PCI Requirements Coverage Summary Table



Similar documents
PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI DSS Requirements - Security Controls and Processes

Becoming PCI Compliant

Achieving PCI-Compliance through Cyberoam

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

University of Sunderland Business Assurance PCI Security Policy

A Rackspace White Paper Spring 2010

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

March

Payment Card Industry Self-Assessment Questionnaire

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

LogRhythm and PCI Compliance

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Enforcing PCI Data Security Standard Compliance

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

SonicWALL PCI 1.1 Implementation Guide

PCI Compliance in Multi-Site Retail Environments

74% 96 Action Items. Compliance

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

PCI Compliance for Cloud Applications

PCI v2.0 Compliance for Wireless LAN

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Automate PCI Compliance Monitoring, Investigation & Reporting

Need to be PCI DSS compliant and reduce the risk of fraud?

Achieving PCI Compliance Using F5 Products

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

Josiah Wilkinson Internal Security Assessor. Nationwide

Technology Innovation Programme

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Overcoming PCI Compliance Challenges

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Presented By: Bryan Miller CCIE, CISSP

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PCI DSS v2.0. Compliance Guide

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

GFI White Paper PCI-DSS compliance and GFI Software products

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

PCI Compliance Top 10 Questions and Answers

Implementation Guide

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Passing PCI Compliance How to Address the Application Security Mandates

Client Security Risk Assessment Questionnaire

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

PCI DSS Compliance Guide

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Payment Card Industry Data Security Standard

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Accelerating PCI Compliance

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Project Title slide Project: PCI. Are You At Risk?

Network Segmentation

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications

How Reflection Software Facilitates PCI DSS Compliance

PCI Compliance. Top 10 Questions & Answers

General Standards for Payment Card Environments at Miami University

Payment Card Industry Data Security Standard

New PCI Standards Enhance Security of Cardholder Data

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

PCI DSS requirements solution mapping

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Retour d'expérience PCI DSS

Achieving PCI DSS Compliance with Cinxi

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

PCI DSS Reporting WHITEPAPER

Two Approaches to PCI-DSS Compliance

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Top 10 PCI Concerns. Jeff Tucker Sr. Security Consultant, Foundstone Professional Services

Did you know your security solution can help with PCI compliance too?

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

Transcription:

StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2 Solution Overview: People, Process, and Technology... 2 About StillSecure... 3 Summary Table of PCI Requirements Met by StillSecure PCI Complete... 4 2013 StillSecure View trademark and copyright restrictions: http:///company/copyright.php.

Introduction StillSecure s PCI Complete managed security solution, in conjunction with StillSecure partners, helps merchants and service providers comply with all portions of PCI. This summary table (page 4) describes how StillSecure s PCI Complete security solution meets specific PCI compliance requirements and minimizes the risk and liability from network attacks. Coverage assumptions for PCI Complete deployments The StillSecure PCI Complete solution, when deployed in a PCI-compliant datacenter or Section 9 compliant facility, helps organizations achieve PCI compliance. As all companies subject to PCI know, there is no silver bullet with PCI compliance. PCI Complete s goal is to help reduce the burden of compliance and off-load mundane, repetitive activities. When combined with your internal initiatives, PCI Complete can address a significant number of PCI DSS requirements and in this matrix our analysis assumes that the client will take for these requirements: Standard policies and procedures are in place for passwords, messaging, and hiring, particularly in regards to Requirement 12. Anti-virus and personal firewall software are deployed. WPA or WPA2 wireless security is implemented for all wireless access points. The customer adheres to PCI coding standards for their custom code. Any hosting providers used by the customer are PCI compliant. All point of sales systems are PA-DSS compliant and store and display credit card information masked or encrypted. The customer uses a unified authentication system like Active Directory or LDAP. With these assumptions, PCI Complete can have a significant positive impact on a client s PCI compliance program. Solution Overview: People, Process, and Technology PCI Complete supports organizations in their initiative to comply with PCI DSS. The solution is affordable, highly automated, and fully managed by StillSecure s staff of security experts. The solution is a combination of technology, process, and expert personnel. It is designed to protect organizations from malicious attacks and reduce the risk and liability of electronic fraud while assuring compliance with all PCI DSS requirements. Systems The PCI Complete solution meets the technological requirements of the PCI DSS by bundling the following managed services: Firewall Intrusion Detection and Prevention System SSL and IPSec VPN Multi-Factor Authentication Internal Vulnerability Scanning External Vulnerability Scanning Web Application Firewall File Integrity Monitoring Security Event Log Management (SELM) and Monitoring Process The PCI Complete solution combines the following policies, procedures, and facilities to meet the process requirements of the PCI DSS: Change control management for services provided Daily event review of all security event log files 6 month firewall and Web app firewall rule configuration reviews Alert escalation procedures for services provided Incidence response procedures 24x7 QSA Approved and SSAE 16 Type II audited Security Operations Centers (SOCs) Personnel The PCI Complete solution is fully managed and monitored by StillSecure security analysts on a 24x7 basis. These security experts are located in our redundant Security Operations Centers. Our analysts are dedicated security experts whose only is to monitor and manage network security for our customers. They are: Customer service focused, responding rapidly to security events and customer inquiries (adhering to our 3 rd -ring service policy for handling incoming calls). A highly trained team that understands security and the intricacies of the requirements associated with meeting PCI Compliance PCI experts, capable of helping you embed PCI Complete as part of your PCI compliance program. Real-time transparency into these services, processes, and policies is available to authorized customer personnel and auditors through our secure RADAR customer portal. QSA Approved The StillSecure PCI Complete service has achieved a PCI 2 All rights reserved. Copyright 2012 StillSecure.

