Achieving and maintaining PCI compliance and security with Dell solutions Dell solutions overview
Table of Contents 1.0 Executive summary... 3 2.0 PCI requirements and corresponding Dell solutions... 3 Summary... 17 2
1.0 Executive summary Due to the complexity of the Payment Card Industry Data Security Standards (PCI DSS), no single security product can guarantee compliance. PCI compliance demands an orchestrated number of products, policies, procedures and people to work together harmoniously. Dell s solutions are specifically designed to meet and exceed the security requirements for merchants and service providers who must securely process, store and transmit cardholder data. Dell helps merchants of all types and sizes meet and maintain PCI compliance requirements with a combination of hardware, software, and services. Our solutions include network security, secure wireless, endpoint protection, and systems management, as well as data protection and encryption. Point solutions, such as security appliances and software, are only one aspect of compliance. Dell also offers managed security services that provide 24/7 monitoring and response capability through Dell SecureWorks, a PCI Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). From firewalls and anti-virus solutions, to managed security services, consulting, and system management appliances, Dell can help you address the challenges of PCI compliance more confidently and effectively. 2.0 PCI compliance requirements and Dell solutions The following chart provides an overview of the products and services that are part of Dell s PCI compliance portfolio of products and services. We have implemented these solutions for thousands of companies. This deep experience means you can work with your Dell sales team to identify the products and services from our broad portfolio that best meet your requirements, and leverage their understanding of your business. We streamline this process and do our best to make this complex and important initiative one that you can more easily manage, and to give you the results you need to be successful. Build and maintain a secure network 1. Install and maintain a Security and risk consulting firewall configuration to Managed firewall protect cardholder data. Security log monitoring SIEM on-demand Network security End point protection End point configuration management This requirement mandates the need to implement a sound firewall infrastructure to protect cardholder data from external access. Security and risk consulting Dell SecureWorks Security and Risk Consulting helps merchants assess their current firewall and network architecture; identify gaps; recommend solutions to fill these gaps; and implement any needed changes. Managed Firewall services remove the burden of firewall management with a 24x7x365 team of experts who can audit policies to ensure they align with PCI requirements, perform ongoing rule-set changes, and monitor these devices for any signs of attack. Security Log Monitoring services provide real-time monitoring for known and unknown threats across firewall infrastructure, while Security Information Management (SIEM) services enable internal monitoring. Robust reporting is available through our Web-based portal, enabling merchants to easily demonstrate compliance. 3
Network security All Dell SonicWALL firewall appliances include a stateful firewall and a patented Reassembly-Free Deep Packet Inspection (RFDPI) 1 technology that can detect, segment and secure cardholder traffic in without compromising performance. The Dell SonicWALL solution maintains zone control and segregates customer, employee and credit card data traversing across the network. Components that store cardholder data, such as POS systems and databases, can be properly segmented into separate and distinct zones with controlled access by wired or wireless clients that are owned by the business, and most certainly never by guest wireless access accounts. Dell SonicWALL E-Class Secure Remote Access (SRA) End Point Control (EPC ) uniquely identifies Windows -based endpoints to tie them to authorized users, and checks for essential components such as anti-virus, anti-spyware and personal firewall software before allowing Windows-based devices to connect to the network. Dell SonicWALL Aventail Advanced End Point Control (EPC ) includes an advanced interrogator list that includes all supported anti-virus, personal firewall and anti-spyware solutions from vendors like McAfee, Symantec, Computer Associates, Sophos, Kaspersky Lab and many more. It also integrates technology from OPSWAT to create a virtual Windows session that runs on top of the actual desktop. With centralized management via the Dell SecureWorks Global Management System (GMS), administrators can centrally define and view their policies across thousands of devices, all from a single interface. End point protection Working in conjunction with Dell SonicWALL firewalls, the Dell SonicWALL Enforced Client Anti-Virus and Anti-Spyware service automatically enforces anti-virus and anti-spyware policies on every client, reducing administrative overhead. It combines client-based scanning and remediation capabilities with centralized management and reporting capabilities. When a non-compliant end-point within the network tries to