Complying with Payment Card Industry (PCI-DSS) Requirements with DataStax and Vormetric

Table of Contents
Overview
PIN Transaction Security Requirements
Payment Application Data Security Standard (PA-DSS)
Payment Card Industry Data Security Standard (PCI DSS)
Target Market and Customers
Goals and Objectives
Levels of Compliance and Types
PCI DSS Requirements
What DataStax Enterprise Offers
DataStax and Vormetric Partnership
The Vormetric Solution
How DSE and Vormetric Address PCI Requirements
Limitations
Conclusion
About DataStax
About Vormetric

Overview

Securing data is a requirement for any organization, large or small, that handles debit, credit and prepaid cards, otherwise known as payment cards. Such organizations handle sensitive customer information: name, address and account number, as well as the three- or four-digit security code printed on the card. To protect this data, the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) founded the PCI Security Standards Council (PCI SSC) to facilitate the broad adoption of consistent data security measures on a global basis. Payment card industry security standards fall into the following three categories.

PIN Transaction Security Requirements

These requirements, referred to as PCI PTS (formerly PCI PED), apply to companies that make devices or components that accept PINs as part of a transaction or other payment processing activities.

Payment Application Data Security Standard (PA-DSS)

PA-DSS applies to vendors and other software developers who implement payment applications that store, process or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed or licensed to third parties.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of requirements designed to ensure that companies maintain a secure environment for cardholder data while facilitating the broad adoption of consistent data security measures in-house. It provides a baseline of technical and operational requirements designed to protect cardholder data, with an emphasis on general IT security and controls, and is administered and managed by the PCI SSC. Compliance means the organization meets that baseline and customers can reasonably trust it with their payment card information. Non-compliance raises the risk that data is compromised, whether through an intrusion or other causes, which can result in irreparable brand damage, loss of sales and customers, lawsuits, fines and cancellation of the merchant account.

Target Market and Customers

PCI DSS applies to any organization or merchant that stores, accepts, processes or transmits cardholder data. This includes web and e-commerce companies, banks, and other retail and financial institutions.
Reference: https://www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf

Goals and Objectives

Merchants and organizations expect the underlying database to be secure and compliant, since sensitive cardholder data will ultimately be kept in the data store. DataStax, the company driving Apache Cassandra, provides the enterprise-class security features that businesses need to protect key data assets. DataStax is focused on providing customers a secure, scalable, high-performance NoSQL database that puts organizations on the path to managing modern data and meeting PCI compliance initiatives.

Levels of Compliance and Types

Merchants and organizations fall into one of four levels, depending on annual transaction volume, and one of five types, depending on how they handle and process cardholder data.

To determine their standing, organizations complete a Self-Assessment Questionnaire (SAQ) and/or have regular network and website scans performed by an Approved Scanning Vendor (ASV); the highest merchant level requires an on-site assessment and a Report on Compliance from a Qualified Security Assessor (QSA). The organization also signs an Attestation of Compliance (AOC).
Reference: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Table: Merchant level definitions by payment brand and annual transaction volume (not reproduced in this transcription).
Reference: http://information.rapid7.com/rs/rapid7/images/pci-dss-2-0-guide.pdf

Levels are based on the number of transactions processed annually and are defined independently by each payment brand. Types determine which sections and requirements of PCI DSS apply and correspond to the self-assessment questionnaires mentioned above. Unlike levels, types are defined collectively by all brands. The five types referenced in this paper are A, B, C-VT, C and D.

Reference: http://information.rapid7.com/rs/rapid7/Demystifying-pci-guide.pdf

PCI DSS Requirements

The 12 security requirements cover networks, servers, databases and applications. They are listed one by one, with the coverage DSE and Vormetric provide for each, in the section "How DSE and Vormetric Address PCI Requirements" below.

What DataStax Enterprise Offers

DataStax Enterprise (DSE) includes enterprise-ready Cassandra, the ability to run analytics on Cassandra data with Apache Spark or Hadoop, and enterprise search on Cassandra data with Apache Solr. DSE also provides the following security features:

- Internal authentication using login accounts and passwords for the Cassandra, Hadoop and Spark clusters in DSE.
- Object permission management based on the GRANT/REVOKE paradigm for keyspaces and tables.
- Client-to-node encryption using SSL for data travelling between clients and the Cassandra, Hadoop, Spark and Solr clusters in DSE.
- LDAP and Active Directory integration: a standardized way of keeping security credentials in a centralized repository for a company's applications. Users are created in DSE while the directory server handles password management. Supports authentication for the Cassandra, Spark, Hadoop and Solr clusters in DSE.
- Kerberos authentication: a network authentication protocol that lets nodes communicating over a non-secure network prove their identity to one another using tickets. Supports authentication for the Cassandra, Spark, Hadoop and Solr clusters in DSE.

- Transparent data encryption (TDE): encryption of data as it is flushed from memtables in memory to SSTables on disk, so that data at rest is unreadable to anyone without the key. Encryption uses the Java Cryptography Extension (JCE) and occurs without user intervention. By default the key material is stored locally on each node; DSE also supports off-server key management through the Key Management Interoperability Protocol (KMIP) to protect data at rest.
- Data auditing: administrators can create detailed audit trails of cluster activity.
- Node-to-node encryption: the inter-node gossip protocol and other node-to-node communication can be protected using SSL.
- DataStax OpsCenter can use SSL to encrypt and authenticate traffic between OpsCenter agents and the OpsCenter daemon, and can serve its interface over HTTPS. OpsCenter can connect to DSE clusters with Kerberos enabled. OpsCenter 5.1 and later include built-in granular role-based controls for cluster operations.

Additional Resources
[1] Security management
[2] Configuring role-based security

DataStax and Vormetric Partnership

Vormetric is an industry leader in data security solutions that span physical, virtual, cloud and big data environments, protecting against both internal and external threats. The company's scalable, high-performance Vormetric Data Security Platform protects any file or database wherever it resides, with application-transparent encryption, privileged-user access controls and security intelligence logging. Together, Vormetric and DataStax provide complete data-at-rest security for DataStax Enterprise: Vormetric complements the enterprise-class security features already available in DataStax's massively scalable distributed database with data-at-rest encryption, enhanced access controls and key management.
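The GRANT/REVOKE object permission model listed above, together with the account handling that Requirements 2, 7 and 8 in the table further down rely on, as an added example that is not part of the DataStax/Vormetric paper. These are CQL statements run through cqlsh against a DSE 4.x (Cassandra 2.x) cluster whose cassandra.yaml sets authenticator: PasswordAuthenticator and authorizer: CassandraAuthorizer. The keyspace, table, user names, data-center name and passwords are hypothetical.

```sql
-- Added example, not from the DataStax/Vormetric paper. Assumes cassandra.yaml has
--   authenticator: PasswordAuthenticator
--   authorizer:    CassandraAuthorizer
-- and that the session starts as the built-in superuser:  cqlsh -u cassandra -p cassandra
-- Keyspace, table, user, data-center and password values are hypothetical.

-- Requirement 2 (no vendor defaults): create a named superuser, then demote and
-- re-password the built-in 'cassandra' account rather than leaving it as cassandra/cassandra.
CREATE USER payments_dba WITH PASSWORD 'replace-with-a-long-random-passphrase' SUPERUSER;
-- Reconnect as payments_dba (cqlsh -u payments_dba) before running the next statement.
ALTER USER cassandra WITH PASSWORD 'replace-with-another-long-random-passphrase' NOSUPERUSER;

-- system_auth holds the user names and bcrypt password hashes (system_auth.credentials).
-- It is created with replication factor 1; raise it so losing one node cannot lock
-- every client out of the cluster.
ALTER KEYSPACE system_auth
  WITH replication = {'class': 'NetworkTopologyStrategy', 'DC1': 3};

-- Requirement 8 (unique IDs): one account per application and per person, never shared.
CREATE USER checkout_app  WITH PASSWORD 'app-secret-pulled-from-a-vault' NOSUPERUSER;
CREATE USER fraud_analyst WITH PASSWORD 'analyst-secret'                 NOSUPERUSER;

-- The cardholder-data keyspace. In this example only tokens and display data are kept;
-- the PAN itself is never written to Cassandra.
CREATE KEYSPACE IF NOT EXISTS payments
  WITH replication = {'class': 'NetworkTopologyStrategy', 'DC1': 3};
CREATE TABLE IF NOT EXISTS payments.card_tokens (
  token    text PRIMARY KEY,   -- opaque token issued by the tokenization service
  last4    text,
  expiry   text,
  created  timestamp
);

-- Requirement 7 (need to know): grant the minimum per account, one permission per statement.
-- The application may read and write the token table and nothing else in the cluster.
GRANT SELECT ON TABLE payments.card_tokens TO checkout_app;
GRANT MODIFY ON TABLE payments.card_tokens TO checkout_app;
-- The analyst is read-only across the keyspace: no MODIFY, ALTER, DROP or AUTHORIZE.
GRANT SELECT ON KEYSPACE payments TO fraud_analyst;

-- A grant that turns out too broad is narrowed with REVOKE. Each node caches permission
-- checks for permissions_validity_in_ms (default 2000), which bounds how long the old
-- grant keeps working after the change.
GRANT  SELECT ON ALL KEYSPACES TO   fraud_analyst;   -- too broad: every keyspace
REVOKE SELECT ON ALL KEYSPACES FROM fraud_analyst;   -- back to payments only

-- Requirement 8 also requires removing access promptly when someone leaves.
DROP USER fraud_analyst;

-- Verification an assessor will ask for: what exactly can each account do, and is the
-- vendor-default account still a superuser?
LIST ALL PERMISSIONS OF checkout_app;
LIST USERS;   -- the 'cassandra' row should now show super = False
```

On Cassandra 2.2 and later (DSE 4.8 and later) the CREATE/ALTER/DROP USER statements are superseded by CREATE ROLE ... WITH LOGIN = true and friends; the GRANT/REVOKE and LIST statements are unchanged. As note [1] in the Limitations section states, these permission checks apply to objects stored in Cassandra; Solr indexes and caches and the Hadoop and Spark caches are outside the authorizer's control, so the same data must be protected there by other means.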
The Vormetric Solution

With the Vormetric Data Security Platform, organizations maintain compliance and safely use sensitive data within the DataStax platform, with protection for data stores, system logs, configuration files and the like at the file system level, as well as within the data store at the field or column level. The platform can also secure source data sets and the resulting analytics. Centrally managing data encryption and access policies across the organization's infrastructure simplifies security and reduces total cost of ownership. The Vormetric Data Security Platform offers:

- A single console for managing all data-at-rest security policies
- Protection of data sources, the DSE environment and analytic reports through data-at-rest encryption, least-privilege user access policies and security intelligence logs, supporting PCI DSS Requirement 7
- Enterprise-class architecture, scale and performance
- Security and compliance across physical, virtual, cloud, big data and hybrid environments
- Pre-defined dashboards and reports for popular SIEMs and other log collection tools, to produce reports for auditors and to identify abnormal file access behaviour, supporting PCI DSS Requirement 10
- Transparent data security that requires no application changes and deploys quickly, supporting PCI DSS Requirement 3
- Application-layer encryption of specific database columns, supporting PCI DSS Requirement 3

- Policy and encryption key management, available as a FIPS 140-2 validated hardware appliance or as a virtual appliance, supporting PCI DSS Requirement 3.5 (key management)

How DSE and Vormetric Address PCI Requirements

For each of the 12 requirements, the entry states whether DSE and Vormetric address it directly and how; requirements marked "no" for both are met by other controls in the environment.

1. Install and maintain a firewall configuration to protect cardholder data. DSE: no. Vormetric: no. Handled by the network.

2. Do not use vendor-supplied defaults for system passwords and other security parameters. DSE: yes. Vormetric: yes. DSE and OpsCenter recommend changing the default password at installation. Vormetric components will not allow deployment with default or weak passwords.

3. Protect stored cardholder data. DSE: yes. Vormetric: yes. DSE offers transparent data encryption, which protects stored cardholder data against disclosure and misuse. Vormetric protects cardholder data by encrypting it at the file or volume level and decrypting only for processes permitted by a pre-defined usage policy, so that the data is unreadable anywhere it is stored; integrated key management makes the process seamless. Note that both controls protect data against theft of media and out-of-band reads; a process or account that the policy permits to decrypt still sees clear text, so Requirements 7 and 8 carry the rest of the weight.

4. Encrypt transmission of cardholder data across open, public networks. DSE: yes. Vormetric: no. DSE offers authentication and client-to-node SSL.

5. Protect all systems against malware (anti-virus). DSE: no. Vormetric: no. Handled at the server level.

6. Develop and maintain secure systems and applications. DSE: no. Vormetric: no. Follow best practices, apply the latest patches and protect your code.

7. Restrict access to cardholder data by business need to know. DSE: yes. Vormetric: yes. Through the internal authentication and object permission management provided by DSE. Vormetric enforces a least-privilege model that denies any data access not expressly permitted by policy.

8. Identify and authenticate access to system components. DSE: yes. Vormetric: yes. External authentication (LDAP or Kerberos) allows DSE to provide single sign-on. DSE allows creation of superusers, who can in turn authorize other users. Internal authentication stores user names and bcrypt-hashed passwords in the system_auth.credentials table. OpsCenter allows user creation and role assignment for managing and operating database clusters. Vormetric integrates with existing directory services to authenticate user IDs, and all transmission of Vormetric authentication and key material takes place over a mutually authenticated TLS channel. With Vormetric, direct access to the data files and the ability to issue database queries can be limited to database administrators: when a database is protected, all access to the data must come through the database process, and all other sources can be denied.

9. Restrict physical access to cardholder data. DSE: no. Vormetric: no. Handled through company policy (log visitors, make sure physical media is secured, and so on).

10. Track and monitor all access to network resources and cardholder data. DSE: yes. Vormetric: yes. DSE supports data auditing through log4j-based logging or by storing audit events in a Cassandra table. Vormetric logs access at the file system level: every read and write request to sensitive data is recorded in a PCI-compliant audit record, and user-controlled policies allow monitoring of all access to sensitive data, including access by privileged users.

11. Regularly test security systems and processes. DSE: no. Vormetric: no. System components, processes and custom software should be tested frequently to ensure security is maintained over time. Use a network intrusion detection system to monitor traffic.

12. Maintain a policy that addresses information security for all personnel. DSE: no. Vormetric: no. The company should develop usage policies and operational security procedures.

Limitations

Assuming you configure the security features, the notes below describe exactly which data is secured, or not, for each workload type: real-time (DSE/Cassandra), analytics (Spark/Hadoop) and DSE Search (Solr). They are keyed to the workload-by-feature table in the original paper, which is not reproduced in this transcription.

[1] Permissions on objects stored in Cassandra are checked. The Solr caches and indexes, the DSE Hadoop cache and the Spark caches are not under Cassandra's control and are therefore not checked. You may, however, set up permission checks on the tables that store DSE Hadoop or Solr data.
[2] The inter-node gossip protocol is protected using SSL.
[3] The Thrift interface between DSE Hadoop and the Cassandra File System (CFS) is SSL-protected. Inter-tracker communication is Kerberos-authenticated but not SSL-secured. Hadoop access to Cassandra is SSL- and Kerberos-protected. The Spark integration supports SSL for the Akka and HTTP (broadcast and file server) protocols.
[4] HTTP access to DSE Search/Solr data is protected using SSL. Node-to-node SSL encryption protects internal Solr communication.
[5] The inter-node gossip protocol is not authenticated using Kerberos; node-to-node SSL encryption can be used instead.
[6] Commit log data and memtable data are not encrypted; only data at rest in SSTables is encrypted. File-system-level encryption such as Vormetric's, applied to the commit log directory, is one way to close that gap.
[7] Data in DSE Search/Solr tables is encrypted by Cassandra. Encryption has a slight performance impact but ensures the original documents are encrypted once Cassandra permanently stores them on disk. Solr cache data and Solr index data, however, are not encrypted.
[8] DSE Hadoop and Spark data auditing happens at the Cassandra access level, so requests to access Cassandra data are audited.
[9] Password authentication covers connecting Spark to Cassandra, not authentication between Spark components or of changes to the Shark configuration.
[10] Password authentication covers connecting Hadoop to Cassandra, not authentication between Hadoop components.
[11] Applies to communication with Cassandra (C*) only; not supported within the Spark/Shark ecosystem itself.

Conclusion

DataStax Enterprise together with Vormetric offers a comprehensive data security solution for data stored in Cassandra and helps organizations comply with PCI DSS requirements.

About DataStax

DataStax provides a massively scalable enterprise NoSQL platform to run modern online applications for some of the world's most innovative and data-intensive enterprises. Powered by the open source Apache Cassandra database, DataStax delivers a fully distributed, continuously available platform that is faster to deploy and less expensive to maintain than other database platforms. DataStax has more than 500 customers in 38 countries, including leaders such as Netflix, Rackspace, Pearson Education and Constant Contact, and spans verticals including web, financial services, telecommunications, logistics and government. Based in San Mateo, California, DataStax is backed by industry-leading investors including Lightspeed Venture Partners, Meritech Capital and Crosslink Capital.

About Vormetric

Vormetric (@Vormetric) is an industry leader in data security solutions that span physical, virtual and cloud environments. Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world's most security-conscious government organizations, to meet compliance requirements and protect what matters, their sensitive data, from both internal and external threats. The company's scalable Vormetric Data Security Platform protects any file, any database and any application wherever it resides, with a high-performance, market-leading data security platform that incorporates application-transparent encryption, privileged-user access controls, automation and security intelligence. For more information, please visit: www.vormetric.com.