Citrix GoToMyPC Corporate and Payment Card Industry (PCI) compliance


Citrix GoToMyPC Corporate and Payment Card Industry (PCI) compliance

GoToMyPC Corporate provides industry-leading configurable security controls and centralized endpoint management that can be implemented to meet the PCI DSS requirements.

Scope and audience

This guide is for Citrix GoToMyPC Corporate customers and other stakeholders who need to understand how GoToMyPC can meet the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS). This document solely addresses the GoToMyPC Corporate product as it pertains to the PCI DSS standards. This document is only a guide and not an authority on validating the GoToMyPC Corporate product with the PCI DSS. It is ultimately up to the merchant, service provider or Qualified Security Assessor (QSA) whether the GoToMyPC Corporate product would address the PCI DSS requirements as implemented in the customer's unique environment.

Introduction

Protecting the integrity of your company network and the privacy of sensitive data like credit card information is of utmost concern to any enterprise, especially when extending remote access. Merchants who are involved with the processing, storing or transmitting of credit card information must also comply with the PCI DSS. This guide was created to assist those merchants who want to implement GoToMyPC Corporate in an environment that needs to comply with the PCI DSS.

Citrix GoToMyPC Corporate is a secure, managed service that provides remote access to the desktop. It reduces the costs and complexities associated with traditional remote access solutions while offering administrators the highest level of security and centralized control.

The PCI DSS was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. The PCI DSS does this by providing a baseline of technical and operational requirements designed to protect cardholder data. These regulations apply to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data.

This document focuses on the information security features of GoToMyPC Corporate as they pertain to the PCI DSS. Before reading, you should already have a basic understanding of the product, its features and the PCI DSS. Additional materials on GoToMyPC Corporate may be found online at www. or by contacting a Citrix representative. Additional information on the PCI DSS program can be found at https://www.pcisecuritystandards.org.

Payment Card Industry Data Security Standard compliance

The GoToMyPC Corporate product contains various security and administrative features that can be used to meet the PCI DSS requirements. The table below describes some of these features and which PCI DSS requirement they may meet in the customer's environment. This list is not intended to be exhaustive but rather a highlight of the key controls when looking at the PCI DSS program. Detailed information about the security controls in GoToMyPC Corporate can be found in the GoToMyPC Corporate Security and Security FAQs.

Key requirements guide

PCI DSS Requirements 1.2 and 1.3.8
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
GoToMyPC Corporate: GoToMyPC generates only outbound HTTP/TCP traffic to ports 80, 443 and/or 8080. Traffic can be filtered to only the GoToMyPC broker address. Citrix will filter GoToMyPC connections to only company-authorized network address blocks. GoToMyPC is completely compatible with application proxy firewalls, dynamic IP addresses and network/port address translation (NAT/PAT).

PCI DSS Requirement 2.1
Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
GoToMyPC Corporate: Unique accounts and passwords must be created at installation of the product. No vendor defaults are used.

PCI DSS Requirements 2.3 and 4.1
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
GoToMyPC Corporate: All GoToMyPC Corporate connections are end-to-end encrypted using 128-bit AES (FIPS 197) encryption in Counter Mode (CTR). Unique 128-bit AES secret encryption keys are generated for each session. The Secure Remote Password (SRP) protocol is used for end-to-end encrypted authentication. Numerous additional checks are made on the session data after it is received to ensure network transmission integrity. All website connections are protected using SSL with a minimum of 128-bit symmetric encryption and a 1024-bit authenticated key agreement.

PCI DSS Requirement 6.1
Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
GoToMyPC Corporate: Citrix continuously tests and improves upon the GoToMyPC Corporate product. Updates are regularly released to customers. Citrix servers run on hardened Linux servers with the latest security patches installed. Servers have penetration and vulnerability testing conducted on them.

PCI DSS Requirement 7.2
Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.
GoToMyPC Corporate: Account managers organize users into groups, defining access policy on a per-user or per-group basis.

PCI DSS Requirement 8.1
Assign all users a unique ID before allowing them to access system components or cardholder data.
GoToMyPC Corporate: Users and account managers are identified by using their unique email address as their log-in name. GoToMyPC does not circumvent operating system-level access controls already in place.

PCI DSS Requirement 8.3
Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
GoToMyPC Corporate: Users are required to enter a username and password and then a secondary password at the host computer. Users can generate optional one-time passwords (OTP). GoToMyPC integrates with existing RSA SecurID infrastructure. Local operating system access controls are never overridden.

PCI DSS Requirement 8.4
Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
GoToMyPC Corporate: Passwords are always transmitted or stored encrypted. Access code verifiers are stored encrypted on the user's computer and never transmitted.

PCI DSS Requirement 8.5.1
Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
GoToMyPC Corporate: Administrators can add, delete and modify users.

PCI DSS Requirement 8.5.2
Verify user identity before performing password resets.
GoToMyPC Corporate: Users can either reset their password via a self-service function verified through email or by contacting a Citrix support representative who will verify their identity.

PCI DSS Requirement 8.5.4
Immediately revoke access for any terminated users.
GoToMyPC Corporate: Administrators can revoke user access at any time.

PCI DSS Requirement 8.5.5
Remove/disable inactive user accounts at least every 90 days.
GoToMyPC Corporate: The administration center can be used to check the activation status for individuals and groups. Controls are available to temporarily suspend or permanently cancel any user or group account.

PCI DSS Requirement 8.5.6
Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use.
GoToMyPC Corporate: A guest mode can be used and is restricted to a one-time use for the guest. Access can be monitored and terminated at any time. A view-only mode exists for more restricted access.

PCI DSS Requirement 8.5.8
Do not use group, shared, or generic accounts and passwords or other authentication methods.
GoToMyPC Corporate: Unique accounts and passwords are used.

PCI DSS Requirement 8.5.9
Change user passwords at least every 90 days.
GoToMyPC Corporate: The password expiration period is configurable. If the account holder logs in and the password has expired, the account holder is forced to change his or her password.

PCI DSS Requirement 8.5.10
Require a minimum password length of at least seven characters.
GoToMyPC Corporate: Passwords are required to be at least 8 characters long.

PCI DSS Requirement 8.5.11
Use passwords containing both numeric and alphabetic characters.
GoToMyPC Corporate: Passwords are required to contain both numbers and letters.

PCI DSS Requirement 8.5.12
Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
GoToMyPC Corporate: Password reuse rules can be configured.

PCI DSS Requirement 8.5.13
Limit repeated access attempts by locking out the user ID after not more than six attempts.
GoToMyPC Corporate: By default, after 3 authentication failures, access to the user's account and computer is temporarily deactivated for 5 minutes.

PCI DSS Requirement 8.5.14
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
GoToMyPC Corporate: Administrators can match existing security policies by customizing the lockout period and enabling hard lockout after a consecutive number of incorrect password entries. Hard lockouts require administrator intervention to unlock the user's account. Reports allow administrators to view GoToMyPC Corporate usage and account information.

PCI DSS Requirement 8.5.15
If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
GoToMyPC Corporate: Users are logged out of the GoToMyPC website after 15 minutes of inactivity. The viewer session is configurable to time out after a period of inactivity.
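The 8.5.9 through 8.5.15 rows above describe a configurable password and lockout policy. The Python below is an added example, not code from the Citrix paper or the GoToMyPC product: it implements those controls as a small policy engine with the PCI DSS thresholds as defaults (90-day expiry, 7-character minimum, letters and digits, last-four history, lockout after six attempts for 30 minutes, 15-minute idle timeout) and shows the GoToMyPC defaults the table states (3 failures, 5-minute lockout, 8-character minimum) as a second policy with hard lockout enabled. The names Policy, Account, authenticate, demo and the sample credentials are constructed for the example; the salted PBKDF2 storage is an assumption about one way a system could keep passwords unreadable under 8.4, not a description of how GoToMyPC does it.

```python
"""Added example: PCI DSS 8.5.9-8.5.15 account controls as a policy engine.
Not Citrix/GoToMyPC code; names and thresholds other than the PCI ones are
constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    max_age_days: int = 90      # 8.5.9  change passwords at least every 90 days
    min_length: int = 7         # 8.5.10 minimum length (GoToMyPC enforces 8)
    history_depth: int = 4      # 8.5.12 reject any of the last four passwords
    max_failures: int = 6       # 8.5.13 lock out after not more than six attempts
    lockout_minutes: int = 30   # 8.5.14 lockout duration
    idle_minutes: int = 15      # 8.5.15 re-authenticate after this idle period
    hard_lockout: bool = False  # 8.5.14 alternative: locked until an admin unlocks


# GoToMyPC's stated defaults from the table: 3 failures, 5-minute lockout, 8-char minimum.
GOTOMYPC_DEFAULTS = Policy(min_length=8, max_failures=3, lockout_minutes=5)


def _hash(password: str, salt: bytes) -> bytes:
    # 8.4: store only a salted one-way digest (iteration count kept small for the demo)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


@dataclass
class Account:
    user_id: str                        # unique per person (8.1, 8.5.8)
    history: list                       # (salt, digest) pairs, current password last
    changed_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    hard_locked: bool = False
    last_activity: Optional[datetime] = None


def validate_new_password(policy: Policy, account: Account, new_pw: str) -> list:
    """Return the list of 8.5.10-8.5.12 rules the candidate password violates."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append("too_short")
    if not (any(c.isalpha() for c in new_pw) and any(c.isdigit() for c in new_pw)):
        problems.append("needs_letters_and_digits")
    for salt, digest in account.history[-policy.history_depth:]:
        if hmac.compare_digest(_hash(new_pw, salt), digest):
            problems.append("reused")
            break
    return problems


def set_password(policy: Policy, account: Account, new_pw: str, now: datetime) -> None:
    problems = validate_new_password(policy, account, new_pw)
    if problems:
        raise ValueError(", ".join(problems))
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_pw, salt)))
    account.changed_at = now
    account.failures = 0


def create_account(user_id: str, password: str, now: datetime, policy: Policy) -> Account:
    account = Account(user_id=user_id, history=[], changed_at=now)
    set_password(policy, account, password, now)
    return account


def authenticate(policy: Policy, account: Account, password: str, now: datetime) -> str:
    """Outcomes: ok, denied, locked, hard_locked, expired (8.5.9/8.5.13/8.5.14)."""
    if account.hard_locked:
        return "hard_locked"
    if account.locked_until and now < account.locked_until:
        return "locked"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_hash(password, salt), digest):
        account.failures += 1
        if account.failures >= policy.max_failures:
            account.failures = 0
            if policy.hard_lockout:
                account.hard_locked = True
                return "hard_locked"
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            return "locked"
        return "denied"
    account.failures = 0
    account.last_activity = now
    if now - account.changed_at > timedelta(days=policy.max_age_days):
        return "expired"   # correct password, but a change is forced before use
    return "ok"


def session_active(policy: Policy, account: Account, now: datetime) -> bool:
    """8.5.15: a session idle longer than idle_minutes needs re-authentication."""
    if account.last_activity is None:
        return False
    return now - account.last_activity <= timedelta(minutes=policy.idle_minutes)


def admin_unlock(account: Account) -> None:
    account.hard_locked = False
    account.locked_until = None
    account.failures = 0


def demo() -> dict:
    """Walk one account through every control; returns the observed outcomes."""
    t0 = datetime(2013, 9, 1, 9, 0)
    p = Policy()
    a = create_account("alice@example.com", "Summer2013", t0, p)
    out = {"weak": validate_new_password(p, a, "abc"),
           "reuse_now": validate_new_password(p, a, "Summer2013")}
    for i, pw in enumerate(["Autumn2013", "Winter2013", "Spring2014", "Second2014"]):
        set_password(p, a, pw, t0 + timedelta(days=i + 1))
    out["reuse_after_four"] = validate_new_password(p, a, "Summer2013")
    t1 = t0 + timedelta(days=10)
    out["attempts"] = [authenticate(p, a, "wrong", t1 + timedelta(seconds=i)) for i in range(6)]
    out["during_lockout"] = authenticate(p, a, "Second2014", t1 + timedelta(minutes=10))
    t2 = t1 + timedelta(minutes=31)
    out["after_lockout"] = authenticate(p, a, "Second2014", t2)
    out["idle_14"] = session_active(p, a, t2 + timedelta(minutes=14))
    out["idle_16"] = session_active(p, a, t2 + timedelta(minutes=16))
    out["expired"] = authenticate(p, a, "Second2014", t0 + timedelta(days=100))
    g = Policy(min_length=8, max_failures=3, lockout_minutes=5, hard_lockout=True)
    b = create_account("bob@example.com", "Winter2013", t0, g)
    out["hard"] = [authenticate(g, b, "wrong", t0) for _ in range(3)]
    out["hard_correct"] = authenticate(g, b, "Winter2013", t0)
    admin_unlock(b)
    out["unlocked"] = authenticate(g, b, "Winter2013", t0)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter for an assessor: the reuse check keeps the current password in the history window, so "last four" covers the current and the three before it, and an expired password is reported only after it verifies, so an attacker cannot use the expiry path as a password oracle.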

Requirement 10: Track and monitor all access to network resources and cardholder data

GoToMyPC Corporate: The administrator can view connection history for any given day, including connections that are still active. Each connection record displays details such as the first and last name of the user, name of host, the IP address, connection start and stop times and connection duration. The administrator can generate reports for specific dates and ranges that provide details on users, connection time and duration, enabled users, security features enabled for users/groups, hours of access, last log-in time and failed log-in attempts. Event logs can be integrated into existing reporting infrastructure. Citrix maintains additional logs about the connection to aid in diagnosis. Logs are restricted to select Citrix personnel.

Frequently asked questions

Q: Is GoToMyPC Corporate compliant with the PCI DSS?
A: GoToMyPC Corporate is not directly subject to the PCI DSS because it is a remote access technology. If GoToMyPC Corporate is used as a remote access solution for a customer's environment that is subject to the PCI DSS, then certain PCI DSS requirements may need to be met depending on how the product is implemented and the network scope of the PCI environment. It is up to a PCI Qualified Security Assessor (QSA) and the customer to determine the scope for their PCI DSS assessment.

Q: I am using the GoToMyPC Pro product instead of GoToMyPC Corporate. Can that meet the intent of the PCI DSS requirements?
A: It is recommended that GoToMyPC Corporate be used in an environment needing to comply with the PCI DSS requirements due to the extra configurable security controls and centralized management found in the product.

Q: Is Citrix compliant with the PCI DSS?
A: Yes, Citrix as a merchant maintains compliance with the PCI DSS. An annual assessment, quarterly vulnerability scans and penetration testing are conducted to maintain compliance.
North America: Citrix Online, LLC, 7414 Hollister Avenue, Goleta, CA 93117, U.S.A. T +1 805 690 6400, info@citrixonline.com
Europe, Middle East & Africa: Citrix Online, UK Ltd, Chalfont Park House, Chalfont Park, Gerrards Cross, Bucks SL9 0DZ, United Kingdom. T +44 (0) 800 011 2120, europe@citrixonline.com
Asia Pacific: Citrix Online, AUS Pty Ltd, Level 3, 1 Julius Avenue, Riverside Corporate Park, North Ryde NSW 2113, Australia. T +61 2 8870 0870, asiapac@citrixonline.com

About Citrix

Citrix (NASDAQ:CTXS) is the cloud company that enables mobile workstyles, empowering people to work and collaborate from anywhere, easily and securely. With market-leading solutions for mobility, desktop virtualization, cloud networking, cloud platforms, collaboration and data sharing, Citrix helps organizations achieve the speed and agility necessary to succeed in a mobile and dynamic world. Citrix products are in use at more than 260,000 organizations and by over 100 million users globally. Learn more at www.citrix.com.

2013 Citrix Online, LLC. All rights reserved. Citrix, GoToAssist, GoToMeeting, GoToMyPC, GoToTraining, GoToWebinar, Podio and ShareFile are trademarks of Citrix or a subsidiary thereof, and are or may be registered in the U.S. Patent and Trademark Office and other countries. All other trademarks are the property of their respective owners. Mac is a trademark of Apple, Inc., registered in the U.S. and other countries. 9.12.13/9400/PDF