connect to the Internet, the firewall will direct the user to a web page to install the latest Dell SonicWALL Enforced Client Anti- Virus and Anti-Spyware software. The solution automatically delivers updated security definitions to the end point as soon as they become available to protect against today s rapidly-evolving threats. Because enforcement is automatic, administration time and costs are minimized. Dell PowerConnect W-series products enable merchants to easily update firewall configurations and other settings to meet PCI requirements. The Dell SonicWALL Clean Wireless solution makes deploying wireless WLANs secure, simple and cost-effective with the first total 1 Dell SonicWALL employs the services of an independent PCI Qualified Security Assessor (QSA) to review Dell SonicWALL security platforms. This review initiative provides assurance that Dell SonicWALL solutions can satisfy PCI criteria when configured and implemented in accordance with the PCI DSS standard. 4
security solution to integrate universal 802.11 a/b/g/n wireless with an enterprise-class firewall/vpn gateway. Whether you are adding wireless into an existing network infrastructure or deploying a wireless network from the ground up, the extensible Dell SonicWALL Clean Wireless solution scales to virtually any network deployment. By combining advanced security features such as WiFiSec, Virtual APs (VAP), and wireless intrusion detection services (WIDS) with support for industry standards including IPSec, WPA, and 802.11i, Dell SonicWALL protects your wireless network from malicious attacks. Centralized management of your globally distributed wired and wireless networks is easy using the award-winning Dell SonicWALL Global Management System solution. End point configuration management The Dell KACE K1000 Management Appliance provides several easyto-use ways to enforce PC configurations for improved security, and includes several pre-built policies. Administrators can enforce firewall configurations by controlling users firewall settings including logging and allowing TCP traffic on ports required to enable remote administration tools. It allows enforcing browser security settings thereby controlling users' preferences including home page, privacy and security policies. IT administrators can also disallow the running of specific programs and implement quarantine policies for compromised devices. This enables administrators to sever communications between a computer and all other systems when a network security risk has been identified. Build and maintain a secure network 2. Do not use vendor Vulnerability assessments supplied defaults for Vulnerability scanning system passwords and Network security other security parameters. Data protection This requirement dictates that organizations must use sound password policies, such as not using default vendor passwords, and secure wireless and infrastructure configuration standards. Dell SecureWorks offers Vulnerability Assessments to identify any weaknesses in configuration practices including weak passwords, unnecessary services and rogue web servers. Dell SecureWorks consultants can also help merchants develop a secure configuration standard for all critical systems based on industry best practices. Additionally, Dell SecureWorks Vulnerability Scanning service can perform ongoing internal and external scans to ensure infrastructure remains secure. On-demand vulnerability reports can be generated via our customer portal. Network security All Dell SonicWALL firewall appliances require the administrator to change the default passwords upon the initial bootup. A password warehouse can be managed and controlled locally on the appliance or centrally through Dell SonicWALL GMS, which can propagate all 5
settings down to remote devices. All passwords, pre-shared secret keys for VPNs and polices are encrypted during transmission and in local storage. Administrators can also mandate automated passwords checks for weak and generic passwords. Console access can be restricted to only centralized management or HTTPS management for all security parameters. Appliances encrypt all non-console administration for all communications between managed appliances, as well as to GMS, using strong cipher VPNs or HTTPS. Every Dell SonicWALL firewall appliance is a hardened security device that is purpose-built for network security. Furthermore, Dell SonicWALL solutions ensure only specific services (DNS, web, etc.) are allowed to access trusted servers, thus restricting unnecessary services that can have access to systems in the cardholder data environment. The Dell PowerConnect W-Series wireless product line offers enterprise network connectivity and the ability to custom configure WLAN deployments. Merchants can easily configure encryption settings, passwords, and community strings to meet PCI requirements. Data protection Dell Data Protection and Encryption supports SSL for all non-console administrative access, effectively meeting PCI requirements. Protect cardholder data 3. Protect stored cardholder data. Security and risk consulting Managed intrusion prevention and detection Data protection This requirement mandates rendering stored cardholder data unreadable, if possible, or implementing other compensating controls, such as preventing Web application