assurance Fortrex Technologies Agenda Instructor Biography Background On

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information