VMware EUC Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
VMware EUC Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
July 2015, v1.0
TECHNICAL WHITE PAPER

This is the first document in the Compliance Reference Architecture for PCI. You can find more information on the framework and download the additional documents from the PCI solutions resources tab on VMware Solution Exchange here: vmware-pci-compliance-and-cyber-risk-solutions#.vwcfyk9vhbc
Table of Contents

Executive Summary
Introduction
Overview of PCI as it Applies to End-User Computing Environments
Summary of Relevant Changes from PCI DSS 2.0 to 3.0
Cloud Computing
Where to Start - Considerations for Management, IT and Auditors
  VMware-Specific Assessment Considerations
  Management/Business Considerations
  IT Considerations
  Audit Considerations
Guidance from the Payment Card Industry Security Standards Council
VMware Technologies and PCI
VMware PCI Requirements Matrix (Overview)
VMware PCI Requirements Matrix (End User Computing)
  End User Computing
  VMware Horizon
  VMware Horizon View
  VMware Horizon Mirage
  Horizon Workspace Portal
  VMware Horizon Air
Summary
Acknowledgements
About Coalfire
Disclaimer

VMware, Inc. 3401 Hillview Avenue, Palo Alto, CA 94304 USA. Tel 877-486-9273, Fax 650-427-5001, www.vmware.com
Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http:// [...] marks and names mentioned herein may be trademarks of their respective companies.
Design Subject Matter Experts

The following people provided key input into this design.

Name | Address | Role/Comments
Nick Trenc | | Consultant, Coalfire
Satnam Purewal | | Associate, Coalfire

Trademarks

The VMware products and solutions discussed in this document are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at [...] States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Solution Area | Key Products
VMware vCloud Infrastructure | VMware ESXi, VMware vSphere, VMware vShield Endpoint, VMware vRealize Server and VMware vCloud Director
VMware vCloud Networking and Security | VMware vCloud Networking and Security App, VMware vCloud Networking and Security Data Security, VMware vCloud Networking and Security Edge Gateway, VMware vCloud Networking and Security Manager
VMware NSX | VMware NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer
VMware vRealize Operations (formerly vCenter Operations Management Suite) | VMware vRealize Operations Manager, VMware vRealize Configuration Manager, VMware vRealize Infrastructure Navigator, VMware vRealize Orchestrator, VMware vCenter Update Manager, VMware vRealize Automation Center, VMware vRealize Log Insight, VMware vRealize Operations for Horizon
VMware End User Computing | VMware Horizon Enterprise Edition, VMware Horizon with View Edition, VMware Horizon Client, VMware Mirage, VMware Workspace Portal, VMware App Volumes
Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as primary account numbers (PAN), as well as any other information that has been defined as cardholder data by the PCI DSS. The use of cloud computing resources must also be scrutinized by the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, a consolidated management plane, etc.) themselves necessitate that adequate controls are adopted to help meet PCI DSS controls. PCI considerations are essential for assessors to help them understand what they might need to know about an environment in order to be able to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the infrastructure and the applications running in that environment.

Any enterprise computing environment that contains cardholder data elements is subject to PCI DSS compliance.
Many of those environments that deal in any kind of financial transaction for exchanging goods and services rely on VMware and VMware Technology Partner solutions to deliver those enterprise computing environments. As such, these enterprises seek ways to reduce overall IT budget while maintaining an appropriate overall risk posture for the in-scope environment. One of the greatest challenges in hosting the next generation enterprise computing environment is consolidating the many modes of trust required, such as those for a Cardholder Data Environment (CDE) and a Non-Cardholder Data Environment.

For these reasons VMware has enlisted its audit partner Coalfire, a PCI DSS approved Qualified Security Assessor (QSA), to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing PCI DSS controls. The next two documents that, together with this guide, comprise the PCI DSS reference architecture are the Architecture Design Guide and the Validated Reference Architecture. These will provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS, as well as a lab validation exercise analyzing an instance of this reference architecture which utilizes the concepts and approaches outlined therein. For more information on these documents and the general approach to compliance issues, please review VMware Compliance & Cyber Risk Solutions.
In addition, VMware and Coalfire are engaged with VMware Technology Partners to analyze their products and solutions (available on the VMware Solution Exchange) with the goal of providing continuing examples to the industry. In an ongoing effort, VMware and Coalfire will utilize this information to create new "joint" reference architectures based on the VMware reference architecture for PCI DSS, where partner products and solutions are combined and auditor validated to further ease adoption for CIOs, IT managers, architects, IT auditors and security practitioners involved with a VMware vCloud Suite based cloud computing architecture. See Figure 2 in this document for the compliance solution categories.

This study investigated different applications available to organizations that use (or are considering using) virtualization and cloud to support a mixed-mode virtual environment. To that end, Coalfire highlighted the specific PCI DSS requirements these applications address, and recommends an approach for organizations and their QSAs or Internal Security Assessors (ISAs) to test their compliance with PCI DSS v3.0. It has been reviewed and authored by our staff of Qualified Security Assessors in conjunction with VMware.

If you have any comments regarding this whitepaper, we welcome any feedback at VMware@coalfire.com or compliance-solutions@vmware.com.

Introduction

Compliance and security issues continue to be top concerns for organizations that plan to move any or all of their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware private cloud" by providing helpful information for VMware architects, the compliance community, and third parties.
The 2013 PCI Private Cloud Use Case is focused on enterprises wishing to build out a private cloud computing environment for hosting applications that may be subject to a PCI DSS audit. This guide is focused on 5 groups of technologies used to build architectures and operating models in order to support this goal. Those 5 groups are:

- Cloud Infrastructure
- Cloud Infrastructure Management
- Cloud Networking and Security
- Network and Security Virtualization
- End User Computing

The private cloud use case also provides readers with a mapping of the specific PCI 3.0 requirements to VMware's product suites, products, and partner solutions contained in those 5 groups. While every cloud is unique, VMware and 3rd party solutions can provide capabilities that address approximately 80% of PCI technical requirements for compliance. Figure 1 shows the proportion of technical requirements addressed by VMware in relation to the total number of requirements that are non-technical or an organizational responsibility.

[Figure 1: PCI DSS Requirements and VMware. Chart categories: PCI Requirements, Organization Responsibility, VMware Technical Products, Partner Solutions.]

Figure 2 identifies capability measures with respect to protection, integrity, and availability that make up a trusted cloud implementation. The graphic illustrates the specific categories that VMware and partner solutions are able to address. Each section of the graphic represents a general category of enablement. The alignment of VMware and partner technologies with these categories assists with the matching of specific technologies to the controls and the intent that the controls are designed to address.
[Figure 2: VMware + Partner Product Capabilities for a Trusted Cloud]

Due to the common capabilities of the VMware products and features across all of the PCI use cases, understanding the relationship of these products and features with the PCI guidance and requirements is fundamental and most broadly accommodated in this document. More specific guidance is provided in the Architectural Design Guide, where design suggestions are provided to illustrate how VMware EUC solutions can enable controls to address PCI requirements within various use cases. The PCI DSS guidance, requirements and testing procedures are designed for use during PCI DSS compliance assessments as part of an entity's validation process. The PCI DSS is intended to provide the minimum set of requirements necessary to protect cardholder data; the information it is designed to protect is defined by the PCI DSS requirements themselves. Because it is a minimum requirement, it is recommended that entities that handle cardholder data implement additional controls and practices to further mitigate risks. Moreover, many entities requiring adherence to PCI requirements may also be required to implement controls relevant to other regulatory and governance requirements. The combined capabilities of VMware and the VMware Partner network provide the means to address the requirements in a cohesive way. The PCI requirements implemented in a common VMware End User Computing architecture open up opportunities for tighter control and greater agility.

Overview of PCI as it Applies to End-User Computing Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their operating regulations that any merchant or service provider must be PCI compliant.
Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the Payment Card Industry Data Security Standard (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.

The PCI DSS has six categories with twelve total requirements as outlined below:
[Figure 3: PCI Data Security Standard]

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, "Navigating PCI DSS". These documents were intended to clarify that virtual components should be considered as "components" for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, "PCI DSS Virtualization Guidelines", released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

[Figure 4: Navigating PCI DSS]

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

Note: VMware solutions are designed to help organizations address various regulatory compliance requirements.
This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of the PCI DSS (Data Security Standard) 3.0, while little additional guidance has been released with regard to virtualization specifically, there have been a number of enhancements and clarifications that may potentially have significant design and operational considerations above and beyond those which were required for compliance with the PCI DSS 2.0. It should be noted that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in version 2.0; rather, they are simply additions, enhancements, and clarifications. An updated "Navigating PCI DSS" document for version 3.0 has not been released by the PCI SSC (Security Standards Council) as of the time of this writing.

With every iteration of the PCI DSS and the associated changes and updates, particularly when new requirements are presented, organizations are given additional time to implement these controls through the "Sunrise" process. Entities could choose to manage their cardholder data environments under the PCI DSS 2.0 up until December 31, 2014, after which all PCI DSS programs and audits must adhere to version 3.0. Additionally, many of the new requirements under the PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.
[Figure 5: PCI DSS 3.0 Changes and Updates]

Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the Payment Card Industry, and the need to focus more on a risk-based approach and deal with the threats and associated risks which most commonly lead to incidents involving the compromise of cardholder data. Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. It should also be noted that with increased guidance and flexibility in the standard and individual controls, a greatly increased level of stringency is required in the validation of those controls and the risk-based approach to managing PCI DSS requirements. At a high level, the updates to version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS and PA-DSS requirements
- Building greater understanding on the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the Standards
- Driving more consistency among assessors
- Helping manage evolving risks/threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

We also have several key themes around managing PCI DSS 3.0 and taking a proactive business-as-usual approach to protecting cardholder data, focusing primarily on security as opposed to pure compliance, which have been updated in the latest version and for which the PCI Security Standards Council has provided guidance. The following guidance has been released by the Council regarding these high-level concepts and how they apply to PCI DSS 3.0. From the "PCI DSS Version 3.0 Change Highlights" document:

Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility
Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise (such as weak passwords and authentication methods, malware, and poor self-detection), providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities' PCI DSS responsibilities when working with different business partners to ensure cardholder data security.
The following table presents the high-level summary of specific changes, updates, and clarifications from PCI DSS 2.0 to 3.0:

General Changes Implemented Throughout the PCI DSS Requirements

Change | Type
New column to describe the intent of each requirement, with content derived from the former Navigating PCI DSS guidance document. The guidance in this column is intended to assist understanding of the requirements and does not replace or extend the PCI DSS requirements and testing procedures. | Additional Guidance
For the security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2), assigned a new requirement number and moved requirements and testing procedures into each of Requirements 1-11. | Clarification
Updated language in requirements and/or corresponding testing procedures for alignment and consistency. | Clarification
Separated complex requirements/testing procedures for clarity and removed redundant or overlapping testing procedures. | Clarification
Enhanced testing procedures to clarify the level of validation expected for each requirement. | Clarification

Other general editing changes include:
- Removed the following columns: "In Place", "Not in Place" and "Target Date/Comments".
- Renumbered requirements and testing procedures to accommodate changes.
- Reformatted requirements and testing procedures for readability, e.g. content from paragraphs reformatted to bullet points.
- Made minor wording changes throughout for readability.
- Corrected typographical errors.

Table 1: General Changes Implemented Throughout the PCI DSS Requirements

Table 2 outlines the summary changes from PCI DSS version 2.0 to version 3.0.
Section (PCI DSS v2.0) | Section (PCI DSS v3.0) | Change | Type
PCI DSS Applicability Information | PCI DSS Applicability Information | Clarified that SAD must not be stored after authorization even if there is no PAN in the environment. | Clarification
Relationship between PCI DSS and PA-DSS | Relationship between PCI DSS and PA-DSS | Clarified that all applications that store, process, or transmit cardholder data are in scope for an entity's PCI DSS assessment, even if PA-DSS validated. Clarified PCI DSS applicability to payment application vendors. | Clarification
Scope of Assessment for Compliance with PCI DSS Requirements | Scope of PCI DSS Requirements | Added examples of system components, and added guidance about how to accurately determine the scope of the assessment. Clarified the intent of segmentation. Clarified responsibilities of both the third party and their customers for scoping and coverage of PCI DSS requirements, and clarified the evidence that third parties are expected to provide for their customers to be able to verify the scope of the third party's PCI DSS assessment. | Additional Guidance
 | Implementing PCI DSS into Business-as-Usual Processes | New section to provide "business as usual" guidance for implementing security into business-as-usual (BAU) activities to maintain on-going PCI DSS compliance. Note that this section includes recommendations and guidance only, not new PCI DSS requirements. | Additional Guidance
 | Assessment Procedures | Added new heading to separate the PCI DSS scoping section from the sampling section. | Clarification
Sampling of Business Facilities/System Components | For Assessors: Sampling of Business Facilities/System Components | Enhanced sampling guidance for assessors. | Additional Guidance
Instructions and Content for Report on Compliance | Instructions and Content for Report on Compliance | Former content relocated to separate documents: PCI DSS ROC Template and PCI DSS ROC Reporting Instructions. | Clarification
PCI DSS Compliance Completion Steps | PCI DSS Assessment Process | Updated section to focus on the assessment process rather than documentation. | Clarification
Detailed PCI DSS Requirements and Security Assessment Procedures | Detailed PCI DSS Requirements and Security Assessment Procedures | At the start of this section, added language to define the column headings in this section, and removed references to the "In Place", "Not In Place" and "Target Date/Comments" columns. | Clarification

Table 2: Summary Changes

Table 3 outlines the requirement changes from PCI DSS version 2.0 to version 3.0.

Requirement (v2.0) | Requirement (v3.0) | Change | Type

PCI DSS - Requirement 1
1.1.x | 1.1.x | Clarified that firewall and router standards have to be both documented and implemented. | Clarification
 | | Clarified what the network diagram must include and added new requirement at 1.1.3 for a current diagram that shows cardholder data flows. | Evolving Requirement
 | | Clarified examples of insecure services, protocols, and ports to specify SNMP v1 and v2. | Clarification
 | | Clarified that the intent of securing router configuration files is to secure them from unauthorized access. | Clarification
 | | Clarified that the intent of controlling traffic between wireless networks and the CDE is to "permit only authorized traffic." | Clarification
 | | Clarified that the intent of the requirement is that anti-spoofing measures are implemented to detect and block forged source IP addresses from entering the network. | Clarification
 | | Aligned language between requirement and testing procedures for consistency. | Clarification

PCI DSS - Requirement 2
 | | Clarified that the requirement for changing vendor default passwords applies to all default passwords, including systems, applications, security software, terminals, etc., and that unnecessary default accounts are removed or disabled. | Clarification
 | | Clarified that the intent of the requirement is for all wireless vendor defaults to be changed at installation. | Clarification
 | | Clarified that system configuration standards include procedures for changing all vendor-supplied defaults and unnecessary default accounts. | Clarification
 | | Split requirement at 2.2.2 into two requirements to focus separately on necessary services, protocols and ports (2.2.2), and secure services, protocols, and ports (2.2.3). | Clarification
 | 2.4 | New requirement to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards. | Evolving Requirement

PCI DSS - Requirement 3
 | | Combined requirement 3.1.1 and testing procedures into requirement 3.1 to clarify and reduce redundancy. | Clarification
 | | Clarified, if sensitive authentication data is received, that it is rendered unrecoverable upon completion of the authorization process. Clarified testing procedures for companies that support issuing services and store sensitive authentication data. | Clarification
 | | Clarified the intent of the requirement for masking PANs by consolidating the former note into the body of the requirement, and enhancing testing procedures. | Clarification
 | | Clarified that logical access for disk encryption must be managed separately and independently of the native operating system authentication and access control mechanisms, and that decryption keys must not be associated with user accounts. | Clarification
 | | Clarified that key management procedures have to be both implemented and documented. | Clarification
 | | Split requirement 3.5.2 into two requirements to focus separately on storing cryptographic keys in a secure form (3.5.2), and in the fewest possible locations (3.5.3). Requirement 3.5.2 also provides flexibility with more options for secure storage of cryptographic keys. | Clarification
3.6.x | 3.6.x | Added testing procedures to verify implementation of cryptographic key management procedures. | Clarification
 | | Clarified principles of split knowledge and dual control. | Clarification

PCI DSS - Requirement 4
 | | Aligned language between requirement and testing procedures for consistency. Also expanded the examples of open, public networks. | Clarification

PCI DSS - Requirement 5
Requirement 5 - General | | Title updated to reflect the intent of the requirement (to protect all systems against malware). | Clarification
 | | New requirement to evaluate evolving malware threats for any systems not considered to be commonly affected by malicious software. | Evolving Requirement
 | | Aligned language between requirement and testing procedures for consistency. | Clarification
 | | New requirement to ensure that anti-virus solutions are actively running (formerly in 5.2), and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis. | Evolving Requirement

PCI DSS - Requirement 6
 | | Switched the order of requirements 6.1 and 6.2. Requirement 6.1 is now for identifying and risk ranking new vulnerabilities and 6.2 is for patching critical vulnerabilities. Clarified how the risk ranking process (6.1) aligns with the patching process (6.2). | Clarification
 | | See above explanation for 6.1. Also, clarified that this requirement applies to "applicable" patches. | Clarification
 | | Added a note to clarify that the requirement for written software development processes applies to all internally-developed software and bespoke software. | Clarification
 | | Changed "pre-production" to "development/test" to clarify the intent of the requirement. | Clarification
 | | Enhanced testing procedures to include document reviews for all requirements at 6.4.1 through ... | Clarification
 | | Aligned language between requirement and testing procedures to clarify that separation of production/development environments is enforced with access controls. | Clarification
 | | Updated developer training to include how to avoid common coding vulnerabilities, and to understand how sensitive data is handled in memory. | Clarification
6.5.x | 6.5.x | Updated requirements to reflect current and emerging coding vulnerabilities and secure coding guidelines. Updated testing procedures to clarify how the coding techniques address the vulnerabilities. | Clarification
 | | New requirement for coding practices to protect against broken authentication and session management. Effective July 1, 2015. | Evolving Requirement
 | | Increased flexibility by specifying an automated technical solution that detects and prevents web-based attacks rather than a "web-application firewall". Added a note to clarify that this assessment is not the same as the vulnerability scans required at 11.2. | Clarification

PCI DSS - Requirement 7
 | | Reworded testing procedure to clarify what the policy includes, based on changes to requirements 7.1.1 through ... | Clarification
 | | New 7.1.1 to cover definition of access needs for each role, to support requirements 7.1.2 through ... | Clarification
 | | Refocused requirement on restriction of privileged user IDs to the least privileges necessary, and enhanced testing procedures. | Clarification
 | | Refocused requirement on assignment of access based on the individual's job classification and function. | Clarification
 | | Removed former requirement 7.1.4 (covered in Requirement 7.2). | Clarification

PCI DSS - Requirement 8
Requirement 8 - General | | Title updated to reflect the intent of the requirement (identify and authenticate all access to system components). Updated and reorganized requirements to provide a more holistic approach to user authentication and identification: focused 8.1 on user identification; focused 8.2 on user authentication (updated requirements to consider methods of authentication other than passwords; changed "passwords" to "passwords/phrases" where the requirement only applies to passwords/phrases; changed "passwords" to "authentication credentials" where the requirement applies to any type of authentication credential; clarified that password security requirements apply to accounts used by third party vendors). | Clarification
 | | Clarified that the requirement for remote vendor access applies to vendors who access, support or maintain system components, and that it should be disabled when not in use. | Clarification
 | | Clarified that strong cryptography must be used to render authentication credentials unreadable during transmission and storage. | Clarification
 | | Clarified that user identity must be verified before modifying authentication credentials, and added provisioning new tokens and generating new keys as examples of modifications. | Clarification
 | | Combined minimum password complexity and strength requirements into a single requirement, and increased flexibility for alternatives that meet the equivalent complexity and strength. | Evolving Requirement
 | | Clarified that the requirement for two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance. | Clarification
 | | Enhanced requirement to include documenting and communicating guidance for how users should protect their authentication credentials, including password/phrase reuse and changing the password/phrase if there is suspicion that it has been compromised. | Clarification
 | | New requirement for service providers with remote access to customer premises to use unique authentication credentials for each customer. Effective July 1, 2015. | Evolving Requirement
 | 8.6 | New requirement where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.) that the mechanisms must be linked to an individual account and ensure only the intended user can gain access with that mechanism. | Evolving Requirement
 | | Aligned language between requirement and testing procedures for consistency. | Clarification
15 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV3.0 CHANGE PCIDSSGREQUIREMENT9 TYPE Clarifiedintentoftherequirementistoimplementphysicaland/or logicalaccesscontrolstoprotectpublicallyyaccessiblenetworkjacks. Clarification 9.2.x 9.2.x Clarifiedtheintentoftherequirementtoidentify,distinguishbetween, andgrantaccesstoonsitepersonnelandvisitors,andthatbadgesare justoneoption(theyarenotrequired). Clarification 9.3 Newrequirementtocontrolphysicalaccesstosensitiveareasforonsite personnel,includingaprocesstoauthorizeaccess,andrevokeaccess immediatelyupontermination. Evolving Requirement 9.3.x 9.4.x Alignedlanguagebetweenrequirementandtestingproceduresfor consistencyandtoclarifythatvisitorsmustbeescortedatalltimes, andthattheaudittrailofvisitoractivitymustincludeaccesstothe facility,computerroom,and/ordatacenter. Clarification Formerrequirement9.6movedandrenumberedto9.5,andformer requirement9.5renumberedassubyrequirement Formerrequirement9.7renumberedto9.6,andformerrequirement 9.8renumberedassubYrequirement Formerrequirement9.9renumberedto9.7,andformerrequirement 9.10renumberedto9.8. Clarification 9.9.x Newrequirementstoprotectdevicesthatcapturepaymentcarddata viadirectphysicalinteractionwiththecardfromtamperingand substitution. EffectiveJuly1,2015 PCIDSSGREQUIREMENT10 Clarifiedthataudittrailsshouldbeimplementedtolinkaccessto systemcomponentstoeachindividualuser,ratherthanjust establishingaprocess. Clarifiedtheintentisforallindividualuseraccesstocardholder datatobeincludedintheaudittrails. Enhancedrequirementtoincludechangestoidentificationand authenticationmechanisms(includingcreationofnewaccounts,elevation ofprivileges),andallchanges,additionsanddeletionstoaccountswith rootoradministrativeaccess. 
Evolving Requirement Clarification Clarification Evolving Requirement Enhancedrequirementtoincludestoppingorpausingoftheauditlogs x PCIDSSGRequirement x 11.1.x Clarifiedtheintentoflogreviewsistoidentifyanomaliesorsuspicious activity,andprovidedmoreguidanceaboutscopeofdailylogreviews. Alsoallowedmoreflexibilityforreviewofsecurityeventsandcritical systemlogsdailyandotherlogseventsperiodically,asdefinedbythe entity sriskmanagementstrategy. Enhancedrequirementtoincludeaninventoryofauthorizedwireless accesspointsandabusinessjustification(11.1.1)tosupportscanning forunauthorizedwirelessdevices,andaddednewrequirement toalignwithanalreadyyexistingtestingprocedure,forincident responseproceduresifunauthorizedwirelessaccesspointsare detected. Evolving Requirement Clarification Evolving Requirement VMwareProductApplicabilityGuide/15 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
16 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) REQUIREMENT PCIDSSV2.0 PCIDSSV CHANGE Addedguidanceoncombiningmultiplescanreportsinordertoachieve anddocumentapassingresult. Clarifiedthatquarterlyinternalvulnerabilityscansincluderescansas neededuntilall high vulnerabilities(asidentifiedbypcidss Requirement6.1)areresolved,andmustbeperformedbyqualified personnel. Clarifiedthatexternalvulnerabilityscansincluderescansasneeded untilpassingscansareachieved,andaddedanotetorefertotheasv ProgramGuide. TYPE Additional Guidance Clarification Clarification Clarifiedthatinternalandexternalscansperformedaftersignificant changesincluderescansasneededuntilall high vulnerabilities(as identifiedbypcidssrequirement6.1)areresolved,andmustbe performedbyqualifiedpersonnel. Clarification 11.3 Newrequirementtoimplementamethodologyfor penetrationtesting. EffectiveJuly1,2015.PCIDSSv2.0requirementsforpenetration testingmustbefolloweduntilv3.0isinplace. Evolving Requirement Splitformerrequirement11.3into11.3.1forexternalpenetration testingrequirementsand11.3.2forinternalpenetrationtesting requirements. Clarification Newrequirementcreatedfromformertestingprocedure(11.3.b)to correctexploitablevulnerabilitiesfoundduringpenetrationtestingand repeattestingtoverifycorrections. Clarification Newrequirement,ifsegmentationisusedtoisolatetheCDEfromother networks,toperformpenetrationteststoverifythatthesegmentation methodsareoperationalandeffective.. Evolving Requirement IncreasedflexibilitybyspecifyingintrusionNdetectionand/orintrusion preventiontechniquestodetectand/orpreventintrusionsinthenetwork ratherthan intrusionydetectionsystemsand/orintrusionyprevention systems. Increasedflexibilitybyspecifyingchangedetection mechanismratherthan fileintegritymonitoring. 
Clarification Clarification Newrequirementtoimplementaprocesstorespondtoanyalerts generatedbythechangeydetectionmechanism(supports11.5) PCIDSSGREQUIREMENT12 Evolving Requirement ,2.5, 3.7,4.3, 5.4,6.7, 7.3,8.8, 9.10,10.8, 11.6 Combinedformerrequirementsat12.1.1(fortheinformationsecurity policytoaddressallpcidssrequirements)and 12.2(foroperationalsecurityprocedures),andmovedtheminto Requirements1through11,asarequirementineach. Clarification Movedformerrequirement12.1.3to Clarification Movedformerrequirement12.1.2foranannualriskassessmentprocess to12.2,andclarifiedthattheriskassessmentshouldbeperformedat leastannuallyandaftersignificantchangestotheenvironment. Evolving Requirement VMwareProductApplicabilityGuide/16 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
17 VMware EUCProductApplicabilityGuideforPaymentCardIndustryDataSecurityStandard(PCIDSS) PCIDSSV2.0 REQUIREMENT PCIDSSV3.0 CHANGE TYPE Clarifiedthat labeling isanexampleofamethodtobeused. Clarification Newtestingproceduretoverifypolicyisimplementedfor disconnectingremoteaccesssessionsafteraspecificperiodof inactivity. Alignedlanguagebetweenrequirementandtestingproceduresto clarifythat,wherethereisanauthorizedbusinessneedforpersonnelto accesscardholderdataviaremoteyaccesstechnologies,thedatamust beprotectedinaccordancewithallapplicablepcidssrequirements. Clarification Clarification Clarifiedintenttoimplementandmaintainpoliciesandproceduresto manageserviceproviderswithwhichcardholderdataisshared,orthat couldaffectthesecurityofcardholderdata. Clarification Clarifiedtheapplicableresponsibilitiesfortheserviceprovider swritten agreement/acknowledgement. NewrequirementtomaintaininformationaboutwhichPCIDSS requirementsaremanagedbyeachserviceprovider,andwhichare managedbytheentity. Newrequirementforserviceproviderstoprovidethewritten agreement/acknowledgmenttotheircustomersasspecifiedat requirement12.8. EffectiveJuly1,2015 Clarification Evolving Requirement Evolving Requirement 12.9.x x Renumberedrequirementandupdated toclarifytheintentisfor alertsfromsecuritymonitoringsystemstobeincludedintheincident responseplan. Clarification Table3:RequirementChanges VMwareProductApplicabilityGuide/17 VMware,Inc.3401HillviewAvenuePaloAltoCA94304USATel877G486G9273Fax650G427G5001www.vmware.com Copyright 2015VMware,Inc.Allrightsreserved.ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.VMwareproductsarecoveredbyone ormorepatentslistedathttp:// marksandnamesmentionedhereinmaybetrademarksoftheirrespectivecompanies.
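The Requirement 11 rows above replace "file-integrity monitoring" with the broader "change-detection mechanism" (11.5) and add a mandatory process for responding to its alerts (11.5.1). The following is an added example, not code from the VMware guide or from Coalfire, of what the smallest such mechanism and response step look like in practice. Everything in it is an assumption for illustration: the monitored tree, file names and the "change ticket" are constructed inline, and the fingerprint is SHA-256 of file content joined with the permission bits, so that a chmod (for example an added setuid bit) is caught as well as an edit.

```python
"""Change detection with alert triage, in the spirit of PCI DSS v3.0 11.5/11.5.1.

Added example; not code from the VMware guide or from Coalfire. The directory
tree, file names and change ticket below are constructed for the demo. A real
deployment would persist the baseline off-host and route escalated alerts into
the incident response process rather than returning them from a function.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str    # "added", "modified" or "removed"
    path: str    # path relative to the monitored root
    detail: str  # fingerprint(s) involved, for the analyst


def fingerprint(path):
    """SHA-256 of content, joined with the mode bits, e.g. '<hex>:0644'."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    mode = os.stat(path).st_mode & 0o7777
    return f"{digest.hexdigest()}:{mode:04o}"


def build_baseline(root):
    """Map every regular file under root to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots into a list of Alert objects (current paths sorted,
    then removed paths sorted)."""
    alerts = []
    for rel in sorted(current):
        if rel not in baseline:
            alerts.append(Alert("added", rel, current[rel]))
        elif baseline[rel] != current[rel]:
            alerts.append(Alert("modified", rel, f"{baseline[rel]} -> {current[rel]}"))
    for rel in sorted(set(baseline) - set(current)):
        alerts.append(Alert("removed", rel, baseline[rel]))
    return alerts


def triage(alerts, approved_changes):
    """11.5.1-style response: an alert is accepted only if an approved change
    ticket covers exactly that path and that kind of change; anything else is
    escalated. Returns (accepted, escalated)."""
    accepted, escalated = [], []
    for alert in alerts:
        if approved_changes.get(alert.path) == alert.kind:
            accepted.append(alert)
        else:
            escalated.append(alert)
    return accepted, escalated


def demo():
    """Constructed scenario: baseline a small tree, apply four changes of which
    two are covered by a change ticket, and return what the detector reports."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
            os.chmod(full, mode)

        write("etc/sshd_config", "PermitRootLogin no\n")
        write("bin/agent", "#!/bin/sh\necho ok\n", 0o755)
        write("etc/motd", "welcome\n")
        baseline = build_baseline(root)

        write("etc/sshd_config", "PermitRootLogin yes\n")   # unticketed edit
        os.chmod(os.path.join(root, "bin/agent"), 0o4755)   # unticketed setuid
        write("etc/motd.new", "welcome\n")                  # ticketed addition
        os.remove(os.path.join(root, "etc/motd"))           # ticketed removal

        alerts = compare(baseline, build_baseline(root))
        ticket = {"etc/motd.new": "added", "etc/motd": "removed"}
        accepted, escalated = triage(alerts, ticket)
        return {
            "alerts": [(a.kind, a.path) for a in alerts],
            "accepted": [a.path for a in accepted],
            "escalated": [a.path for a in escalated],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points an assessor will look for are visible here: the fingerprint covers more than content, so a permission change on a binary is an alert in its own right, and triage matches an alert to a ticket by both path and change kind, so a ticket that approves adding a file does not silently cover an edit to it.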
Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole data centers to the "cloud", although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows:

Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.

Figure 6: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

Private Cloud - The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud - The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud - The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability, for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud - The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

Cloud-Based End User Computing - Cloud-based end user computing infrastructure is based on an underlying cloud infrastructure model, and allows organizations to leverage any of the previously described cloud infrastructure models to deliver end user desktops, mobile device and content management, and secure access to data and applications.

To learn more about VMware's approach to cloud computing, review the following:
- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, or IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service or deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform.
VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business-critical applications.

If you are an organization or partner that is interested in more information on the VMware Compliance Program,

Where to Start - Considerations for Management, IT and Auditors

Migrating a traditional IT infrastructure to a virtual or cloud environment has a significant impact on an organization that extends beyond information technology. Security and compliance continue to remain top concerns for management, IT departments, and auditors. All three areas should be represented and engaged for any IT virtualization or cloud project to confirm that business, IT operations, and compliance teams carefully consider the benefits and risks. The move to cloud and virtual environments has many technical considerations, but it should also be a business decision. Organizations should review the benefits and risks of their current environment and compare them to the different cloud deployment models and service models.

Specific to EUC, a pre-existing cloud deployment is required. The extension to EUC provides the ability to better manage mobile and remote users. This final area is key because it brings with it a specific focus on access control, both for users and for data. Organizations deploying EUC should consider the delivery model because there is so much flexibility in picking and choosing the technology and supporting the requisite controls.

The following questions may be important when considering the potential business impact, benefits, and risks of a virtual and/or cloud environment.

VMware-Specific Assessment Considerations
1. What certifications does your team have in VMware products or solutions?
2. Are you working with an audit partner to help assess and manage risk and compliance considerations?
3. How many individuals that are part of the assessment team have experience with VMware?
4. How long have they been working with VMware architectures?
5. What references do they have for conducting similar assessments?
6. What parts of the EUC solution will you deploy, and does the design leave out any controls?

Management/Business Considerations
1. Can the cloud be a strategic differentiator for the business, or is it a commodity service?
2. How are competitors or partners leveraging cloud and virtualization?
3. What is the business value that cloud could deliver to operations?
4. What is the strategic value that cloud could deliver to the company?
5. Is the IT budget expanding or contracting?
6. What are the areas where cloud can provide additional value to the company?
7. Are there efforts to consolidate IT functions that can be addressed with cloud?
8. What are the critical IT services that are or could be outsourced?

IT Considerations
1. How do IT operational processes address and support the company's strategic and operational goals?
2. What manual processes are in place that can be automated?
3. What are the skills and capabilities of the IT department?
4. Have there been any previous attempts to virtualize or outsource critical operations?
5. Which IT initiatives currently underway could affect the scope of the cardholder data environment?
6. How are encryption and tokenization currently used to limit risk?
7. How is sensitive data currently classified (i.e., do you know where all your PCI data resides)?
8. Are there secondary systems that might have credit card data (accounting, marketing)?
9. How have security and compliance affected IT operations?

Audit Considerations
1. What prior experience does the auditor (Qualified Security Assessor (QSA) or Internal Security Assessor (ISA)) have with virtual environments?
2. Has the QSA or ISA successfully assessed PCI environments in cloud or virtual areas?
3. What certifications do they have in VMware products or solutions?
4. How many individuals that are part of the assessment team have experience with VMware?
5. What thought leadership and guidance has the QSA/ISA published?
6. What are the risks and mitigation techniques the QSA/ISA believes are appropriate for multi-tenancy or mixed-mode environments?
7. How long have they been working with VMware architectures?
8. Have they been involved with the PCI Special Interest Group or other PCI communities?
9. What references do they have for conducting similar assessments?
10. Is the QSA/ISA assigned to the audit engagement knowledgeable about the basic components, systems, and software in a VMware cloud?

Guidance from the Payment Card Industry Security Standards Council
More informationCONTENT OUTLINE. Background... 3 Cloud Security... 3. Instance Isolation:... 4. SecureGRC Application Security... 5
Page 2 Disclaimer THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET
More information( ( ( Kaleidescape(Secure(Content(Delivery(System( (KDRMBC)(
( ( ( Kaleidescape(Secure(Content(Delivery(System( (KDRMBC)( ( ( ( ( ( ( ( Security(Review(Management(Report( Version1.1(Final) Author:(Tom(Thomas,(Ian(Whitworth( T+441256844161 F+441256844162 www.farncombe.com
More informationHow To Protect A Virtual Desktop From Attack
Endpoint Security: Become Aware of Virtual Desktop Infrastructures! An Ogren Group Special Report May 2011 Executive Summary Virtual desktops infrastructures, VDI, present IT with the unique opportunity
More informationPIKA µfirewall Cloud Management Guide
Version 1.0 April 2015 Introduction... 2 Installation... 2 Configuring the Unit... 10 Changing Parameters... 10 Adding Blacklists and White lists... 12 Upgrading Firmware... 15 Disclaimer... 18 Frequently
More informationTABLE OF CONTENTS. INTRODUCTION: - Section 1: PCI DSS Version 3.0 Changes - Section 2: Can IDS and WAF Techniques Replace Systems with PCI DSS 3.0?
TABLE OF CONTENTS INTRODUCTION: - Section 1: PCI DSS Version 3.0 Changes - Section 2: Can IDS and WAF Techniques Replace Systems with PCI DSS 3.0? PREPARATION: - PCI DSS 3.0 Reporting and Auditing REQUIREMENTS:
More informationBroadSoft Partner Configuration Guide
BroadSoft Partner Configuration Guide MiaRec Call Recording System Sep 2015 Document Version 1.2 333 W. Santa Clara St, Suite 803 San Jose, CA 95133 +1.866.324.6717 WWW.MIAREC.COM BroadWorks Guide Copyright
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationSOLARWINDS ORION. Patch Manager Evaluation Guide for ConfigMgr 2012
SOLARWINDS ORION Patch Manager Evaluation Guide for ConfigMgr 2012 About SolarWinds SolarWinds, Inc. develops and markets an array of network management, monitoring, and discovery tools to meet the diverse
More informationOracle Hospitality OPERA Cloud Services Security Guide Release 1.20 Part Number: E69079-01. April 2016
Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 Part Number: E69079-01 April 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation
More informationIBM Endpoint Manager for Core Protection
IBM Endpoint Manager for Core Protection Device control and endpoint protection designed to guard against malware and loss of sensitive data Highlights Delivers real-time endpoint protection against viruses,
More informationPCI COMPLIANCE GUIDE For Merchants and Service Members
PCI SAQ C-VT PCI COMPLIANCE GUIDE For Merchants and Service Members PCI DSS v2.0 SAQ CVT Merchant Guide 1 Contents Contents... 2 Introduction... 3 Defining an SAQ C Merchant... 3 REQUIREMENTS FOR SAQ-VT...
More informationWhite Paper. Managing Risk to Sensitive Data with SecureSphere
Managing Risk to Sensitive Data with SecureSphere White Paper Sensitive information is typically scattered across heterogeneous systems throughout various physical locations around the globe. The rate
More information3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance
3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security
More informationFujitsu Dynamic Cloud Bridging today and tomorrow
Fujitsu Dynamic Cloud Bridging today and tomorrow Contents Cloud Computing with Fujitsu 3 Fujitsu Dynamic Cloud: Higher Dynamics for Enterprises 4 Fujitsu Dynamic Cloud: Our Offering 6 High Security Standards
More informationSecurity Module v2.0. White Paper. April 2011
Security Module v2.0 White Paper April 2011 Security Module: Comprehensive Security for CareFusion Products Overview CareFusion offers a comprehensive security technology solution for products running
More informationThis policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.
- 1. Policy Statement All card processing activities and related technologies must comply with the Payment Card Industry Data Security Standard (PCI-DSS) in its entirety. Card processing activities must
More informationApple Mail Setup Guide (POP3)
Versions Addressed: Mac OS X 10.4 (Tiger), 10.5 (Leopard), 10.6 (Snow Leopard) Document Updated: 9/23/2010 Copyright 2010 Smarsh, Inc. All rights Purpose: This document will assist the end user in configuring
More informationIT Sr. Systems Administrator
IT Sr. Systems Administrator Location: [North America] [United States] [Monrovia] Category: Information Technology Job Type: Open-ended, Full-time PURPOSE OF POSITION: Systems Administrators and Engineers
More informationSymphony Plus Cyber security for the power and water industries
Symphony Plus Cyber security for the power and water industries Symphony Plus Cyber Security_3BUS095402_(Oct12)US Letter.indd 1 01/10/12 10:15 Symphony Plus Cyber security for the power and water industries
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationUSER CONFERENCE 2011 SAN FRANCISCO APRIL 26 29. Running MarkLogic in the Cloud DEVELOPER LOUNGE LAB
USER CONFERENCE 2011 SAN FRANCISCO APRIL 26 29 Running MarkLogic in the Cloud DEVELOPER LOUNGE LAB Table of Contents UNIT 1: Lab description... 3 Pre-requisites:... 3 UNIT 2: Launching an instance on EC2...
More informationCloud Security Who do you trust?
Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud
More informationBuilding Private & Hybrid Cloud Solutions
Solution Brief: Building Private & Hybrid Cloud Solutions WITH EGENERA CLOUD SUITE SOFTWARE Egenera, Inc. 80 Central St. Boxborough, MA 01719 Phone: 978.206.6300 www.egenera.com Introduction When most
More informationManaging the Business of IT in the Cloud Era. VMware vrealize Business
Managing the Business of IT in the Cloud Era VMware vrealize Business KEY HIGHLIGHTS VMware vrealize Business supports better business-it alignment by delivering transparency into the cost and quality
More informationConnectivity to Polycom RealPresence Platform Source Data
Polycom RealAccess Security White Paper The Polycom RealAccess service is delivered using the Software as a Service (SaaS) model. This white paper outlines how the service protects sensitive customer data
More informationSecuring the Cloud with IBM Security Systems. IBM Security Systems. 2012 IBM Corporation. 2012 2012 IBM IBM Corporation Corporation
Securing the Cloud with IBM Security Systems 1 2012 2012 IBM IBM Corporation Corporation IBM Point of View: Cloud can be made secure for business As with most new technology paradigms, security concerns
More informationBAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
More informationComplying with PCI DSS
Complying with PCI DSS Table of Contents Complying with the New PCI DSS Rulings 1 Audio and DTMF Tone Data 2 Agent Screen Data 2 Appendix A 3 Complying with the New PCI DSS Rulings The Payment Card Industry
More informationOut of the Frying Pan and Into the Fire: Protecting the Security of Research Data. Vice Chancellor for IT & CIO July 19, 2011 UNC Chapel Hill
Out of the Frying Pan and Into the Fire: Protecting the Security of Research Data Larry Conrad ISTS Dartmouth College Vice Chancellor for IT & CIO July 19, 2011 UNC Chapel Hill First the Context: Information
More informationBlue Jeans Network Security Features
Technical Guide Blue Jeans Network Security Features Blue Jeans Network understands an organization s need for secure communications. The Blue Jeans cloud-based video conferencing platform provides users
More informationOffice of Information Technology Hosted Services Service Level Agreement FY2009
Application Name: Application Agreement Start Date: 07/01/08 Customer Name: Customer Agreement Renewal Date: 06/30/09 SLA Number: HSxxxFY09A Service Description: This document describes the technical support
More informationPICO Compliance Audit - A Quick Guide to Virtualization
WHITE PAPER August 2011 Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security HYTRUST AND TREND MICRO DEEP SECURITY TOC Contents Virtualization
More informationAlways On Infrastructure for Software as a Ser vice
Solution Brief: Always On Infrastructure for Software as a Ser vice WITH EGENERA CLOUD SUITE SOFTWARE Egenera, Inc. 80 Central St. Boxborough, MA 01719 Phone: 978.206.6300 www.egenera.com Introduction
More informationService Manager and the Heartbleed Vulnerability (CVE-2014-0160)
Service Manager and the Heartbleed Vulnerability (CVE-2014-0160) Revision 1.0 As of: April 15, 2014 Table of Contents Situation Overview 2 Clarification on the vulnerability applicability 2 Recommended
More informationPCI DSS 3.0 Overview. OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
More informationVMware vcloud Architecture Toolkit Public VMware vcloud Service Definition
VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents
More informationTenable Addendum to VMware Product Applicability Guide. for. Payment Card Industry Data Security Standard (PCI DSS) version 3.0
Tenable Product Applicability Guide For Payment Card Industry (PCI) Partner Addendum VMware Compliance Reference Architecture Framework to VMware Product Applicability Guide for Payment Card Industry Data
More informationPatch Management Integration
Patch Management Integration January 10, 2012 (Revision 5) Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable
More information