attacks, as outlined in Appendix B of the PCI DSS. Dell SecureWorks can help classify assets and the data residing in them, and help formulate a data protection strategy appropriate to your infrastructure. Our Managed Intrusion Prevention and Detection service provides prevention and detection controls to protect any data that cannot be encrypted. This service can include implementation of commercial IPS/IDS technology or can be bundled with our award-winning isensor IPS technology to deliver superior, cost-effective protection. Once implemented, trained security analysts manage these devices, including ongoing tuning, and monitor them to identify and respond to any threats. The Dell SecureWorks customer portal provides real-time visibility into intrusion prevention and detection, including any alerts and remediation efforts, while delivering on-demand reports to demonstrate PCI compliance. 6
Network security While Dell storage solutions address the issue of protecting stored cardholder data, Dell SonicWALL firmware allows the administrator to identify cardholder data in transit through the use of real-time regular expression (regex) matching mapped to Primary Account Numbers (PAN). Regex minimizes the oversights and limitations of legacy systems that are not prepared to handle the deluge of cardholder that cleverly slips through internal and external storage checks. Since Dell PowerConnect W-series products are not designed to store cardholder data, this requirement does not apply directly to W-series products that are included in deployments that need to meet PCI compliance. However, ensuring that security and encryption parameters for the transmissions are appropriately set helps protect data in motion. Data protection Dell Data Protection and Encryption, or DDP E, uses strong cryptography with associated key management processes and procedures on every device on which our solutions are installed. DDP E provides all the implementation/configuration features necessary to allow customers to meet these requirements. In addition, all DDP E storage of encryption material is secured and only authorized users and system resources are allowed access. Dell also provides all the implementation/configuration features necessary (including documentation where appropriate) to allow customers to meet PCI requirements. Protect cardholder data 4. Encrypt transmission of cardholder data across open, public networks. Security and risk consulting Managed firewall Email encryption End point protection This requirement calls for all cardholder data to be encrypted during transmission over public or untrusted networks. Dell SecureWorks helps meet this requirement by assessing current infrastructure to ensure all VPNs and wireless networks are configured properly to encrypt sensitive data, as well as identify any gaps in data transmission flows that may leave sensitive information unencrypted. Our Managed Firewall service removes the burden of site-to-site VPN management by providing a team of security professionals to administer these devices. Our analysts will also monitor your VPNs for any signs of malicious activity, enabling you to respond quickly to threats. The Dell SecureWorks customer portal provides real-time visibility and ondemand reporting to demonstrate PCI compliance. Dell SecureWorks Email Encryption service helps ensure all cardholder data is transmitted via encrypted email. The solution is easy-to-use and 7
requires very little end-user training, making compliance with this requirement relatively painless. Network security Dell SonicWALL s Clean VPN approach integrates a layer of intelligent remote access technology using a Secure Sockets Layer virtual private network (SSL VPN) to secure users and devices beyond the perimeter. In combination with Dell SonicWALL s Next-Generation Firewall traffic can be secured and cleaned before it enters the merchant network. Dell SonicWALL Next-Generation Firewall appliances support SSL and IPSec-encrypted communication protocols across 802.11x, 2G, 3G and 4G data networks. In addition, Dell SonicWALL Secure Remote Access solutions provide strong encryption for data during transmission over open networks using SSL and TLS encryption protocols. Both products support the MD5 and SHA-1 protocols to ensure the integrity of secure transmissions involving cardholder data for wireless, and wired end points. End point protection With Worry-Free, outbound email can be scanned and analyzed to identify and block sensitive information. This could be information like credit cards, social security numbers, member ID, or other specific words setup by the organization. Dell PowerConnect W-series products include strong encryption and security features that can be easily configured in accordance with PCI requirement levels. WPA/WPA2/AES/802.1X features are also provided. Further, PowerConnect W-series offers advanced cryptography features aligned with the high security requirements of FIPS and Suite-B wireless deployments. Dell SonicWALL firewalls with integrated wireless (or used in conjunction with Dell SonicWALL SonicPoint wireless access points) create a Clean Wireless environment, which can layer IPSec over WLAN encryption and enable the regular rotation of WPA/WPA2/TKIP/AES keys. This affords greater protection than required by PCI DSS 2.0 without degradation to performance. Furthermore, encrypted traffic is supplemented with Dell SonicWALL s protection services including IPS/IDS, anti-virus, anti-spyware and URL filtering. With the addition of policy-based routing and Reassembly-Free Deep Packet Inspection, administrators can create policies that never allow unprotected PANs to be sent over a public network, regardless of the application (e.g., email, IM, social media, etc.). 8
