PCI Requirements Coverage Summary Table



Similar documents
PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Achieving PCI-Compliance through Cyberoam

PCI DSS Requirements - Security Controls and Processes

Becoming PCI Compliant

University of Sunderland Business Assurance PCI Security Policy

Payment Card Industry Self-Assessment Questionnaire

March

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

A Rackspace White Paper Spring 2010

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

PCI v2.0 Compliance for Wireless LAN

LogRhythm and PCI Compliance

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Best Practices for PCI DSS V3.0 Network Security Compliance

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

Enforcing PCI Data Security Standard Compliance

74% 96 Action Items. Compliance

Project Title slide Project: PCI. Are You At Risk?

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Josiah Wilkinson Internal Security Assessor. Nationwide

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI Compliance for Cloud Applications

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

PCI DSS Reporting WHITEPAPER

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PCI DSS v2.0. Compliance Guide

Credit Card Secure Architecture for Interactive Voice Response (IVR) Applications

White Paper September 2013 By Peer1 and CompliancePoint PCI DSS Compliance Clarity Out of Complexity

Overcoming PCI Compliance Challenges

PCI Compliance Top 10 Questions and Answers

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

SonicWALL PCI 1.1 Implementation Guide

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Payment Card Industry Data Security Standard

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

GFI White Paper PCI-DSS compliance and GFI Software products

PCI DSS Compliance Guide

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Payment Card Industry Data Security Standards.

Automate PCI Compliance Monitoring, Investigation & Reporting

Need to be PCI DSS compliant and reduce the risk of fraud?

PCI Compliance. Top 10 Questions & Answers

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Presented By: Bryan Miller CCIE, CISSP

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

How To Protect Your Business From A Hacker Attack

General Standards for Payment Card Environments at Miami University

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

PCI Compliance Training

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Client Security Risk Assessment Questionnaire

What s New in PCI DSS Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc 1

Technology Innovation Programme

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

PCI Security Compliance

Payment Card Industry Data Security Standard

PCI-DSS: A Step-by-Step Payment Card Security Approach. Amy Mushahwar & Mason Weisz

Achieving PCI Compliance Using F5 Products

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

PCI Data Security and Classification Standards Summary

PCI Data Security Standards

Improving PCI Compliance with Network Configuration Automation

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

How Reflection Software Facilitates PCI DSS Compliance

Introduction. PCI DSS Overview

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

New PCI Standards Enhance Security of Cardholder Data

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

Two Approaches to PCI-DSS Compliance

Transcription:

StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2 Solution Overview: People, Process, and Technology... 2 About StillSecure... 3 Summary Table of PCI Requirements Met by StillSecure PCI Complete... 4 2011 StillSecure All rights reserved. StillSecure, StillSecure logo, PCI Complete, Strata Guard, VAM, Safe Access, ProtectPoint, Cobia, and Cobia logo are trademarks or registered trademarks of StillSecure. Additional StillSecure trademarks or registered marks are available at http:///policies/copyright.php. All other brands, company names, product names, trademarks or service marks are the property of their respective owners.

Introduction StillSecure s PCI Complete managed security solution, in conjunction with StillSecure partners, helps merchants and service providers comply with all portions of PCI. This summary table (page 4) describes how StillSecure s PCI Complete security solution meets specific PCI compliance requirements and minimizes the risk and liability from network attacks. Coverage assumptions for PCI Complete deployments The StillSecure PCI Complete solution, when deployed in a PCI-compliant datacenter or Section 9 compliant facility, helps organizations achieve PCI compliance. As all companies subject to PCI know, there is no silver bullet with PCI compliance. When combined with your internal initiatives, PCI Complete s goal is help reduce the burden of compliance and off-load mundane, repetitive activities. PCI Complete can manage a significant number of PCI DSS requirements and in this matrix our analysis assumes that the client will take for these requirements: Standard policies are in place for passwords, messaging, and hiring. Anti-virus and personal firewall software are deployed. WPA or WPA2 wireless security is implemented for all wireless access points. The customer adheres to PCI coding standards for their custom code. Any hosting providers used by the customer are PCI compliant. All point of sales systems are PA-DSS compliant and store and display credit card information masked or encrypted. The customer uses a unified authentication system like Active Directory or LDAP. With these assumptions, PCI Complete can have a significant positive impact on a client s PCI compliance program. Solution Overview: People, Process, and Technology PCI Complete supports organizations in their initiative to comply with all 12 PCI provisions. The solution is affordable, highly automated, and fully managed by StillSecure s staff of security experts. The solution is a combination of technology, process, and expert personnel. It is designed to protect organizations from malicious attacks and reduce the risk and liability of electronic fraud while assuring compliance with all PCI DSS requirements. Systems The PCI Complete solution meets the technological requirements of the PCI DSS by bundling the following managed services: Firewall Intrusion Detection and Prevention System SSL and IPSec VPN Multi-Factor Authentication Internal PCI Vulnerability Scanning External ASV Vulnerability Scanning Web Application Firewall File Integrity Monitoring Log Management and Monitoring Process The PCI Complete solution combines the following policies, procedures, and facilities to meet the process requirements of the PCI DSS: Change control management for services provided Daily event review of all security event log files 6 month firewall and Web app firewall rule configuration reviews Alert escalation procedures for services provided Incidence response procedures 24x7x365 QSA Approved and SSAE 16 Type II audited Security Operations Centers (SOCs) Personnel The PCI Complete solution is fully managed and monitored by StillSecure security analysts on a 24x7x365 basis. These security experts are located in our redundant Security Operations Centers. Our analysts are dedicated security experts whose only is to monitor and manage network security for our customers. They are: Customer service focused, and responding rapidly to security events and customer inquiries (adhering to our 3 rd -ring service policy for handling incoming calls). A highly trained team that understands security and the costs and challenges associated with PCI compliance PCI experts, capable of helping you embed PCI Complete as part of your PCI compliance program. Real-time transparency into these services, processes, and policies is available to authorized customer personnel and auditors through our secure RADAR customer portal. QSA Approved The StillSecure PCI Complete service has achieved a PCI Report on Compliance. All security controls implemented 2