Report on Compliance. All security controls implemented with PCI Complete, including all systems, processes, and personnel, have been scrutinized, tested, and approved for conformance with PCI requirements 1 through 12 by a Qualified Security Assessor (QSA). As a result, a customer s cardholder data environment will inherit these controls when their systems are protected by PCI Complete. Clear evidence that the security controls are effective 24x7 is available through our RADAR customer portal, making the customer s PCI audit or selfassessment much more efficient and cost effective. You can rest assured that our service will support your PCI DSS compliance program. About StillSecure At StillSecure, we believe IT executives should be able to focus on driving the success of their company versus being distracted by security and compliance demands. For IT executives facing escalating security threats and evolving compliance requirements StillSecure designs and delivers managed network security and certified compliance solutions so you can focus on growing your core business. Headquartered in Superior, Colorado, StillSecure protects some of the most sensitive and important computer networks in the world. For more information please call (303) 381-3801, visit http://, or check out more on the StillSecure blog at http://www.thesecuritysamurai.com. Note: The following was derived from PCI DSS 2.0. It is current as of November 1, 2012. It is meant to distinguish between StillSecure's services and customer responsibilities with PCI Complete protecting customer's Cardholder Data Environment. It is not intended to provide legal guidance as to a customer's under PCI. Consult a PCI qualified security assessor (QSA) for appropriate guidance. 3

Summary Table of PCI Requirements Met by StillSecure PCI Complete The PCI requirements that StillSecure s PCI Complete addresses is summarized below. The table also presents the responsibilities of the customer and the PCI-compliant datacenter or facility for meeting the level of PCI requirements coverage discussed above. PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Requirement 1 Install and maintain a firewall configuration to protect cardholder data Requirement 2 Do not use vendorsupplied defaults for system passwords and other security parameters Firewall Service: Provides implementation of ingress/egress stateful firewall, NAT, and DMZ to prevent access from public, untrusted, and wireless networks. File Integrity Monitoring Service: Checks that the current, running and backup configurations for all routers and switches are set according to policy. Documentation Process: Maintains a detailed diagram of the network architecture showing all connections, wireless devices, ingress, and egress points within the cardholder environment (CDE). Also, maintains a list of all connections to the CDE that is reviewed bi-annually for differences from the results of the vulnerability scan. Configuration Change Control Process: Handles change control, and testing of firewall configuration modifications as well as documentation of business justification for all allowed traffic. The system maintains administrator roles and responsibilities for network components. Includes a bi-annual review of firewall rules and network documentation. Internal PCI Vulnerability Scanning Service: Checks for the use of default vendor passwords, community strings, and unnecessary user accounts. Checks that each server has only one primary function and unnecessary services are disabled. Ensures all non-console access uses secure, patched, and encrypted protocols. VPN Service: All non-console administrator access is encrypted using an SSL tunnel. For devices that StillSecure manages, the tunnel is established with the Requirement 1.1 StillSecure follows established firewall and router configuration standards to provide services in a PCI compliant fashion. Customer is responsible to establish and follow their own processes. Requirement 1.3.7 Customer must accept deployment guidance for StillSecure to provide proper segregation. Requirement 1.4 Customer must install and maintain personal firewall software for all mobile devices connecting to the CDE. Note: PCI Complete will check that the firewall software is installed and enabled. Requirement 2 Customer is responsible for devices not managed by StillSecure. Requirement 2.3 StillSecure will secure access to the cardholder data environment through 4