Maintain a vulnerability management program 5. Use and regularly Managed intrusion prevention and detection update anti-virus Security log monitoring software or programs. SIEM on-demand Software distribution and patch management This requirement mandates the use of anti-malware solutions to prevent all known types of malicious software from impacting your critical systems. Dell SecureWorks Network Intrusion Prevention and Detection service with our isensor IPS appliance can provide an additional layer of defense against multiple types of attacks. The isensor includes advanced analysis and blocking techniques to protect against threats. Dell security experts can provide full life-cycle management for isensor appliances, from implementation to proactive administration and tuning, including monitoring, configuration, access management, backups, updates, patches, hardware expansion and replacement, and daily audits of existing signatures. If your organization has already invested in Network IPS/IDS equipment, Dell SecureWorks can deliver monitoring services in a co-managed fashion. Dell SecureWorks Security Log Monitoring service provides a team of experts to monitor your infrastructure to identify attacks before damage is done. If you prefer to monitor this activity in-house, Dell SecureWorks SIEM On-Demand service provides the same event aggregation and correlation technology used by our experts as a service, so you can analyze any threats that may occur. Both services provide real-time security visibility and on-demand reports to demonstrate PCI compliance via our customer portal. Network security Dell SonicWALL Next-Generation Firewalls provide an innovative multilayered anti-malware strategy consisting of a proprietary Reassembly- Free Deep Packet Inspection along with anti-malware solution at the gateway and enforced anti-virus solution at the endpoints. When a noncompliant end-point within the network tries to connect to the Internet, the firewall will direct the user to a web page to install the latest Dell SonicWALL Enforced Client Anti-Virus and Anti-Spyware software. The solution automatically delivers updated security definitions to the endpoint as soon as they become available to protect against today s rapidly-evolving threats. Because enforcement is automatic, administration time and costs are minimized. With a continuously updated server and desktop anti-virus technology, administrators can deploy the right solution for their cardholder environment. Client software can be easily deployed on POS machines, retail backoffice servers, workstations, laptops and desktops; all of this can be automated and enforced with Dell SonicWALL firewalls and centrally managed by the Dell SonicWALL Global Management System (GMS). In addition to firewall and endpoint enforcement, the Dell SonicWALL GRID Network collaboratively gathers, analyzes and vets cross-vector 9
threat information from millions of business-oriented sources around the world. Reputation-based threat protection information is then distributed securely, anonymously and in real-time to improve the overall effectiveness of Dell SonicWALL security solutions. Due to the distributed nature of this network and the use of multiple different data sources, the evaluation from one contributor can be vetted against multiple other contributors, allowing the GRID Network s collaborative filtering process to be highly accurate and fully self-correcting. Consequently, businesses that deploy solutions that communicate to the collective backend of the GRID Network are afforded the most up-todate malware signature files. Software distribution and patch management Dell KACE enables organizations to assess, schedule and administer patches and verify status without much of the complexity and cost of traditional solutions. Dell KACE products support large patch repositories including those for Microsoft Windows and Apple Mac OS operating systems, as well as applications from a wide range of vendors including Microsoft, Apple, Adobe, Symantec and Mozilla. The Dell KACE family also supports distribution, installation, and management of security measures such as anti-virus, through remote administration, software distribution and installation capabilities for virtually any application, service pack, update or hotfix. The ease of deployment and use of Dell KACE systems management appliances simplifies these tasks for IT administrators, easing the assurance of compliance and reducing its costs. Maintain a vulnerability management program 6. Develop and maintain Security and risk consulting secure systems and Vulnerability scanning applications. Counter threat unit intelligence Patch management WAF (Web Application Firewall) This requirement mandates the need to ensure that your environment maintains current patch levels, you adhere to secure coding practices and that all Web applications undergo periodic Web application assessments. Dell SecureWorks can conduct periodic vulnerability assessments to ensure the security of environment, perform Web application testing to identify any areas of concern across Web-facing infrastructure, including vulnerabilities that may lead to cross-site scripting attacks, buffer overflows, etc., and align application development with secure coding best practices. Dell SecureWorks Vulnerability Scanning service provides the ability to conduct periodic infrastructure scans to identify any potential vulnerabilities or out-of-date systems. Recurring PCI Compliance Scans and Web Application Scans can be scheduled through the Dell SecureWorks customer portal, or are available any time on demand. 10