with PCI Complete, including all systems, processes, and personnel, have been scrutinized, tested, and approved for conformance with PCI requirements 1 through 12 by a Qualified Security Assessor (QSA). As a result, a customer s cardholder data environment will inherit these controls when their systems are protected by PCI Complete. Clear evidence that the security controls are effective 24x7x365 is available through our RADAR customer portal, making the customer s PCI audit or selfassessment much more efficient and cost effective. You can rest assured that our service will support your PCI DSS compliance program. About StillSecure At StillSecure, we believe IT executives should be able to focus on driving the success of their company versus being distracted by security and compliance demands. For IT executives facing escalating security threats and evolving compliance requirements, and data centers looking to cement long-term customer relationships, StillSecure designs and delivers managed network security and certified compliance solutions so you can focus on growing your core business. Headquartered in Superior, Colorado, StillSecure protects some of the most sensitive and important computer networks in the world. For more information please call (303) 381-3830, visit http://, or check out more on the StillSecure blog at http://www.thesecuritysamurai.com. 3

Summary Table of PCI Requirements Met by StillSecure PCI Complete The PCI requirements that StillSecure s PCI Complete addresses is summarized below. The table also presents the responsibilities of the customer and the PCI-compliant datacenter or facility for meeting the level of PCI requirements coverage discussed above. PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Customer Requirement 1 Install and maintain a firewall configuration to protect cardholder data Requirement 2 Do not use vendorsupplied defaults for system passwords and other security parameters Firewall Service: Provides implementation of ingress/egress stateful firewall, NAT, and DMZ to prevent access from public, untrusted, and wireless networks. File Integrity Monitoring Service: Checks that the current, running and backup configurations for all routers and switches are in synch. Documentation Process: Maintains a detailed diagram of the network architecture showing all connections, wireless devices, ingress, and egress points within the cardholder environment (CDE). Also, maintains a list of all connections to the CDE that is reviewed quarterly for differences from the results of the vulnerability scan. Configuration Change Control Process: Handles changes, control, and testing of firewall configuration modifications as well as documentation of business justification for all allowed traffic. The system maintains administrator roles and responsibilities for network components. Includes a quarterly review of firewall rules and network documentation. Internal PCI Vulnerability Scanning Service: Checks for the use of default vendor passwords, community strings, and unnecessary user accounts. Checks that each server has only one primary function and unnecessary services are disabled. Ensures all non-console access uses secure, patched, and encrypted protocols. VPN Service: All non-console administrator access is encrypted using an SSL tunnel. For devices that StillSecure manages, the tunnel is established with the StillSecure SOC ensuring that all management activities are encrypted. For other devices within the CDE, the VPN service is used to connect and encrypt all management traffic to and from the CDE. Requirement 1.4 Customer must install and maintain personal firewall software for all mobile devices connecting to the CDE. Note: PCI Complete will check that the firewall software is installed and enabled. Requirement 2.1.1 Ensure that the wireless security settings are configured according to the requirements. Requirements 2.2.3 and 2.2.4 Devices managed by the customer must conform to the Standard Configuration Hardening process. Requirement 2.4 Ensure that all other shared hosting 4

