Unified Security Anywhere
PCI COMPLIANCE: WE CAN HELP MAKE IT HAPPEN
- Wesley Adams
- 10 years ago
COMPLIANCE MATTERS.

The PCI Data Security Standard (DSS) was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to help facilitate the broad adoption of consistent data security measures on a global basis. Its primary goal is to provide a standard by which the Payment Card Industry can self-regulate. In addition, a number of initiatives are currently underway from state legislatures and federal regulators to increase the penalties for non-compliant organizations. More so now than ever before, compliance matters.
Rethinking PCI Compliance

PCI DSS is a multi-faceted security standard that includes specific requirements for security management, policies, procedures, network architecture, software design, training and other critical, protective measures. Coupled with Premium PCI Managed Services, Masergy's Unified Enterprise Security (UES) systems take a holistic approach to helping customers achieve and maintain PCI compliance, seamlessly integrating process, technology, service and reporting. Key technology elements center around and complement Masergy's patented adaptive behavioral analysis and correlation engine, like a complex credit card fraud detection system on steroids. The technology enables the discovery and tracking of odd behaviors over time, the kind of activity that eventually makes newspaper headlines, providing you with the opportunity to take preemptive action.

PCI Compliance: Continuous Process, Synergistic Approach
Process (P): Policy, Procedure, Assessment, Gap Analysis, Remediation, Vulnerability Scans, Perimeter Scans, PCI Consulting Services
Reporting (R): Compliance Discovery, Security Alerts, Stealth Attacks, Prioritized Threats, Policy Violations, Access Violations, Audit Trails
Service (S): 24/7 Monitoring, Firewall Mgmt & Monitoring, Log File Mgmt & Monitoring, Quarterly Vulnerability Scans, Quarterly Perimeter Scans, Annual Audit, Consulting
Technology (T): IDS/IPS, UTM, NBA, AV, AS, CF, Firewalls, Threat Management, Log Management, SIEM. Passive technology: no network latency, no network changes. Unified administration, 24/7 monitoring and reporting.
Make Life Easier. Partner with Masergy, a Certified PCI Vendor.

What does all this mean to your organization? The alleviation of business risk (along with demonstrating the expected due care related to storage, processing, and transmission of critical cardholder data as defined by the PCI DSS) is complex and resource-dependent. At Masergy, we understand that compliance depends on a number of critical factors. From auditing to technology, process, and policy, Masergy understands that each organization has different requirements depending on where they currently stand on the compliance path. That's why we approach the challenge of compliance in a holistic fashion, tailoring our services to your organization's current needs and specific requirements. You can be confident that Masergy, one of the few PCI-certified companies, can provide the partnership required to help you efficiently achieve and maintain PCI compliance.

Best Products & Services Readers Trust Award: Network Products Guide has awarded Masergy the 2009 Best Products and Services Readers Trust Award for Unified Security.
Tomorrow's Technology Today Award: Masergy is a winner of the 2006, 2007, 2008 and 2009 Tomorrow's Technology Today awards from Info Security Products Guide.
Global Product Excellence Customer Trust Award: Masergy is a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security from Info Security Products Guide.
Best Deployment Scenario Award: Info Security Products Guide has named Masergy a winner of the 2009 Best Deployment Scenario Award for Managed Security Services.
Product Innovation Award: Masergy's Enterprise UTM++ and All-n-One Security Module for Enterprise UTM have received 2008 and 2009 Product Innovation awards for unified security from Network Products Guide.
PREDICT AND PROTECT

Enterprise UTM
A holistic, non-intrusive, layered approach to PCI compliance
A fully integrated, highly scalable, passive network security suite with patented behavioral analysis and correlation shared by all applications
Unified Administration, Monitoring and Reporting

[Architecture diagram: Enterprise UTM functions (Protect, Monitor, Alert, Report) on a Trusted Computing Base, with IDS, IPS, NBA, AV, NAC, AS, CF and firewall blocking fed by users, servers, firewalls, syslogs, switches and routers; a Network Behavioral Analysis and Correlation Server produces alerts on intrusions, threats, suspicious traffic, viruses, Trojans, vulnerabilities, vendor alerts, stealth attacks, access violations, resource violations, policy violations and compliance.]
COMPREHENSIVE PCI COMPLIANCE REPORTING

Using the most advanced algorithms in the industry, Masergy automatically analyzes your threat status and continually compiles comprehensive sets of reports on suspicious activity. Specific to PCI compliance, we offer the following reporting services:

Vulnerability Scan Reports
Current Risk Report
Current Risk Summary
Ignored Vulnerabilities Report
Vulnerability Escalation Report
Vulnerability History Report
Report by Vulnerability
> Detailed description
> Consequences
> Detailed remediation steps
> Risk factor
> Links to CVEs, patches, etc.

Vulnerability Management Reports
Prioritized Vendor Threats
Prioritized Network Threats
Prioritized Global Threats
Prioritized Vulnerabilities
Prioritized Threat List (all)
Links Threats with:
> Threat sources, ports, protocols
> Targeted assets
> Required remediation steps & patches
Rolling 30-day Threat Remediation Report
Network Access Policy Violation Report
Geographic Origin of Attackers
Open Services Reports
Identifies/documents external usage of enterprise services and resources
Identifies/documents internal usage of external services and resources
> Web Usage
> Encrypted Web Usage
> SMTP Mail Usage
> Encrypted SMTP Mail Usage (SSL)
> POP3 Mail Usage
> Encrypted POP (SSL) Usage
> IMAP Mail Usage
> Encrypted IMAP Mail Usage
> FTP Usage
> Telnet Usage
> SSH Usage
> LDAP Usage
> Socks Usage
> News Usage
> Encrypted News Usage (SSL)
> Windows Share Usage (netbios-ssn)
> P2P Usage
> IM Usage
> Proprietary (other)
Masergy's 12 Steps to PCI Compliance

A. BUILD AND MAINTAIN A SECURE NETWORK
1. We can guide your organization in establishing, optimizing, and maintaining industry best practice firewall configuration standards, as well as install and maintain a firewall configuration to protect cardholder data. This optimizes the protection of all systems from unauthorized Internet access. We'll also share/develop with you industry best practice configuration standards for the rest of your major system components.
2. Monthly configuration scans are performed to ensure your organization is not using vendor-supplied defaults for system passwords or other security parameters. Not only are defaults well known in hacker communities, but they can easily be found in public information, making your organization an easy target.

B. PROTECT CARDHOLDER DATA
3. Monthly testing and assessments of your cardholder data processing, storage and encryption methodology are performed to ensure the cardholder data is properly protected.
4. Testing and assessment will ensure your organization is using the required strong cryptography and security protocols to protect sensitive information during transmission across open public networks.

C. MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
5. Periodic audits are conducted to assist with the necessary oversight to make sure your organization's anti-virus software or programs are updated.
6. Our Enterprise UTM compliance offering includes an integrated threat management solution to help your organization ensure its network and device vulnerabilities are discovered, prioritized and resolved in an effective manner.

D. IMPLEMENT STRONG ACCESS CONTROL MEASURES
7. Our professional services organization can guide your organization related to security process, policy, and technology to ensure access to cardholder data is appropriate based upon business need-to-know. This ensures critical data is untouchable by unauthorized personnel.
8. Our periodic audits and testing make sure a unique ID is assigned to each person with computer access.
9. We also help you confirm that the necessary restrictions are in place regarding physical access to cardholder data, in order to protect hard copies of cardholder information as well as the cardholder information systems themselves.

E. REGULARLY MONITOR AND TEST NETWORKS
10. The Enterprise UTM component of our PCI compliance offering tracks and monitors all access to network resources and cardholder data so that the cause of any policy violation can be determined through system alerts and activity logs.
11. As a PCI Approved Scanning Vendor, we will provide the required periodic vulnerability scans and penetration testing of your systems, processes and custom software to ensure security is maintained over time and throughout software changes.
F. MAINTAIN AN INFORMATION SECURITY POLICY
12. Based on your specific requirements, the Masergy professional services team can work with your organization to establish and maintain policies that address information security, as well as processes that confirm all employees, contractors, and vendor partners are aware of the sensitivity of your data and their responsibility for protecting it.

PCI compliance is a significant undertaking for most organizations. The criticality for organizations that process, store, or transmit cardholder data to achieve and maintain PCI compliance continues to increase. Masergy's Premium PCI Managed Services and Enterprise UTM Technology have the necessary flexibility to meet the specific compliance needs of your organization. PCI compliance: we can help make it happen.
Build and Maintain a Secure Network

REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA.

Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Formal Change Approval Process
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration.
All-n-One Security Module (ASM), models N-2500-S (10/100/1000Mb), N-2501-S (10Mb), N-2510-S (100Mb) and N-2520-S (1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.
Professional services: Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.

Current Network Diagram
Professional services: Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks.

Firewall Requirements
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Firewall Requirements (continued)
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Professional services: Based upon your IT infrastructure and business requirements, the Masergy professional services team will define formal requirements for a firewall at each Internet connection and between any DMZ and the internal network.

Groups, Roles, Responsibilities
Professional services: Working with your team, Masergy will develop a current description of groups, roles, and responsibilities for logical management of network components.

Services, Ports Necessary for Business
Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires the A-5000-G Behavioral Correlation Module, BCM): Systems configured with the BCM automatically detect and document services and ports necessary for business. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC (Security Control Center).
All-n-One Security Module (ASM) (requires the A-2500-G Behavioral Correlation Module Software): The same BCM capability as above; a specific report can be requested at any time by contacting the SCC.
Professional services: Based on your required business applications, the Masergy professional services team will document a list of services and ports necessary for business.
Justification for Non-Standard Protocols
Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires the A-5000-G BCM): Systems configured with the BCM will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request. A specific report is available at any time by simply contacting the SCC.
All-n-One Security Module (ASM) (requires the A-2500-G Behavioral Correlation Module Software): The same BCM capability as above; a specific report is available at any time by contacting the SCC.
Professional services: Masergy will work with your organization to identify non-standard protocols in use. We will be responsible for developing a formal justification for required non-standard protocols.

Justification for Risky Protocols (e.g., FTP)
Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires the A-5000-G BCM): Systems configured with the BCM will automatically detect and document services and ports necessary for business, including any risky protocols allowed, such as file transfer protocol (FTP). There are also several reports that catalog the use of FTP and other risky protocols. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC.
Justification for Risky Protocols (e.g., FTP) (continued)
All-n-One Security Module (ASM) (requires the A-2500-G Behavioral Correlation Module Software): The same BCM capability as above, including detection and reporting of risky protocols such as FTP; a specific report can be requested at any time by contacting the SCC.
Professional services: Masergy will work with your organization to identify risky protocols in use. We will be responsible for developing a formal justification for required risky protocols.

Quarterly Review of FW & Router Rules
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.
Professional services: The Masergy professional services team will perform a quarterly review of the firewall and router rule sets.

Router Configuration Standards
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy offers industry best practice configuration standards for routers.
Professional services: The Masergy professional services team will provide a complete report of industry best practice configuration standards for routers.
1.2 FW Rules to Deny Untrusted Networks & Hosts
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
Network Access Monitoring via Network Security Zones (Enterprise UTM++ configurations require the Z-1000-G software; ASM configurations require the Z-2500-G software): Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific network resource objects (users, systems, applications, date/time, etc.) with secure boundaries for specific systems, applications and users. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
Professional services: The Masergy professional services team offers a recommended firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
FW Rules to Restrict Connections
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements
Professional services: The Masergy professional services team will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements

Ingress Filters
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy restricts inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will restrict inbound Internet traffic to IP addresses within the DMZ (ingress filters).
Professional services: Based upon your business environment, the Masergy professional services team will deliver a recommended configuration design, restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters).

Inhibit Internal Address from Reaching Internet via DMZ
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will not allow internal addresses to pass from the Internet into the DMZ.
Inhibit Internal Address from Reaching Internet via DMZ (continued)
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will not allow internal addresses to pass from the Internet into the DMZ.
Professional services: Working with your particular infrastructure, the Masergy professional services team will recommend a design that does not allow internal addresses to pass from the Internet into the DMZ.

Implement Stateful Inspection
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network).
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network).
Professional services: The Masergy professional services team will offer a design and periodically verify that stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network), is properly implemented.

Segregate DMZ and Database(s)
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.
Segregate DMZ and Database(s) (continued)
Network Security Zones (UTM++ configurations require the Z-1000-G Network Security Zones feature; ASM configurations require the Z-2500-G Network Security Zones feature; no additional hardware or software agents are required): As part of the NSZ capability and service, secure computing policies are established to logically place database(s) in an internal network zone, segregated from the DMZ. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response, and include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
Professional services: As part of the service, Masergy will recommend a design and periodically verify that the database is in an internal network zone, segregated from the DMZ.

Restrict I/O Traffic
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
Network Security Zones (UTM++: Z-1000-G feature; ASM: Z-2500-G feature; no additional hardware or software agents are required): As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
Restrict I/O Traffic (continued)
Network Security Zones: NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
Professional services: As part of the service, Masergy will offer a design and periodically confirm that network access restricting inbound and outbound traffic to that which is necessary for the cardholder data environment is properly implemented.

Secure & Synch Router Configuration Files
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will periodically confirm the security and synchronization of router configuration files, for example running configuration files (for normal functioning of the routers) and start-up configuration files (when machines are re-booted), ensuring all have the same secure configuration.

Deny all Other Nonessential I/O Traffic
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will configure network access to deny all other inbound and outbound traffic not specifically allowed.
Network Security Zones (requires the Z-1000-G Network Security Zones feature and the Syslog Module to block/deny NSZ policy violations; no additional hardware or software agents are required): As part of the NSZ capability and service, secure computing policies can be established to deny all other inbound and outbound traffic not specifically allowed. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
Deny all Other Nonessential I/O Traffic (continued)
Network Security Zones: NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
Professional services: As part of the service, Masergy will offer a design and periodically confirm that network access denying all other inbound and outbound traffic not specifically allowed is properly implemented.

Install Perimeter FW Between Wireless Networks and PCI Data
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment or to control such traffic (if it is necessary for business purposes).

Install PC FW on any Mobile and Employee-Owned Computers with Direct Internet Connections
Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will monitor personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network. Requires a software syslog agent to be installed on each monitored laptop that will transmit to the FSM, or syslog output from the PC firewall management/administration console.
Professional services: As part of the service, Masergy will periodically confirm the appropriate installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network. The customer must supply the personal firewall software.
1.4 Prohibit Direct Public Access to any PCI Data
Service: Firewall Management & Monitoring Service (Syslog Module)
As part of the service, Masergy will logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

Service: Network Security Zones (requires the Z-1000-G Network Security Zones feature; no additional hardware or software agents are required; the Syslog Module enables blocking at firewalls and/or switches and routers)
As part of the NSZ capability and service, secure computing policies will prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). Where systems are configured with the Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response; each alert includes the date/time of the offense, the perpetrator, the targeted asset, and complete forensics of the session that triggered it. NSZ is a separate purchase or subscription option to the behavioral intrusion detection/prevention service. As part of the service, Masergy will recommend a design to logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data.
Prohibit Direct Routes in the DMZ
Service: Firewall Management & Monitoring Service (Syslog Module)
As part of the service, Masergy will implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.
Service: All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
The All-n-One Security Module (ASM) has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.
As part of the service, Masergy will also offer a detailed design to implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.

Restrict Outbound Traffic from PCI Applications in the DMZ
Service: Firewall Management & Monitoring Service (Syslog Module)
As part of the service, Masergy will restrict outbound traffic from payment card applications to IP addresses within the DMZ.
Service: All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.

1.5 Implement IP Masquerading
Service: Firewall Management & Monitoring Service (Syslog Module)
As part of the service, Masergy will implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).
Service: All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, it will be configured to implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using technologies that implement RFC 1918 address space, such as PAT or NAT.
As part of the service, Masergy will also offer a design and periodically confirm that IP masquerading is properly implemented, so that internal addresses are not translated and revealed on the Internet, using technologies that implement RFC 1918 address space, such as PAT or NAT.
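The Requirement 1 controls above reduce to a small set of testable properties of the rule base: anything not explicitly allowed is denied, wireless cannot reach the cardholder data environment, public hosts cannot reach components that store cardholder data, payment applications can reach only DMZ addresses, and any RFC 1918 source that egresses must be masqueraded. The following Python is an added example (not Masergy's code or configuration) that evaluates a first-match rule set with an implicit final deny and probes it for those properties; the zones, addresses, rules and probe hosts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: Net
    dst: Net
    port: Optional[int]    # None matches any destination port


def rule_matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and (rule.port is None or rule.port == port))


def evaluate(rules: Iterable[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            return rule.action
    return "deny"   # the "deny all other traffic" default the requirement calls for


# Constructed address plan (an assumption for this example, not a customer design).
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.168.100.0/24")      # screened web/app tier
CDE = ipaddress.ip_network("10.10.0.0/16")          # cardholder data environment
CDE_DB = ipaddress.ip_network("10.10.1.0/24")       # databases holding PAN
PAYMENT_APP = ipaddress.ip_network("10.10.5.0/24")  # payment card applications
WIRELESS = ipaddress.ip_network("10.50.0.0/16")     # corporate wireless

RULES = [
    Rule("deny", WIRELESS, CDE, None),      # wireless isolated from the CDE
    Rule("allow", ANY, DMZ, 443),           # public HTTPS terminates in the DMZ only
    Rule("allow", DMZ, CDE_DB, 5432),       # DMZ app tier to the database on one port
    Rule("allow", PAYMENT_APP, DMZ, None),  # payment apps may reach only DMZ addresses
    Rule("allow", DMZ, ANY, 443),           # DMZ egress, e.g. to the acquirer's gateway
]

# Representative probes derived from the requirement text; every one must be denied.
PROBES = [
    ("public host reaching a PAN database", "203.0.113.7", "10.10.1.10", 5432),
    ("wireless client reaching the CDE", "10.50.3.3", "10.10.1.10", 22),
    ("payment app reaching the Internet directly", "10.10.5.4", "203.0.113.7", 443),
    ("public host reaching a non-DMZ CDE service", "203.0.113.7", "10.10.5.4", 443),
]


def audit(rules: Iterable[Rule]) -> List[str]:
    """Return the descriptions of probes the rule set fails to deny."""
    rules = list(rules)
    return [desc for desc, s, d, p in PROBES if evaluate(rules, s, d, p) != "deny"]


RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net: Net) -> bool:
    return any(net.subnet_of(block) for block in RFC1918)


def rules_requiring_nat(rules: Iterable[Rule]) -> List[Rule]:
    """Allow rules that carry a private source into non-private space need PAT/NAT
    attached, otherwise the internal address is revealed on the Internet."""
    return [r for r in rules
            if r.action == "allow" and is_rfc1918(r.src) and not is_rfc1918(r.dst)]


if __name__ == "__main__":
    print("probes not denied:", audit(RULES))
    for r in rules_requiring_nat(RULES):
        print("masquerade required:", r.src, "->", r.dst, "port", r.port)
```

Running the probes before a change is pushed, and again whenever the design is periodically confirmed as the service describes, turns "deny all other traffic" into a regression test rather than a one-time review. The masquerading check only reports which allow rules need a translation attached, since the rule evaluator cannot see the NAT table.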
Build and Maintain a Secure Network
REQUIREMENT 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS.
Hackers (both external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

2.1 Change Vendor-Supplied Defaults for New Systems
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults before the system is installed on the network (for example, passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts), then periodically scan and provide suggested system remediation for detected vulnerabilities.

Change Wireless Vendor Defaults for New Systems
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults in wireless environments, including but not limited to wired equivalent privacy (WEP) keys, the default service set identifier (SSID), passwords and SNMP community strings, as well as disabling SSID broadcasts and enabling WiFi protected access (WPA and WPA2) technology for encryption and authentication where the equipment is WPA-capable. Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.2 Configuration Standards for all System Components
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will offer recommended configuration standards for all system components, and ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security (SANS), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).

Implement Only One Primary Function per PCI Server
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will periodically audit to ensure only one primary function per server (for example, Web servers, database servers, and DNS should be implemented on separate servers), and periodically scan and provide suggested system remediation for detected vulnerabilities.
Disable all Unnecessary and Insecure Services for all PCI System Components
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function), and periodically scan and provide suggested system remediation for detected vulnerabilities.

Configure System Security Parameters to Prevent Misuse for all PCI System Components
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will audit and recommend the optimal system security parameters to prevent misuse, and periodically scan and provide suggested system remediation for detected vulnerabilities.

Remove all Unnecessary Functionality for all PCI System Components
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will identify unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers, and periodically scan and provide suggested system remediation for detected vulnerabilities.

2.3 Encrypt all Non-Console Administrative Access
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will identify and recommend appropriate encryption methods for all non-console administrative access, and implement technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access. Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.4 Hosting Providers Requirements
As part of the service, Masergy audits any hosting providers to ensure protection of each entity's hosted environment and data, and to ensure providers meet the specific requirements detailed in Appendix A: PCI DSS Applicability for Hosting Providers.
Protect Cardholder Data
REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA.
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, the data is unreadable and unusable without the proper cryptographic keys. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number (PAN) is not needed, and not sending the PAN in unencrypted e-mails.

3.1 Minimize Cardholder Data Storage
As part of the service, Masergy will audit cardholder data storage minimum requirements and make recommendations for cardholder data storage reductions. Working with your organization, we will develop a data retention and disposal policy that limits the amount stored and the retention time to what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Sensitive Authentication Data Policy
As part of the service, Masergy will audit PCI server authentication implementation(s) to ensure sensitive authentication data is not stored anywhere subsequent to authorization (even if encrypted). Working with your organization, we will develop a compliant authentication and disposal policy. Sensitive authentication data includes the data cited in the following requirements.

Magnetic Stripe Data Handling Policy
Working as an extension of your organization, Masergy will develop and implement policies to ensure there is no storage of the full contents of any track from the magnetic stripe (on the back of a card, in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.
In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the account holder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business. NEVER store the card verification code or value or the personal identification number (PIN) verification value data elements.

Card-Validation Code Handling Policy
As part of the service, Masergy will audit cardholder PIN usage and retention practices and identify corrective measures to ensure PCI compliance. Working with your organization, we will develop a PIN retention and disposal policy that limits PIN retention to what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.3 PAN Masking Policy
As part of the service, Masergy will audit cardholder PAN usage, retention, and practices, and identify corrective measures to ensure PCI compliance. We will develop a primary account number (PAN) usage policy and practices to ensure the PAN is masked when displayed (the first six and last four digits are the maximum number of digits to be displayed), and establish PAN limitation(s) and retention time at what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.4 PAN Rendering Policy
As part of the service, Masergy will audit cardholder PAN rendering usage, retention, and practices, and identify corrective measures to ensure PCI compliance.
Develop a primary account number (PAN) rendering policy and practices to ensure the PAN is, at minimum, rendered unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
> Strong one-way hash functions (hashed indexes)
> Truncation
> Index tokens and pads (pads must be securely stored)
> Strong cryptography with associated key management processes and procedures

Disk Encryption Policy
As part of the service, Masergy will audit disk encryption usage and practices and identify corrective measures to ensure PCI compliance. Develop a disk encryption usage policy and practices to ensure logical access is managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts), and that decryption keys are not tied to user accounts. Establish the disk encryption application(s)/implementation(s) required for business, legal, and/or regulatory purposes, as documented in the disk encryption usage policy.

3.5 Encryption Key Protection Policy
As part of the service, Masergy will audit the protection of encryption keys used for encryption of cardholder data against both disclosure and misuse. Develop an encryption key protection policy and practices that guard against data compromise by both disclosure and misuse. Establish and document the applications and practices required for business, legal, and/or regulatory purposes that utilize encryption keys:
> Restrict access to keys to the fewest number of custodians necessary.
> Store keys securely in the fewest possible locations and forms.
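Requirements 3.3 and 3.4 (and the key handling that 3.5 then puts in scope) map to a handful of small functions. The Python below is an added example written for this page, not code from Masergy or from any payment application: it masks a PAN for display (at most the first six and last four digits), truncates it, renders it unreadable with a keyed one-way hash, issues index tokens from a vault, and scrubs Luhn-valid PAN-shaped runs out of a log line before the line is stored. The test PANs, the demo key and the in-memory vault are constructed stand-ins; a real key would come from the key-management process of 3.6, and the vault store would be encrypted and access-controlled.

```python
import hashlib
import hmac
import re
import secrets

# Constructed placeholder; in production the key is generated, stored and rotated
# under the 3.5/3.6 procedures (HSM or key-management service), never in source.
DEMO_KEY = b"constructed-demo-key-replace-with-managed-key"

# A PAN is 13 to 19 digits whose last digit is a Luhn check digit.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _require_pan(pan: str) -> str:
    digits = re.sub(r"[ -]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """3.3 display masking: at most the first six (BIN) and last four digits are shown."""
    d = _require_pan(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """3.4 truncation for storage: keep only the last four; the rest is not recoverable."""
    return _require_pan(pan)[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 one-way hash, keyed: with the BIN known, an unkeyed SHA-256 of a PAN can be
    brute-forced over the remaining digits, so the key is what carries the security."""
    return hmac.new(key, _require_pan(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """3.4 index tokens: the token is random, so it reveals nothing about the PAN. The
    vault is the only place the mapping exists and is itself in scope (encrypted at
    rest, access-restricted); the in-memory dicts here stand in for that store."""

    def __init__(self, key: bytes):
        self._key = key
        self._pan_by_token = {}
        self._token_by_index = {}   # keyed hash -> token, so lookups never index on clear PAN

    def tokenize(self, pan: str) -> str:
        d = _require_pan(pan)
        idx = hash_pan(d, self._key)
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_hex(12)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = d
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def redact_pans(text: str) -> str:
    """3.4 'unreadable in logs': mask any Luhn-valid 13-19 digit run before storage.
    Non-Luhn digit runs (order numbers, timestamps) are left alone."""
    def _sub(m):
        run = m.group(0)
        return mask_pan(run) if luhn_ok(run) else run
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"   # well-known test PAN, constructed input
    print(mask_pan(pan), truncate_pan(pan), hash_pan(pan, DEMO_KEY)[:16])
    vault = TokenVault(DEMO_KEY)
    print(vault.tokenize(pan))
    print(redact_pans("order 1234567890123456 card 4111111111111111 approved"))
```

The hash is keyed (HMAC) rather than a bare SHA-256 on purpose: once the six-digit BIN is known, only about ten digits of a 16-digit PAN remain unknown and the Luhn digit removes one more, so an unkeyed hash of a PAN can be reversed by exhaustive search on commodity hardware. The key therefore needs the same custody controls as an encryption key, which is exactly what 3.5 and 3.6 describe.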
3.6 Encryption Key Management Procedures
As part of the service, Masergy will audit all key management processes and procedures for keys used for encryption of cardholder data, and identify corrective measures to ensure PCI compliance. Masergy will develop, fully document, and implement all key management processes and procedures for keys used for encryption of cardholder data, including:
> Generation of strong keys
> Secure key distribution
> Secure key storage
> Periodic changing of keys as deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically, or at least annually
> Destruction of old keys
> Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
> Prevention of unauthorized substitution of keys
> Replacement of known or suspected compromised keys
> Revocation of old or invalid keys
> Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities
Protect Cardholder Data
REQUIREMENT 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS.
Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and

4.1 Use Strong Cryptography and Security Protocols
As part of the service, Masergy will audit the use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over open public networks and identify corrective measures to ensure PCI compliance. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11), global system for mobile communications (GSM), and general packet radio service (GPRS). Develop and document the strong cryptography and security protocol policy and procedures required to safeguard sensitive cardholder data during transmission over open public networks. Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over open public networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.

Wireless Networks Transmitting Cardholder Data
As part of the service, Masergy will audit the use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over wireless networks and identify corrective measures to ensure PCI compliance. Develop and document strong cryptography and security protocol policy and procedures for wireless networks transmitting cardholder data, including methods to encrypt the transmissions using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over wireless networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.
4.2 PAN Usage Policy
As part of the service, Masergy will audit cardholder primary account number (PAN) usage, retention, and practices, and identify corrective measures to ensure PCI compliance. Develop a primary account number (PAN) transmission policy and practices to ensure unencrypted PANs are never sent by e-mail. Establish and document all application(s) transmitting sensitive cardholder data via e-mail that may be required for business, legal, and/or regulatory purposes, as documented in the PAN e-mail usage policy.

Maintain Vulnerability Management Program
REQUIREMENT 5: USE AND REGULARLY UPDATE ANTI-VIRUS SOFTWARE OR PROGRAMS
Many vulnerabilities and malicious viruses enter the network via employees' activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

Anti-Virus Software Policy
Requires V-3001-G Vulnerability Scanner Module
As part of the service, Masergy will audit anti-virus software usage and practices for all servers, desktops, laptops, and mobile devices, and identify corrective measures to ensure PCI compliance. Develop and document an anti-virus software policy and practices to:
> Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
> Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Identify and document all application(s)/systems using anti-malware that may be required for business, legal, and/or regulatory purposes, as documented in the anti-virus software policy.
Anti-Virus Software Policy (continued)
Service: Firewall Management & Monitoring Service (Syslog Module)
As part of the service, for wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, the default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication where the equipment is WPA-capable. Scan and remediate the system for detected vulnerabilities.

Maintain Vulnerability Management Program
REQUIREMENT 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that they do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

Vulnerability Management Security Dashboard
Requires: V-3001-G Vulnerability Scanner Module; I-6000-G Security Dashboard Module
As part of the managed service offering, Masergy will implement scheduled vulnerability scanning and a security dashboard to:
> Ensure that all system components and software have the latest vendor-supplied security patches installed.
> Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.
> Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.
> Provision IT responders with detailed remediation instructions (including links to CVEs and available patches), allowing them to install the relevant security patches.
Vulnerability Management
Service: All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb (requires upgrade to the I-6000-G Security Dashboard feature)
With the upgrade to the optional Security Dashboard feature on the base All-n-One Security Module, Masergy will implement scheduled vulnerability scanning and a security dashboard to:
> Ensure that all system components and software have the latest vendor-supplied security patches installed.
> Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.
> Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.
> Provision IT responders with detailed remediation instructions (including links to CVEs and available patches), allowing them to install the relevant security patches.
The Masergy professional services team will perform a vulnerability assessment to:
> Ensure that all system components and software have the latest vendor-supplied security patches installed.
> Establish and document a comprehensive remediation process and procedure to install relevant security patches within one month of detection and/or patch availability.
> Establish and document a comprehensive process to identify newly discovered security vulnerabilities and update standards to address new vulnerability issues. The customer may require a subscription to vendor alert services.

6.3 Software Development Security Practices
Requires V-3001-G Vulnerability Scanner Module
The Masergy professional services team will establish and document software development security best practices and incorporate information security throughout the software development life cycle, including:
> Testing of all security patches, and of system and software configuration changes, before deployment.
> Separate development, test, and production environments.
> Separation of duties between development, test, and production environments.
> Ensuring production data (live PANs) is not used for testing or development.
> Removal of test data and accounts before production systems become active.
> Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.
> Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.

6.4 Software Development Change Control Procedures
The Masergy professional services team will audit/establish and document software development change control procedures for all system and software configuration changes, including:
> Documentation of impact
> Management sign-off by appropriate parties
> Testing of operational functionality
> Back-out procedures

Web Application Development Secure Coding Guidelines
Requires V-3001-G Vulnerability Scanner Module
The Masergy professional services team will establish and document Web application secure coding guidelines, and review custom application code to identify coding vulnerabilities. This covers prevention of common coding vulnerabilities in software development processes, including the following:
> Unvalidated input
> Broken access control (for example, malicious use of user IDs)
> Broken authentication and session management (use of account credentials and session cookies)
> Cross-site scripting (XSS) attacks
> Buffer overflows
> Injection flaws (for example, structured query language (SQL) injection)
> Improper error handling
> Insecure storage
> Denial of service
> Insecure configuration management
Ensure that all Web-facing applications are protected against known attacks by applying either of the following methods:
> Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
> Installing an application layer firewall in front of Web-facing applications
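Two items in that list, unvalidated input and injection flaws, are what a code review of a payment application most often turns up together, and the fix for one is incomplete without the other. The Python below is an added example for this page, not code from Masergy or from any real payment application: a lookup that splices a customer identifier into SQL text, beside the same lookup done with input validation and a parameterized statement. The table, rows and attacker string are constructed; note that the application table holds only a token and the last four digits, never a PAN, in keeping with 3.4.

```python
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def open_demo_db() -> sqlite3.Connection:
    """Constructed schema and rows: the app stores a vault token and last four only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (customer_id TEXT, name TEXT, pan_token TEXT, last4 TEXT)"
    )
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?, ?)", [
        ("C1001", "Alice Example", "tok_0f3a9c2b7d1e5a6f8b4c2d1e", "1111"),
        ("C1002", "Bob Example",   "tok_9a8b7c6d5e4f3a2b1c0d9e8f", "4444"),
        ("C1003", "Carol Example", "tok_1234567890abcdef12345678", "0005"),
    ])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, customer_id: str) -> List[Row]:
    """Injection flaw: untrusted input becomes part of the statement text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT customer_id, last4 FROM cardholders WHERE customer_id = '%s'" % customer_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer_id: str) -> List[Row]:
    """Parameter binding alone: the value is passed out of band and can never change
    the statement, so the attacker string is simply a customer id that does not exist."""
    return conn.execute(
        "SELECT customer_id, last4 FROM cardholders WHERE customer_id = ?", (customer_id,)
    ).fetchall()


# Constructed identifier format; a real application would derive this from its own schema.
CUSTOMER_ID = re.compile(r"^C\d{4}$")


def lookup_safe(conn: sqlite3.Connection, customer_id: str) -> List[Row]:
    """Validated input plus the parameterized query: malformed ids are rejected before
    any database call, and well-formed ones are bound rather than interpolated."""
    if not CUSTOMER_ID.match(customer_id):
        raise ValueError("malformed customer id")
    return lookup_parameterized(conn, customer_id)


PAYLOAD = "' OR '1'='1"   # constructed attacker input


if __name__ == "__main__":
    conn = open_demo_db()
    print("unsafe, normal id:  ", lookup_unsafe(conn, "C1001"))
    print("unsafe, payload:    ", lookup_unsafe(conn, PAYLOAD))        # every row leaks
    print("parameterized, payload:", lookup_parameterized(conn, PAYLOAD))  # nothing
    try:
        lookup_safe(conn, PAYLOAD)
    except ValueError as e:
        print("safe, payload:      rejected:", e)
```

Reviewing custom code for this class of flaw is mostly a search for statements built from strings; a Web application firewall in front of the application, the other option the requirement allows, catches the common payloads but not a statement constructed from a field the firewall does not recognise as hostile.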
Implement Strong Access Control Measures
REQUIREMENT 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED-TO-KNOW.
This requirement ensures critical data can only be accessed by authorized personnel.

Strong Access Control Measures
Service: Network Access Monitoring via Network Security Zones (UTM++ Configurations require Z-1000-G software; ASM Configurations require Z-2500-G software; Syslog Module)
Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific network resource objects (users, systems, applications, date/time, etc.) with secure boundaries for specific systems, applications, and users. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include the date/time of the offense, the perpetrator, the targeted asset, and complete forensics of the session that triggered the alert. NSZ is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
The Masergy professional services team will establish and document a strong access control policy and procedures to:
> Provide appropriate recommendations to limit access to computing resources and cardholder information only to those individuals whose job requires such access.
> Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed.
Implement Strong Access Control Measures
REQUIREMENT 8: ASSIGN A UNIQUE ID TO EACH PERSON WITH COMPUTER ACCESS
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Unique ID Policy and Procedures
The Masergy professional services team will audit/establish and document a unique ID policy and procedures to:
> Identify all users with a unique user name before allowing them to access system components or cardholder data.
> Employ at least one of the following methods to authenticate all users: a password; token devices (e.g., SecureID, certificates, or public key); or biometrics.
> Offer a recommendation to implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens, or VPN (based on SSL/TLS or IPSEC) with individual certificates.
> Encrypt all passwords during transmission and storage on all system components.
> Ensure proper user authentication and password management for non-consumer users and administrators on all system components, as follows:
> Audit/provide recommendations for control of the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
> Verify user identity before performing password resets.
> Set first-time passwords to a unique value for each user and change them immediately after the first use.
> Immediately revoke access for any terminated users.
> Remove inactive user accounts at least every 90 days.
> Enable accounts used by vendors for remote maintenance only during the time period needed.
> Communicate password procedures and policies to all users who have access to cardholder data.
> Do not use group, shared, or generic accounts and passwords.
> Change user passwords at least every 90 days.
> Require a minimum password length of at least seven characters.
> Use passwords containing both numeric and alphabetic characters.
> Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
> Limit repeated access attempts by locking out the user ID after not more than six attempts.
> Set the lockout duration to thirty minutes or until an administrator enables the user ID.
> If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
> Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
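The account and password rules above are precise enough to encode directly, which is also the easiest way to test an in-house authentication component against them. The Python below is an added example, not Masergy's or any vendor's code: it enforces the seven-character alphanumeric minimum, rejects any of the last four passwords, forces a change at first use and after 90 days, locks the ID after six failures for thirty minutes or until an administrator clears it, and treats a session idle for more than fifteen minutes as expired. Timestamps are passed in explicitly so the behaviour can be exercised without waiting; the PBKDF2 storage hash, the T0 reference time and the sample account are assumptions, since the requirement only says passwords must be encrypted in storage.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds taken from the requirement text.
MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_FAILURES = 6
LOCKOUT = timedelta(minutes=30)
MAX_AGE = timedelta(days=90)
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed reference time so the policy can be driven deterministically.
T0 = datetime(2024, 1, 1, 9, 0)


def later(minutes: int = 0, days: int = 0) -> datetime:
    return T0 + timedelta(minutes=minutes, days=days)


def password_meets_policy(pw: str) -> bool:
    """At least seven characters containing both letters and digits."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isdigit() for c in pw)
            and any(c.isalpha() for c in pw))


def _hash(pw: str, salt: bytes) -> bytes:
    # Stored form is a salted, slow hash (assumed PBKDF2), never the password itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)  # last HISTORY_DEPTH hashes, current last
    changed_at: Optional[datetime] = None
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    must_change: bool = True   # a first-time password is changed at first use

    def set_password(self, new_pw: str, now: datetime, first_time: bool = False) -> None:
        if not password_meets_policy(new_pw):
            raise ValueError("password does not meet length/complexity policy")
        new_hash = _hash(new_pw, self.salt)
        if any(hmac.compare_digest(new_hash, old) for old in self.history):
            raise ValueError("password matches one of the last %d used" % HISTORY_DEPTH)
        self.history = (self.history + [new_hash])[-HISTORY_DEPTH:]
        self.changed_at = now
        self.must_change = first_time

    def authenticate(self, pw: str, now: datetime) -> str:
        """Returns "locked", "bad_password", "change_required" or "ok"."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None      # lockout elapsed; start counting afresh
            self.failures = 0
        if not hmac.compare_digest(_hash(pw, self.salt), self.history[-1]):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "bad_password"
        self.failures = 0
        self.last_activity = now
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change_required"
        return "ok"

    def admin_unlock(self) -> None:
        """The 'or until administrator enables the user ID' branch of the lockout rule."""
        self.failures = 0
        self.locked_until = None

    def session_active(self, now: datetime) -> bool:
        """Idle longer than 15 minutes means the user must re-enter the password."""
        return self.last_activity is not None and now - self.last_activity <= IDLE_TIMEOUT


if __name__ == "__main__":
    acct = Account("alice")                          # constructed sample account
    acct.set_password("Welcome1", T0, first_time=True)
    print(acct.authenticate("Welcome1", T0))         # change_required
    acct.set_password("Spring2024", T0)
    print([acct.authenticate("guess001", T0) for _ in range(6)][-1])   # locked
    print(acct.authenticate("Spring2024", later(minutes=31)))          # ok
```

Lockout state is kept per account rather than per source address on purpose: the requirement is about the user ID, and an attacker spreading attempts across many addresses must still hit the same counter. Keeping the current password inside the four-entry history is what makes "same as any of the last four" include the one in use.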
Implement Strong Access Control Measures
REQUIREMENT 9: RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA.
Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

Restrict Physical Access to Cardholder Data
The Masergy professional services team will audit/establish and document a physical access control policy and procedures to:
Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
> Use cameras to monitor sensitive areas. Audit collected data and correlate it with other entries. Store it for at least three months, unless otherwise restricted by law.
> Restrict physical access to publicly accessible network jacks.
> Restrict physical access to wireless access points, gateways, and handheld devices.
Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. Make sure all visitors are handled as follows:
> Authorized before entering areas where cardholder data is processed or maintained.
> Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
> Asked to surrender the physical token before leaving the facility or at the date of expiration.
Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.
Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility.
Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:
> Classify the media so it can be identified as confidential.
> Send the media by secured courier or another delivery method that can be accurately tracked.
Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).
Maintain strict control over the storage and accessibility of media that contains cardholder data.
> Properly inventory all media and make sure it is securely stored.
Destroy media containing cardholder data when it is no longer needed for business or legal reasons, as follows:
> Cross-cut shred, incinerate, or pulp hardcopy materials.
> Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed.
Regularly Monitor and Test Networks

REQUIREMENT 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA.
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

Track and Monitor all Access to Network Resources and Cardholder Data
Firewall Syslog Module & Monitoring Service
Syslog Module
Network Access Monitoring via Network Security Zones
UTM Configurations++, Requires Z-1000-G Software
ASM Configurations, Requires Z-2500-G Software
Utilizing the syslog monitoring, recording, and reporting capabilities of the N-2800-G Firewall Syslog Module, Masergy's security professionals will help your IT staff achieve requisite compliance by:
Establishing and documenting a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Implementing automated audit trails for all system components to reconstruct the following events:
> All individual user accesses to cardholder data
> All actions taken by any individual with root or administrative privileges
> Access to all audit trails
> Invalid logical access attempts
> Use of identification and authentication mechanisms
> Initialization of the audit logs
> Creation and deletion of system-level objects
Recording at least the following audit trail entries for all system components for each event:
> User identification
> Type of event
> Date and time
> Success or failure indication
> Origination of event
> Identity or name of affected data, system component, or resource
Synchronizing all critical system clocks and times.
Track and Monitor all Access to Network Resources and Cardholder Data
Firewall Syslog Module & Monitoring Service
Network Security Zones
For UTM Configurations++, Requires Z-1000-G Network Security Zones Feature
For ASM Configurations, Requires Z-2500-G Network Security Zones Feature
No Additional HW or SW Agents are Required.
> Limit viewing of audit trails to those with a job-related need
> Protect audit trail files from unauthorized modifications
> Promptly back-up audit trail files to a centralized log server or media that is difficult to alter
> Copy logs for wireless networks onto a log server on the internal LAN
> Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)
Reviewing logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
Note: Log harvesting, parsing, and alerting tools may be used to achieve compliance with Requirement
Retaining audit trail history for at least one year, with a minimum of three months online availability.
As part of the Network Security Zones (NSZ) capability and service, secure computing policies are established to logically place database(s) and applications containing cardholder information in an internal Network Security Zone (NSZ) to monitor access compliance, and report access violations. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.
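Two of the Requirement 10 controls above, the six entries every audit record must carry and the change-detection rule for log files (existing data must not change, appends must not alert), as an added Python example that is not Masergy's code; the key=value field names and the log lines are constructed for the example.

```python
"""Two checks taken from Requirement 10 (added example, not Masergy's code).

1. audit_record_gaps(): flags log entries that lack any of the six fields
   Requirement 10 says every audit trail entry must record (user, event type,
   date/time, success or failure, origin, affected resource).
2. AppendOnlyLogMonitor: the file-integrity rule for logs: alert when bytes
   already recorded are modified or removed, stay quiet when lines are appended.
Log lines and field names below are constructed for the example.
"""
import hashlib

# Field names are an assumption of this example; each maps to one of the six
# audit trail entries Requirement 10 lists for every event.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "ts": "date and time",
    "outcome": "success or failure indication",
    "origin": "origination of event",
    "target": "identity or name of affected data, system component, or resource",
}

# Constructed sample: three key=value audit records; the third has no target.
SAMPLE_LOG = (
    b"ts=2014-03-01T10:02:11Z user=root event=login outcome=success origin=10.0.5.7 target=db01\n"
    b"ts=2014-03-01T10:02:40Z user=jdoe event=read_chd outcome=failure origin=10.0.5.9 target=cardholder_db\n"
    b"ts=2014-03-01T10:03:02Z user=root event=audit_log_init outcome=success origin=10.0.5.7\n"
)


def parse_record(line: str) -> dict:
    """Parse one 'key=value key=value' record into a dict; tokens without '=' are ignored."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def audit_record_gaps(log_text: str) -> dict:
    """Return {line_number: [missing field names]} for records lacking a required entry."""
    gaps = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_record(line)
        missing = [field for field in REQUIRED_FIELDS if not record.get(field)]
        if missing:
            gaps[number] = missing
    return gaps


class AppendOnlyLogMonitor:
    """Change detection for a log file: recorded bytes must not change, appends are fine.

    The baseline is the length and SHA-256 digest of the content last accepted.
    A later snapshot passes only if its first baseline_len bytes still hash to
    that digest; bytes beyond that are new entries and move the baseline forward.
    """

    def __init__(self, initial: bytes = b""):
        self.baseline_len = len(initial)
        self.baseline_hash = hashlib.sha256(initial).hexdigest()

    def check(self, snapshot: bytes) -> str:
        """Return 'ok' (unchanged), 'appended' (new data only) or 'tampered'."""
        if len(snapshot) < self.baseline_len:
            return "tampered"  # truncation: entries already recorded have disappeared
        if hashlib.sha256(snapshot[: self.baseline_len]).hexdigest() != self.baseline_hash:
            return "tampered"  # bytes that were already recorded have been altered
        if len(snapshot) == self.baseline_len:
            return "ok"
        # Only new data after the old end: accept it as the new baseline, no alert.
        self.baseline_len = len(snapshot)
        self.baseline_hash = hashlib.sha256(snapshot).hexdigest()
        return "appended"


if __name__ == "__main__":
    for number, missing in audit_record_gaps(SAMPLE_LOG.decode()).items():
        names = ", ".join(REQUIRED_FIELDS[field] for field in missing)
        print(f"line {number} is missing: {names}")
    monitor = AppendOnlyLogMonitor(SAMPLE_LOG)
    edited = SAMPLE_LOG.replace(b"outcome=failure", b"outcome=success")
    print("edited record  ->", monitor.check(edited))     # tampered
    extra = b"ts=2014-03-01T10:05:00Z user=jdoe event=logout outcome=success origin=10.0.5.9 target=db01\n"
    print("appended line  ->", monitor.check(SAMPLE_LOG + extra))  # appended
    print("truncated file ->", monitor.check(SAMPLE_LOG))  # tampered
```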
Regularly Monitor and Test Networks

REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES.
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.

Annual PCI Compliance Testing
The Masergy professional services team will establish, document, and regularly test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.

Quarterly PCI Compliance Scanning
Masergy is an Approved PCI Scanning Vendor (Certificate # )
Requires V-3001-G Vulnerability Scanner Module
The Masergy professional services team will establish, document, and regularly perform internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Note: Quarterly external vulnerability scans must be performed by a scan vendor qualified by the payment card industry. Scans conducted after network changes may be performed by the company's internal staff.

Annual PCI Compliance Penetration Testing
Masergy is an approved PCI Scanning Vendor (Certificate # )
The Masergy professional services team will establish, document, and regularly perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a Web server added to the environment). These penetration tests include the following:
> Network-layer penetration tests
> Application-layer penetration tests
11.4 IDS / IPS Monitoring
UTM++ Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module software
Systems configured with the Detection+Prevention Module(s) and Behavioral Correlation Module (BCM) automatically monitor all network traffic and alert monitoring personnel to suspected compromises. Each customer has a customized Security Alert Response Procedure (SARP) that details desired handling, response, and reporting of detected intrusion attempts. Systems under managed service(s) are guaranteed to keep all intrusion detection and prevention engines up-to-date and properly tuned.
Systems configured with the Behavioral Correlation Module (BCM) automatically monitor all network traffic and alert monitoring personnel to suspected compromises. Each customer has a customized Security Alert Response Procedure (SARP) that details desired handling, response, and reporting of detected intrusion attempts. Systems under managed service(s) are guaranteed to keep all intrusion detection and prevention engines up-to-date and properly tuned.

Monitoring of Unauthorized Modification of Critical System or Content Files
Firewall Syslog Module & Monitoring Service
Syslog Module
Utilizing the syslog monitoring, recording, and reporting capabilities of the N-2800-G Firewall Syslog Module, Masergy's security professionals will continuously monitor (7x24x365) any deployed third-party file integrity monitoring software that generates a syslog file/feed, and alert personnel to unauthorized modification of critical system or content files. This includes any alerts generated from deployed third-party file integrity monitoring software configured to perform critical file comparisons at least weekly.
Each customer has a customized Security Alert Response Procedure (SARP) that details desired handling, response, and reporting of detected intrusion attempts.
Maintain an Information Security Policy

REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY FOR EMPLOYEES AND CONTRACTORS.
A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.

Maintain an Information Security Policy
The Masergy professional services team will audit/establish, publish, maintain, and disseminate a security policy that accomplishes the following:
> Addresses all requirements in this specification
> Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment
> Includes a review at least once a year and updates when the environment changes
Develop and document daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures and log review procedures).
Develop and document usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
> Explicit management approval
> Authentication for use of the technology
> List of all such devices and personnel with access
> Labeling of devices with owner, contact information, and purpose
> Acceptable uses of the technologies
> Acceptable network locations for the technologies
> List of company-approved products
> Automatic disconnect of modem sessions after a specific period of inactivity
> Activation of modems for vendors only when needed by vendors, with immediate deactivation after use
Maintain an Information Security Policy
> When accessing cardholder data remotely via modem, prohibit storage of cardholder data onto local hard drives, floppy disks, or other external media, as well as the use of cut-and-paste and print functions during remote access.
Audit and/or ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
Document and train assigned individuals or teams for the following information security management responsibilities:
> Establish, document, and distribute security policies and procedures
> Monitor and analyze security alerts and information, and distribute to appropriate personnel
> Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations
> Administer user accounts, including additions, deletions, and modifications
> Monitor and control all access to data
Document and help implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
> Educate employees upon hire and at least annually (for example, by letters, posters, memos, meetings, and promotions)
> Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures
Review screening practices and procedures of potential employees to minimize the risk of attacks from internal sources.
If cardholder data is shared with service providers, then audit contractually committed service providers to ensure that:
> Service providers adhere to the PCI DSS requirements.
> All service providers understand and agree in writing that the service provider is responsible for the security of cardholder data the provider possesses.
Maintain an Information Security Policy
Audit and/or implement an incident response plan to respond immediately to a system breach.
> Create the incident response plan to be implemented in the event of system compromise.
> Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies (for example, informing the Acquirers and credit card associations).
> Test the plan at least annually.
> Designate specific personnel to be available on a 24/7 basis to respond to alerts.
> Provide appropriate training to staff with security breach response responsibilities.
> Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
> Develop processes to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.
Audit and report on all processors and service providers to ensure they maintain and implement policies and procedures to manage connected entities, to include the following:
> Maintain a list of connected entities.
> Ensure proper due diligence is conducted prior to connecting an entity.
> Ensure the entity is PCI DSS compliant.
> Connect and disconnect entities by following an established process.
APPENDIX A: PCI DSS APPLICABILITY FOR HOSTING PROVIDERS
Requirement A.1: Hosting providers protect cardholder data environment.
As referenced in Requirement 12.8, all service providers with access to cardholder data (including hosting providers) must adhere to the PCI DSS. In addition, Requirement 2.4 states that hosting providers must protect each entity's hosted environment and data. Therefore,

A.1 Protect Each Entity's Hosted Environment and Data
As part of the service, the Masergy professional services team will audit hosted environments and data, as in A.1.1 to A.1.4.
Ensure that each entity only has access to its own cardholder data environment.
Restrict each entity's access and privileges to its own cardholder data environment only.
Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment, and consistent with PCI DSS Requirement 10.
Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
A hosting provider must fulfill these requirements as well as all other relevant sections of the PCI DSS.
Note: Even though a hosting provider may meet these requirements, the compliance of the entity that uses the hosting provider is not necessarily guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.
Notes

2014 Masergy, Inc. All Rights Reserved. All product and company names are the property of their respective owners.
Corporate Headquarters (USA): 2740 North Dallas Parkway, Suite 260, Plano, TX USA. Phone: +1 (214) Fax: +1 (214)
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.1 February 2008 Table
Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table
BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance
How Reflection Software Facilitates PCI DSS Compliance
Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit
Firewall and Router Policy
Firewall and Router Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1600 Version # 1.1 Effective Date: 12/31/2011 Revision Date: 12/31/2014 December 31, 2011 Date 1.0 Purpose:
CloudCheck Compliance Certification Program
CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or
How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)
PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
Josiah Wilkinson Internal Security Assessor. Nationwide
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM)
White Paper Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) When It Comes To Monitoring and Validation It Takes More Than Just Collecting Logs Juniper
Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)
Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage
PCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices
Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security
Implementation Guide
Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST [email protected] Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance
An Oracle White Paper January 2010 Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance Disclaimer The following is intended to outline our general product direction. It is
PCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
PCI and PA DSS Compliance Assurance with LogRhythm
WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security
PCI DSS 3.1 Security Policy
PCI DSS 3.1 Security Policy Purpose This document outlines all of the policy items required by PCI to be compliant with the current PCI DSS 3.1 standard and that it is the University of Northern Colorado
SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