Dell SecureWorks Counter Threat Unit Intelligence Services provide vulnerability and threat alerts tailored to your environment, and alerts you to any new patches relevant to your systems. Both the Scanning and Intelligence services provide access to the Dell SecureWorks customer portal to generate on-demand reports to demonstrate PCI compliance. Network security The Dell SonicWALL Web Application Firewall (WAF) Service on the Secure Remote Access Series offers a complete, affordable, out-of-box compliance solution for businesses that is easy to manage and deploy, while protecting web applications against threats and attacks. It leverages an existing infrastructure as a licensable add-on module to the Dell SonicWALL Secure Remote Access platform. Utilizing a dynamically updated signature database to detect and protect against sophisticated web-based attacks, the Dell SonicWALL WAF Service applies reverse proxy analysis of Layer 7 traffic against known signatures, denies access upon detecting Web application malware, and redirects users to an explanatory error page. Additionally, the WAF Service is capable of using custom rules to protect against day-zero vulnerabilities. Acceleration features, including content caching, compression and connection multiplexing, improve the performance of protected websites, significantly reducing transactional costs. Dell SonicWALL WAF also protects against Open Web Application Security Project (OWASP) Top 10 Vulnerabilities. For instance, HTTPS inspection can block attacks embedded into SSLencrypted packets. The WAF Service can protect against sophisticated attacks such as Cross-site Request Forgery (CSRF). Information disclosure protection can block access to websites containing administrator-defined keywords or phrases, and cardholder data, PAN and SSN protection can help in web-based Data Leak Protection (DLP) by preventing leakage of user sensitive information. Dell SonicWALL GMS can ensure that all appliances get the latest firmware and configuration changes mandated by PCI DSS. Appliances can receive security signature updates by GMS or through the cloud without any human intervention. This ensures that all system components are always protected and up-to-date. Regular releases of Dell PowerConnect W-series software versions are made available to all customers to help ensure compliance, along with Security Advisories as appropriate. Dell PowerConnect W-series AirWave management software provides broad reporting capabilities for PCI compliance factors that help identify potential problems. Patch management and end point protection The Dell KACE K1000 Management Appliance patch management solution provides comprehensive and reliable patching that is also easy-to-use and affordable. The KACE patching feature is powered by Lumension, the industry's leading patch management solution. The appliance provides one of the largest patch repositories including patches for Windows and Mac operating systems, as well as a wide range of applications from vendors including Microsoft, Apple, Adobe, Symantec and Mozilla. It also utilizes Lumension s Digital Fingerprint Technology to accurately and reliably assess and remediate vulnerabilities. All of these capabilities are managed through an intuitive 11
Web-based management console, where administrators can control scanning and distribution schedules to minimize business disruptions. The Dell KACE K1000 Management Appliance also provides users with the ability to uncover and remediate problems quickly, by helping them identify vulnerabilities across all end nodes, and enforce compliance with company policies across all desktops, laptops and servers. It reduces the risk of malware, spyware, and viruses, and eliminates vulnerabilities. This reduces user down time due to infection or other security breaches, and in those instances when problems cannot automatically be fixed, allows systems to be quarantined to prevent them from infecting the rest of the network. Implement strong access control measures 7. Restrict access to Security and risk consulting cardholder data by Security log monitoring business need to know. SIEM on-demand This requirement mandates the need for organizations to implement proper identity and access management across systems that house cardholder information. Dell SecureWorks Security Log Monitoring service provides real-time monitoring of these systems by security experts to ensure only authorized personnel gain access. Dell SecureWorks SIEM On-Demand delivers the technology to monitor these