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Customer providers conform to PCI requirements if they store, process, or transmit cardholder data. Requirement 3 Protect stored cardholder data PCI Network Analysis Consultation: Although a customer, StillSecure will work with the customer to segment the network to reduce complexity of the CDE and determine who has access and to what. Requirement 3 The customer must ensure that their credit card storage and point of sales systems encrypt data and manage encryption keys in a compliant manner. Requirement 4 Encrypt transmission of cardholder data across open, public networks Requirement 5 Use and regularly update anti-virus software or programs VPN Service: Provides strong encryption via IPSEC or SSL VPN connections across open or public networks. Site-to-site or personal VPN connections can be established depending on the customer s network architecture. Firewall Service and Change Control Process: Ensures that messaging protocols are not transmitted in and out of the CDE. Documentation Process: Provides a template for messaging policies. Web Application Firewall and Intrusion Detection and Prevention Service Escalation Process: If a detected credit card leak indicates a possible security breach, the escalation procedures are initiated. Internal PCI Vulnerability Scanning Service: Checks that all antivirus software is installed, DAT files are up-to-date, and a full system scan has been completed recently. File Integrity Monitoring Service: For systems that do not support normal antivirus technologies, the File Integrity Monitoring service and agent can Requirement 3.1 Check card holder data retention policy. Requirement 4.1 If a customer uses a communication mechanism that is not natively encrypted, they must ensure the payload of the transmission is encrypted. Requirement 4.1.1 Ensure their wireless network uses secure practices. Requirement 5.1 Deploy antivirus software on all systems within the CDE for which normal antivirus technologies apply. 5

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Customer supplement this requirement. Log Management Service: Monitors the antivirus software logs to detect and alert on any antivirus system operational failures or viruses found. Requirement 6 Develop and maintain secure systems and applications Internal and External PCI Vulnerability Scanning Service: Provides scanning for up-to-date vendor-supplied security patches, Web application vulnerability scanning, and a process for remediation of found vulnerabilities. Scan can be performed before and after a Web application is deployed. Web Application Firewall Service: Provides ongoing protection against Web application threats for public-facing applications. The rules for protection include coverage of all vulnerabilities listed in the OWASP Top Ten and PCI DSS v1.2 requirements 6.5.1-6.5.10. Secure Coding Training: StillSecure partner provides training on best security practices for developing Web applications as well as in-depth code security audits prior to application deployment. Requirements 6.3 and 6.4 Ensure software developers understand policy and best practices for secure software application development. Requirement 7 Restrict access to cardholder data by business need to know VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. ProtectPoint SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. Requirement 7.1 IThe customer is responsible for ensuring users have access to the CDE on a need-to-know and leastprivilege basis. Requirement 7.1.2 Conform to PCI when choosing employees who can access cardholder data. Requirement 8 Assign a unique ID to each person with computer access Multi-Factor Authentication Service: Provides multi-factor authentication using hardware tokens, certificates, and user name and password mechanisms for all remote to PCI environment. VPN and Firewall Service: These services are used in conjunction to authenticate access into the CDE and limit the resources for which each user has access. For remote access the VPN service is used in conjunction with the Multi-Factor Authentication Service using secure tokens, username/password, and SSL certificates for unique identification. Requirement 8.5 For customer managed devices, applications, and databases, the customer must ensure these systems conform to least-privilege user authorization and authentication. 6

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Customer ProtectPoint SOC Change Request Process: The change request process is a structured procedure to ensure that only authorized administrators can grant, change, or terminate user access to the CDE and users are limited to least privilege access according to job function. Requirement 9 Restrict physical access to cardholder data PCI Certified Data Centers and Hosting Provider: Provided in conjunction with our Data Center and Provider partners, StillSecure offers PCI requirement 9 certified rack and virtualized environments. Requirement 9 Ensure that all customer managed physical environments conform. Requirement 10 Track and monitor all access to network resources and cardholder data Log Management Service: Provides daily event reviews for all ProtectPoint and 3 rd party security logs. Also provides log retention to track user access and actions within individual systems components and retains the required audit trail entries. Provides internal centralized log storage, secured audit trails, and forensic information. Retains audit trail history for a minimum of 1 year, with 3 months available for immediate analysis. File Integrity Monitoring Service: Provides file integrity checks on critical audit trail log files. Requirement 11 Regularly test security systems and processes Internal and External PCI Vulnerability Scanning Services: Provides internal and external network vulnerability scans, and Web application vulnerability testing performed by a qualified ASV at least quarterly and when there are significant changes to the network. IDPS Service: Provides monitoring of traffic and 24x7x365 response to attacks. File Integrity Monitoring Service: Provides file integrity checks for all critical systems at least weekly for critical system files, registries, configuration files, and Requirement 11.1 Perform tests for rogue wireless devices on your network. 7

PCI requirement StillSecure PCI Complete coverage Partner / hosting provider Customer content files. Requirement 12 Maintain a policy that addresses information security for employees and contractors 24X7X365 Incidence Response SOC: Our SOC provides an incidence response plan and action for any issue detected from security tools we are monitoring. Documentation Process: Provides usage and operational security policy templates and an incident response plan. Provides a checklist for all policies that must be implemented by the customer and disseminated to employees. Requirement 12.5 Assign a team to security responsibilities. Requirement 12.6 Tailor policy templates to organization requirements and disseminate policies to employees. Requirement 12.7 Screen potential employees. Requirement 12.8 Check PCI compliance of other service providers. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information