A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards




Standards for Credit Card Security

Modern commerce relies heavily on credit card transactions, providing convenience to consumers and more sales opportunities for merchants. With vast amounts of financial capital transferring via these means, it's no wonder that credit card fraud amounts to over a billion dollars in the US alone, according to the US Treasury.

The Payment Card Industry Data Security Standards (PCI DSS) were developed by a consortium of credit card issuers, including MasterCard and Visa, to provide best practices for securing IT systems and establishing processes for the use, storage, and transmission of credit card data in electronic commerce. PCI DSS consists of six categories:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy

"I highly suspect we will see outbound content monitoring and filtering in the next revision of PCI DSS. Consider this your first warning." Rich Mogull (former Gartner analyst), Securosis blog, February 2008

In an age of phishing scams, malware, and pursuit of profits by hackers, compliance with PCI DSS is usually interpreted as a way to mitigate the risk of an external threat. Secure Sockets Layer (SSL), Transport Layer Security (TLS), Internet Protocol Security (IPsec), and other technologies are recommended as safeguards against these threats, focusing on anti-theft and anti-intrusion measures. However, the ultimate concern is the unauthorized use of credit card data, so safeguarding the data itself is essential to mitigating this risk. Data Loss Prevention (DLP) is the solution that helps safeguard this credit card data.

While PCI DSS has done much to establish a common set of security best practices to minimize external hacks into networks where credit card data is transmitted, stored, or collected, it has not explicitly mandated the monitoring of this data. As many industry analysts and forward-thinking enterprises have already acknowledged, DLP must be a part of a PCI compliance and credit card data security policy, given that even a single instance of data loss can lead to penalties from card holding institutions and banks, high remediation costs, damage to an organization's reputation, and loss of market share.

DLP is Essential for Compliance with PCI DSS

The PCI DSS does not discriminate between internal and external threats; data loss is data loss, whatever the cause. Yet the emphasis on external threats is often a distraction from the more likely risk of loss: employees or insiders leaking data. According to the data loss incident database sponsored by the Open Security Foundation, at least 28 percent of all data loss incidents are attributed to insiders, and close to 60 percent of these are attributed to accidental leaks of confidential data. Data loss via the Web is four times more likely than via email. (Source: Open Security Foundation data loss incident database)

The causes of data loss are numerous and seemingly mundane, such as:

- Emailing sensitive data using personal accounts (e.g., Yahoo! Mail, Gmail, or Hotmail)
- Posting data to a social networking or other Web 2.0 site (e.g., Facebook, Twitter, or blogs)
- Copying customer data from a CRM or bill payment system to a removable storage drive
- Emailing data to the wrong person, inside or outside your organization
- Emailing unencrypted account numbers to customers, partners, or vendors

Whether erroneous or intentional, the outcome is equally damaging, since once customer credit card information is accessed by an unauthorized user, the data is assumed to be compromised. Restoring customer confidence following a leak is not easy. The damage to a customer's credit and confidence, combined with the tarnished reputation of the company (a merchant, payment service provider, or any entity storing, processing, or transmitting credit card data), can last for years. Often, a breach can require credit monitoring services for affected customers and payment of legal settlements, and result in lost business. Internally, the company would have to reengineer business processes to avoid such a leak in the future, invest in restoring the brand, and pay for information control audits for up to five years. In the end, the loss of credit card information can impact the bottom line, and the business may never be the same.

A data loss prevention solution, consisting of secure business processes, employee education, and technology, can reduce the risk of leaks and help you attain PCI DSS compliance. In a transaction-heavy environment, an automated solution is critical for operational feasibility. DLP technologies can monitor the enterprise, automatically enforce information controls, and notify business managers. However, it's important to note that not all DLP solutions are equal. Different technology approaches yield varying results. For thorough PCI DSS compliance, a careful DLP solution selection process is necessary.

PCI DSS and Websense Data Security Suite

The Websense Data Security Suite takes a unique approach to data loss prevention and information control which can be applied to the specific challenge of protecting credit card data. Websense offers both a comprehensive and modular solution which grants full visibility into key business activities where confidential data may be handled. Destination awareness and control for Web and email on the network, combined with application and device control for endpoints, exceed typical DLP offerings while addressing operational concerns around deployment and ongoing management. The solution delivers accuracy and policy granularity, providing knowledge of who sent the data, how it is being sent or used, where it is going, and what type of data it is, such as credit card data. With this level of accuracy, appropriate enforcement actions to protect the data can be taken without fear of disrupting legitimate business processes.

Websense Data Security Suite includes four integrated modules, managed under a single policy framework, which together provide visibility and control over network and endpoint data loss as well as comprehensive data discovery across enterprise storage systems. Depending on which infrastructure area is deemed to be of highest risk, one or more of these modules can be deployed at any given time.

Websense Data Monitor: Monitors the network for data loss across Web, email, and instant messaging channels, and includes enhanced visibility with destination awareness and user details.

Websense Data Protect (includes Websense Data Monitor): Monitors network channels and enforces automated, policy-based controls to block, quarantine, encrypt, audit and log, or notify users of violations.

Websense Data Endpoint: Monitors and enforces automated, policy-based controls for data usage via applications and peripheral devices on user desktops or laptops. Discovers and classifies confidential data stored on end-user systems.

Websense Data Discover: Discovers and classifies confidential data stored in enterprise repositories. Automatically remediates discovered data based on policy.

The solution ships with PCI DSS templates that can be modified to align with specific information security policies. For example, you can configure it to alert stakeholders only if an email has at least five instances of records containing a credit card number and the associated three-digit or four-digit CVV (card verification value, used to protect against card-not-present fraud). The reason for this threshold may be that an email with only one credit card record may indicate a personal transaction. If needed, the five-record threshold could be changed to as low as one or as high as the organization deems appropriate based on its PCI DSS compliance policies. For even more accurate detection of a high-risk leak, a customer data file containing portions of credit card data (e.g., last four digits) could be fingerprinted, allowing this snapshot to be compared with what is identified by the solution, to determine whether an actual customer's data was compromised or a non-customer credit card number was detected.

A comprehensive yet modular DLP offering with accuracy in credit card detection as well as user and destination awareness has established Websense as a leader in the DLP space and makes Websense Data Security Suite an ideal choice for protecting credit card data in enterprises where PCI compliance is a must.

To learn more about Websense DLP solutions through a demonstration of the solution, visit www.websense.com/evaluations.

The designated DLP modules below indicate the minimum solution offering required to address the respective PCI requirements. The Websense Data Security Suite, comprising all modules, addresses all of the listed PCI requirements. Modules are designed to address visibility and control in different areas of the enterprise: network communications, network storage servers, and end-user systems.

PCI DSS Requirement / Requirement Satisfaction / Websense Data Security Suite modules: Monitor, Protect, Discover, Endpoint

Requirement 3.1: Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and regulatory purposes, as documented in the data retention policy.
Satisfaction: Automatically discover cardholder data stored throughout the enterprise on desktops, laptops, file servers (including SharePoint), and email servers (including Exchange), and in databases (with native connectors), that is in violation of the PCI data retention and disposal policy. Once discovered, the solution can automatically enforce pre-defined actions based on policy, including file quarantining, encryption (through a third-party file encryption solution), transfer, replacement, and removal. This ensures that copies of cardholder data are not stored in violation of corporate and regulatory policy.

Requirement 3.2: Do not store sensitive authentication data subsequent to authorization (even if encrypted). Sensitive authentication data includes the data cited in requirements 3.2.1 through 3.2.3.
Satisfaction: Automatically discover sensitive authentication data, card validation codes, and personal identification numbers stored throughout the enterprise. The solution can also monitor for use or transmission of any such information. Once identified, data can be remediated by any number of pre-defined or custom actions, including file quarantining, encryption, transfer, replacement, and removal.

Requirement 3.3: Mask the primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed).
Satisfaction: Credit card data can be found in transit on the network, stored on network servers, or on end-user systems. Incident management reports provide forensics of PCI violations while masking the PAN. Configuring role-based access control to limit administrator and auditor views of incident details further mitigates the risk of an unauthorized user seeing credit card data.

Requirement 3.4: Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
Satisfaction: Identify and report on the location of primary account numbers stored throughout the enterprise. Based on policy, automatically enforce file encryption and other custom actions to remediate the violation.
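The detection policy described earlier (alert only when an email carries at least five records pairing a card number with its CVV, compare hits against a fingerprint of partial customer card data, and never write an unmasked PAN into the incident record, as requirement 3.3 demands) can be shown end to end with a small scanner. The Python below is an added example written for this page; it is not Websense code. The regular expressions, the Luhn pre-filter, the fingerprint salt, the 40-character CVV window, the sample email (built from public test card numbers) and the customer partials are all constructed assumptions.

```python
# Added example (not Websense code): a toy DLP scan of an outbound email for
# cardholder data, with the record threshold, CVV check, partial-card
# fingerprinting and PAN masking the brief describes. All names, patterns and
# sample data below are constructed assumptions.
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Set

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not preceded or followed by another digit or separator.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# A labelled 3- or 4-digit card verification code (CVV/CVC/CID) near the PAN.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[:=]?\s*(\d{3,4})\b", re.IGNORECASE)
CVV_WINDOW = 40  # characters after a PAN in which a CVV label counts as "associated"
# Placeholder salt for fingerprint hashes (constructed; a real deployment keeps
# this secret so the hashes cannot be rebuilt from the partial numbers alone).
FINGERPRINT_SALT = b"constructed-example-salt"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, IDs and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 display form: first six and last four digits at most."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fingerprint(partial_pan: str) -> str:
    """Hash of a masked/partial PAN; the customer file never holds full PANs."""
    return hashlib.sha256(FINGERPRINT_SALT + partial_pan.encode()).hexdigest()


def fingerprint_customer_file(partials: List[str]) -> Set[str]:
    return {fingerprint(p) for p in partials}


@dataclass
class CardRecord:
    masked_pan: str  # only the masked form is written to the incident
    has_cvv: bool
    known_customer: bool


@dataclass
class ScanResult:
    records: List[CardRecord] = field(default_factory=list)
    threshold: int = 5

    def records_with_cvv(self) -> int:
        return sum(1 for r in self.records if r.has_cvv)

    def triggers_alert(self) -> bool:
        """Alert only at or above the threshold (one card may be a personal purchase)."""
        return self.records_with_cvv() >= self.threshold

    def known_customers(self) -> int:
        return sum(1 for r in self.records if r.known_customer)


def scan_message(text: str, fingerprints: Set[str], threshold: int = 5) -> ScanResult:
    result = ScanResult(threshold=threshold)
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue
        window = text[m.end(): m.end() + CVV_WINDOW]
        masked = mask_pan(digits)
        result.records.append(CardRecord(
            masked_pan=masked,
            has_cvv=CVV_RE.search(window) is not None,
            known_customer=fingerprint(masked) in fingerprints,
        ))
    return result


# Constructed sample data: public test card numbers, one typo, one order ref.
SAMPLE_EMAIL = """Hi, here are the refunds to process today:
 1. 4111 1111 1111 1111 exp 12/27 CVV: 123
 2. 5555-5555-5555-4444 CVV 456
 3. 378282246310005 CID=1234
 4. 4012888888881881 cvc 321
 5. 6011111111111117 cvv:789
 6. 4111111111111112 (typo, fails Luhn)
Order ref 1234567890123456 is not a card number. Call me on 555-0100.
"""
CUSTOMER_PARTIALS = ["411111******1111", "378282*****0005"]  # constructed

if __name__ == "__main__":
    res = scan_message(SAMPLE_EMAIL, fingerprint_customer_file(CUSTOMER_PARTIALS))
    for r in res.records:
        print(r)
    print("records with CVV:", res.records_with_cvv(), "alert:", res.triggers_alert())
```

On the sample email the scanner keeps five Luhn-valid cards (the typo and the order reference drop out), finds a CVV next to each, so the five-record threshold fires, and reports two of them as matching the fingerprinted customer partials; a one-card message stays below the threshold. Fingerprinting the masked form (first six plus last four) means the comparison file itself contains nothing that requirement 3.3 would forbid displaying.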

Requirement 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
Satisfaction: Monitors internal and external communications channels, including Web, email, FTP, IM, print, and more, and can automatically detect unsecured encryption keys and prevent misuse and disclosure. The solution can also automatically trigger rights management to restrict access controls to encryption keys based on custodial policies. Built-in discovery capabilities enable managers to transparently scan the enterprise for unsecured keys and secure them.

Requirement 4.2: Never send unencrypted PANs by email.
Satisfaction: Monitors email communications, both internal and external, and can accurately identify unencrypted PANs (including in attachments) and route the communication to an email encryption gateway for encryption. This methodology is widely used to protect cardholder data and other confidential information. Automated enforcement by blocking, routing to an encryption gateway, or quarantining the data addresses this requirement.

Requirement 6.3.4: Production data (live PANs) are not used for testing and development.
Satisfaction: Discover live PANs resident on test systems (servers, end-user systems) and automatically enforce a predefined or manual action to secure the data (e.g., remove the data; copy it to a secure location). The solution can also monitor network communications between test systems to ensure cardholder information is not in use over email, Web, FTP, or printing. Attempts by end users to transfer this data to removable media can also be blocked.

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access.
Satisfaction: Identify cardholder information stored in inappropriate locations or with inappropriate access permissions and, through integration with rights management technologies, automatically apply the appropriate access rights to secure its use.

Requirement 7.2: Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to deny all unless specifically allowed.
Satisfaction: Restrict file access to specified users based on the type of information they are attempting to access. Administrators can quickly configure a default policy to deny all access to files containing cardholder data unless otherwise specified. Additionally, the solution can restrict all or specified users from cut, copy, paste, print, and print screen if cardholder data is displayed on screen (e.g., by an application).

Requirement 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
Satisfaction: Accurately identify cardholder data transmitted on the network over business communication channels and enforce encryption (via integration with an encryption gateway). The solution can also apply file-level encryption (with integration) for data discovered on network file and storage systems.

Requirement 10: Track and monitor all access to network resources and cardholder data.
Satisfaction: The main requirement in this section is to provide a detailed audit trail of access to credit card data. The solution passively monitors access to files containing cardholder data, as well as actions taken when users copy, paste, print, email, FTP, or post to the Web. The solution includes detailed forensics, reporting, and audit tools to provide auditors with the requisite information.

Requirement 12.2: Develop daily operational security procedures that are consistent with requirements in this specification.
Satisfaction: Includes built-in, automated workflow to enable PCI compliance, for both administrators and end users. Automated incident alerts, workflow (e.g., assign incident to data owner), built-in PCI violation reports, and integration with security information management (SIEM) solutions streamline the process for administrators. End users can also be automatically notified of their violation in real time, preventing unnecessary helpdesk calls and improving PCI compliance over time.

Requirement 12.3: Develop usage policies for critical employee-facing technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, personal digital assistants, email use, and Internet usage) to define proper use of these technologies for all employees and contractors.
Satisfaction: Automated notifications and confirmations of policy violations for employees and contractors. Includes alerts for users and managers and message quarantining (requires manager approval for release). The system is configurable for autonomous operation, utilizing existing messaging tools to permit remediation from the business unit.

Requirement 12.5: Assign to an individual or team the following information security management responsibilities:
  12.5.1: Establish, document, and distribute security policies and procedures.
  12.5.2: Monitor and analyze security alerts and information, and distribute to appropriate personnel.
  12.5.3: Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
  12.5.5: Monitor and control all access to data.
Satisfaction: Websense Data Security Suite has automated incident alerting for users, their managers, and security administrators. Alerts can be customized and include incident details. The solution also includes advanced reporting that can be scheduled for automated distribution. Incidents related to specific policy violations can be disseminated on a daily, weekly, monthly, or configurable schedule to anyone in the enterprise. An audit trail is kept within the system to provide details of incident response, and group managers can monitor and report on the progress of individual incident managers. All incident detail provided within the Websense Data Security Suite is secured based on user access privileges.

Requirement 12.6: Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
Satisfaction: Automated, customizable notifications for data at rest, in use, and in motion. Notification templates communicate security policy to end users and their managers automatically at the time of the violation, and provide instruction on how to avoid similar incidents in the future.

Requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach.
Satisfaction: Provides both passive monitoring and automated enforcement. Centralized management and reporting permits administrators to quickly identify and respond to policy violations for network communications, network storage services, and end-user systems. The solution includes built-in trend analysis and reporting to provide visibility and help create, implement, and evaluate the effectiveness of incident response.

© 2009 Websense Inc. All rights reserved. Websense is a registered trademark of Websense, Inc. in the United States and certain international markets. Websense has numerous other registered and unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners. 07.14.09