systems as a service, should you choose to keep this function in-house. Both services provide access to the Dell SecureWorks customer portal for real-time visibility into activity on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance. Network security Access control is an essential element of all Dell SonicWALL security solutions. Dell SonicWALL Firewall appliances natively allow for the creation of granular access, authorization rules and enforcement at the perimeter, as well as internal and remote networks. With the addition of GMS, administrators can restrict access to a global network of appliances that protect cardholder data by defining what resources an individual, group, or department is authorized to view. Dell PowerConnect W-series enables you to quickly implement best practices for passwords and administrative access for any configurations you deploy. 12
Implement strong access control measures 8. Assign a unique ID to Security and risk consulting each person with Security log monitoring computer access. SIEM on-demand Data protection This requirement mandates the need to ensure that actions taken by known and authorized individuals with computer access can be monitored and traced. Dell SecureWorks can help develop and implement proper policies and procedures for assigning unique IDs and authentication measures. Dell SecureWorks Security Log Monitoring service can provide real-time monitoring of access to systems in your environment. Our SIEM On- Demand delivers the technology you need to monitor access to these systems as a service, should you choose to keep this function in-house. Customers enjoy access to the Dell SecureWorks customer portal for real-time visibility into the cardholder data environment, as well as ondemand reporting. Network security Authentication is an essential part of all Dell SonicWALL solutions. Dell SonicWALL firewall appliances support multiple third-party database authentication, including XAUTH/ RADIUS, Active Directory, SSO, LDAP, Terminal Services, Citrix as well as an internal user database native to the appliance. Several two-factor authentication mechanisms are available for administrators who require access to the cardholder network. Tokens, digital certificates and Single-Sign-on (SSO) are all support across all Dell SonicWALL appliances. An integrated X.509 digital certificate is provided to aid both user and entity authentication, thus allowing for strong authentication without the use of a certificate authority. A local database can be used for user authentication for those administrators who do not wish to deploy digital certificates. In addition, Dell SonicWALL is compatible with trusted PKI vendors such as Baltimore and Entrust. For business running distributed networks, GMS allows for granular control of users who have access to read and write capabilities across a predefined group of appliances. Dell PowerConnect W-series products enable you to easily configure access rights to meet PCI requirements. Data protection Dell Data Protection and Encryption provides the implementation and configuration features necessary (including documentation where appropriate) to allow customers to meet these requirements. DDP E supports the necessary third-party components required (in order to meet sections 8.2, 8.3). 13
Implement strong access control measures 9. Restrict physical access to cardholder data Security and risk consulting End point protection This requirement dictates that organizations implement appropriate physical security controls to limit access to critical systems, ensure proper visitor handling procedures and that organizations have proper procedures when moving or destroying physical media where cardholder information is stored. Dell SecureWorks Security and Risk Consulting can help you address this requirement by working with your team to identify areas where physical security controls must be implemented and testing controls to ensure compliance through social engineering and other tactics. Our Security and Risk Consulting team can also help you develop physical data handling and destruction procedures that align with industry best practices, such as those from the Department of Defense. Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data. Security log monitoring SIEM on-demand This requirement calls for companies to implement logging mechanisms across all network, security and server infrastructure that houses or handles cardholder information, and monitor the logs for any violations. Dell SecureWorks Security Log Monitoring service provides real-time log aggregation, correlation and analysis across any security device or critical information asset. All logs and alerts are monitored by security experts 24x7x365, in real-time, to identify known and unknown threats, or unusual user behavior. Any malicious activitythat is identified is immediately addressed. Our SIEM On-Demand provides your team with the same aggregation and correlation technology used by our analysts, as a service, to enable you to monitor your environment in-house. With both services, log information is stored indefinitely with the previous two years accessible via the Dell SecureWorks customer portal, which also provides real-time security visibility and on-demand reports to demonstrate PCI compliance. Network security Dell SonicWALL GMS offers centralized real-time monitoring, and comprehensive policy and compliance reporting for Dell SonicWALL solutions. Dell SonicWALL Application Traffic Analytics solutions offer deeper insight into suspicious network activity and automated alerts. Dell s W-series AirWave management software can provide audits and 14