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider StillSecure SOC ensuring that all management activities are encrypted. For other devices within the CDE, the VPN service is used to connect and encrypt all management traffic to and from the CDE. VPN with multi-factor authentication. All other internal access paths must be secured by the customer. Requirement 3 Protect stored cardholder data PCI Network Analysis Consultation: Although a customer, StillSecure will work with the customer to segment the network to reduce complexity of the CDE and determine who has access and to what. Ensure that credit card storage and point of sales systems encrypt data and manage encryption keys in a compliant manner. Requirement 4 Encrypt transmission of cardholder data across open, public networks Requirement 5 Use and regularly update anti-virus software or programs VPN Service: Provides strong encryption via IPSEC or SSL VPN connections across open or public networks. Site-to-site or personal VPN connections can be established depending on the customer s network architecture. Firewall Service and Change Control Process: Ensures that messaging protocols are not transmitted in and out of the CDE. Web Application Firewall and Intrusion Detection and Prevention Service: IDPS and WAF identify unencrypted PANS sent out. Escalation Process: If a detected credit card leak indicates a possible security breach, the escalation procedures are initiated. Internal PCI Vulnerability Scanning Service: Checks that antivirus software is installed, DAT files are up-to-date, and a full system scan has been completed recently. File Integrity Monitoring Service: For systems that do not support normal antivirus technologies, the File Integrity Monitoring service and agent can supplement this requirement. Security Event Log Management (SELM) and Monitoring Service: Monitors the antivirus software logs to detect and alert on any antivirus system operational failures or viruses found. If a communication mechanism that is not natively encrypted is in use, ensure the payload of the transmission is encrypted. Deploy, manage and monitor antivirus software on all systems within the CDE for which normal antivirus technologies apply. 5

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Requirement 6 Develop and maintain secure systems and applications Internal and External Vulnerability Scanning Service: Provides scanning for upto-date vendor-supplied security patches, and Web application vulnerability scanning. Scan can be performed before and after a Web application is deployed. Web Application Firewall Service: Provides ongoing protection against Web application threats for public-facing applications. The rules for protection include coverage of all vulnerabilities listed in the OWASP Top Ten and PCI DSS v1.2 requirements 6.5.1-6.5.9. Secure Coding Training: StillSecure partner provides training on best security practices for developing Web applications as well as in-depth code security audits prior to application deployment. StillSecure can assist in identifying vulnerabilities and follows documented internal processes to identify and assign risk to those vulnerabilities. Customer must patch vulnerabilities, use best secure software development practices, and follow all change control requirements. Requirement 7 Restrict access to cardholder data by business need to know VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. StillSecure SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. Customer is responsible for internal access control for all systems it manages. StillSecure provides remote access control via VPN with multifactor authentication. Requirement 8 Assign a unique ID to each person with computer access Multi-Factor Authentication Service: Provides multi-factor authentication using tokens, certificates, and user name and password mechanisms for all remote to PCI environment. VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. For remote access the VPN service is used in conjunction with the Multi-Factor Authentication Service using secure tokens, username/password, and SSL certificates for unique identification. StillSecure provides access controls on a per user basis for all remote users via VPN with multi-factor authentication. Customer must provide all access controls for internal access to the CDE. StillSecure SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. Requirement 9 Restrict physical PCI Certified Data Centers and Hosting Provider: Ensure that all customer managed physical environments conform. 6

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider access to cardholder data Provided in conjunction with our Data Center and Provider partners, StillSecure offers PCI requirement 9 certified rack and virtualized environments. Requirement 10 Track and monitor all access to network resources and cardholder data Security Event Log Management (SELM) and Monitoring Service: Provides daily event reviews for all StillSecure and 3 rd party security logs. Also provides log retention to track user access and actions within individual systems components and retains the required audit trail entries. Provides internal centralized log storage, secured audit trails, and forensic information. Retains audit trail history for a minimum of 1 year, with 3 months available for analysis. File Integrity Monitoring Service: Provides file integrity checks on critical audit trail log files. Ensure log events are generated to meet all section 10 requirements. StillSecure will store, correlate and report on log events from the CDE. Requirement 11 Regularly test security systems and processes Internal and External Vulnerability Scanning Services: Provides internal and external network vulnerability scans, and Web application vulnerability testing performed by a qualified engineer at least bi-annually and when there are significant changes to the network (customer responsible for informing on all significant changes to the network). IDPS Service: Provides monitoring of traffic and 24x7 response to attacks. File Integrity Monitoring Service: Provides file integrity checks for all critical systems at least weekly for critical system files, registries, configuration files, and content files. Perform tests for rogue wireless devices on your network. Remediate vulnerabilities found in the CDE by StillSecure vulnerability scans. Assist in identifying exceptions to standard configuration files, as well as configuration files for custom applications for any changes that may be identified by StillSecure s file integrity service. Perform an annual penetration test, both network and application layers. Requirement 12 Maintain a policy that addresses information security 24x7 Incidence Response SOC: Our SOC provides an incidence response plan and action for any issue detected from security tools we are monitoring. Documentation Process: Provides usage and operational security policy StillSecure maintains, trains, and enforces its own security processes. Customer is responsible for maintaining, training and enforcing it s 7

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider templates and an incident response plan. Provides a checklist for all policies that must be implemented by the customer and disseminated to employees. own security processes. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information