reporting on many PCI compliance factors. Clean Wireless Solutions from Dell SonicWALL support industry standards, such as Wi-Fi Protected Access (WPA), and WPA2, as well as integrated radio frequency (RF) scanning and monitoring capabilities. Support for industry standards enables administrators to secure sensitive cardholder information in both wired and wireless network environments, and protect wireless networks and mobile applications from unauthorized use or attack. Dell SonicWALL appliances and access points can also identify and prevent rogue access points (RAP) and unmonitored networks from gaining access to cardholder networks. In addition, both Dell SonicWALL Next-Generation Firewalls and GMS synchronize in helping businesses monitor activity and proactively protect against future probes, attacks and RAPs. Email alerts can be sent to a defined group of security responders. Logs can be stored locally or redirected to a GMS. By utilizing GMS, a business can have a centralized location for security events and logs across thousands of appliances, thus providing a single point to conduct network forensics. Such logs and reports are commonly utilized by QSAs and remediation teams. Audit and reporting Dell KACE systems management appliances support PCI requirements for logging, alerting and audit-worthy reporting. Dell KACE monitoring capabilities keep administrators up-to-date on their current security posture in line with PCI requirements for maintaining security systems and applications, enabling more timely response and preemptive actions when indicated. Metrics provide trending and other information that help direct resources where needed to maintain the compliance posture, while reporting capabilities support the documentation mandated by 10 and elsewhere within the PCI DSS. Protect cardholder data 11. Regularly test security systems and processes. Security and risk consulting Vulnerability scanning Managed intrusion prevention and detection Managed host intrusion prevention Security log monitoring SIEM on-demand This requirement mandates that organizations periodically test their systems and protect them through vulnerability scans, penetration testing, intrusion prevention and detection, and file integrity software. Dell SecureWorks can provide vulnerability assessments and penetration testing. Dell SecureWorks is an Approved Scanning Vendor (ASV), and our Vulnerability Scanning service can be utilized to comply with the quarterly external scan that is required for PCI compliance. Our Managed Intrusion Prevention and Detection service provides the prevention/detection controls identified in this requirement. This 15
service provides implementation of a commercial IPS/IDS technology or can be bundled with our award winning isensor IPS technology to deliver superior protection cost-effectively. Once implemented, our experts will manage these devices, including ongoing tuning, and monitor them to identify and respond to any threats. Dell SecureWorks Managed Host Intrusion Prevention service provides you with the technology and a team of experts to manage and monitor this infrastructure in order to keep it operating at peak performance. Dell SecureWorks Security Log Monitoring service provides real-time monitoring across your systems by true security experts to respond to any security events occurring. Dell SecureWorks SIEM On-Demand service delivers the technology you need to monitor these systems as a service, should you choose to keep this function in-house. Our scanning, Managed IPS/IDS, Log Monitoring and SIEM On-Demand services provide access to the Dell SecureWorks customer portal for real-time visibility into activity on the systems housing cardholder information and on-demand reporting to demonstrate PCI compliance. Network security Unauthorized access points can allow outside attackers to steal bandwidth, infiltrate point-of-sale networks or steal and destroy confidential data. To prevent the installation of RAPs, Dell SonicWALL s wireless IPS can monitor radio spectrum for unauthorized access points. Once an RAP is identified, it can be quarantined and investigated before network access is granted. Although scans must be performed on a 90-day interval, RAP detection can be administered daily across multiple spectrum bands and reported in GMS. Dell s W-series products have the features to quickly detect failing and missing access points. Our W-series AirWave management system has multi-vendor support, and can efficiently manage/monitor Dell or other vendors wired and wireless networking products that may be included in the deployment. Dell PowerConnect W-series provides industry leading Wireless Intrusion Detection and Prevention measures. Wireless Intrusion Detection features should be enabled and utilized to help meet PCI compliance. Vulnerability scanning The Dell KACE K1000 Management Appliance equips organizations to face security audits by allowing enforcement of security policies through OVAL-Based Security and SCAP Scanning The K1000 supports OVAL-based vulnerability scanning of all managed Windows systems. OVAL promotes open, publicly available security content and standardization of its transfer across security tools and services. This includes setting the testing schedule (Security/OVAL Tab), and results reporting. More than 1,700 pre-defined tests are included, and new tests are added as they are defined and published. The K1000 features a National Institute of Standards and Technology (NIST) certified FDCC scanner as part of the Security Content 16
Automation Protocol (SCAP) configuration Scanner, for use in configuration assessment and reporting. The SCAP scanner is integrated into the Appliance and provides easy to use automated scan scheduling and detailed reporting that enable IT managers to manage common endpoint configurations and confirm organizational compliance requirements such as the Federal Desktop Core Configuration (FDCC) standard. Maintain an information security policy 12. Maintain a policy that addresses information security for employees and contractors. Security and risk consulting Security log monitoring This requirement dictates that organizations must create an information security policy that is kept up to date and addresses all the security requirements in the PCI DSS, as well as operational security, system usage, security management, security awareness and incident response. Dell SecureWorks Security and Risk Consulting team can work with your team to create a robust, effective information security policy that addresses all the requirements of this section and the PCI DSS as a whole. Additionally, our Security Log Monitoring Service can provide you with the incident response plan and experts necessary to conduct effective response to stop threats before damage is done. With this service, you will be able to utilize the Dell SecureWorks customer portal to gain real-time security visibility and on-demand reporting to demonstrate PCI compliance. Summary Dell can help you strengthen your company s overall security posture and help satisfy PCI compliance requirements efficiently and cost-effectively. Most common configurations using Dell solutions are backed and approved by an independent PCI Qualified Security Assessor (QSA), ensuring their capacity to serve as technological control components for any merchant or service provider striving to achieve PCI compliance. 2 We have helped companies in a wide variety of industries, government organizations, and companies of all sizes to implement security and PCI compliance initiatives. This deep experience means you can work with your Dell sales team to identify the products and services from our broad portfolio that best meet your requirements and leverage their understanding of your business. We streamline this process and do our best to make this complex and important initiative one that you can more easily manage, and giving you the results you need to be successful. 2 Dell SonicWALL employs the services of an independent PCI Qualified Security Assessor (QSA) to review Dell SonicWALL security platforms. This review initiative provides assurance that Dell SonicWALL solutions can satisfy PCI criteria when configured and implemented in accordance with the PCI DSS standard. 17
About Dell Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Dell KACE Dell KACE Appliances provide easy-to-use, comprehensive and affordable end-to-end systems management utilizing an appliance-based architecture. They deliver a complete, pre-integrated bundle of operating environment and application software via a dedicated server appliance, which can be plugged into an existing network and immediately begin functioning Dell SecureWorks Dell SecureWorks is recognized as an industry leader, providing world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs. Dell SecureWorks offers a full suite of PCI Security consulting and remediation solutions to help organizations address the demands and challenges of PCI compliance. Dell SecureWorks is also an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA). Dell SonicWALL Dell SonicWALL provides intelligent network security and data protection solutions that enable customers and partners to dynamically secure, control, and scale their global networks. Securing any organization with multi-threat scanning based on global input at wire speed, Dell SonicWALL is recognized as an industry leader by Gartner and NSS Labs. For additional information on Dell PCI Compliance solutions, please refer to our brochure, Understanding and Meeting the PCI DSS Compliance Standards You can also call 1-800-545-3608, or visit us at www.dell.com/retail. THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND. Availability varies by country. Copyright 2012 Dell Inc. All rights reserved. Dell, Dell KACE, Dell SecureWorks, Dell SonicWALL and the Dell SecureWorks logos are registered trademarks or service marks of Dell Inc. in the United States and in other countries. All other products and services mentioned are trademarks of their respective companies. This document is for illustration or marketing purposes only and is not intended to modify or supplement any Dell specifications or warranties relating to these products or services. November 2012 18