Reduce the Cost of PCI DSS Compliance with Unified Vulnerability Management




WHITE PAPER
A Requirement-by-Requirement Guide

Table of Contents

- Introduction (3)
- What are the PCI Data Security Standards (3)
  - The New Model: Cards Not Cash (3)
- The Pressure to Comply (4)
  - Enforcement of Penalties, Fines, and Termination (4)
- PCI Requirements (5)
- What Does it Really Mean? (6)
  - Operational Processes (6)
  - Infrastructure (6)
  - Information and Security Technology (7)
- The Challenges of Compliance (7)
  - Ongoing Vulnerability Assessment and Monitoring (7)
  - Endpoint Protection (7)
  - Network Protection (8)
- How Unified Vulnerability Management Helps (8)
- Conclusion (11)
- About BeyondTrust (11)

© 2013 BeyondTrust Software, Inc.

Introduction

With the addition of new systems, devices, and virtual environments, achieving Payment Card Industry Data Security Standard (PCI DSS) compliance is an ongoing challenge. To be compliant, security professionals can no longer simply run vulnerability scans and collect firewall and intrusion detection logs; they need new tools and techniques that not only scan for and block potential threats, but also make it easy to maintain and prove compliance. In this guide, IT managers and security professionals will get a better view into PCI DSS and learn how to overcome key challenges to reduce the cost of PCI compliance and ensure sensitive and personal information stays protected.

What are the PCI Data Security Standards

PCI DSS applies to all system components, defined as any network, server, or application included in, or connected to, the cardholder data environment. The number of networks and devices used to perform business functions and online transactions continues to grow, both in physical and virtual form. Consider the U.S. airline industry's plans to switch to a completely plastic business model, eliminating all non-credit transactions: a clear sign that using and storing cardholder data online is quickly becoming the cornerstone of many businesses.

The New Model: Cards Not Cash

The introduction of new digital business models continues to grow as well, introducing yet another set of physical and virtual systems and networks. Self-serve kiosks offering DVD rentals and credit-accepting vending machines that dispense soft drinks and the like are becoming more and more prevalent. Consumers and businesses continue to explore new ways to use credit cards in lieu of cash.

When we evaluate each of the business models associated with credit card transactions, we must look at each of the components that make up the business infrastructure that enables transactions to take place, and at the security models used to protect cardholder data. The key components, networks, endpoints, and data, each have a role to play in ensuring the transaction takes place accurately and securely.

- Network: A huge web of communication and storage components is involved when a credit card transaction is conducted, ranging from consumer devices connecting to business services, through fulfillment services, and back.
- Endpoints: The number of endpoints acting as input/output devices can easily appear infinite. Consider the enterprise servers, enterprise desktops, merchant service and fulfillment servers and desktops, and, of course, the consumer devices (desktops, laptops, mobile devices, and smart phones) that may touch sensitive information.
- Data: The data is the real crown jewel when it comes to the PCI DSS. All of the requirements, implementations, and audits revolve around making sure that cardholder data is safe.

The Pressure to Comply

ENFORCEMENT OF PENALTIES, FINES, AND TERMINATION

Non-PCI-compliant organizations face potential fines of up to $500,000 per incident for security breaches. Other fines range between $5,000 and $100,000 per month for PCI compliance violations. Your bank will most likely pass these fines downstream until they eventually hit your organization. Additionally, your bank could increase your merchant transaction fees or even terminate your merchant relationship if your organization is found to be out of compliance.

The PCI Security Standards Council has identified a number of scenarios in which data security breaches were successful. The following are included in the PCI DSS Self-Assessment Questionnaire:

- Storage of magnetic stripe card data, where many compromised entities were unaware that their systems were storing this data
- Inadequate access controls due to improperly installed merchant POS systems, allowing hackers in via paths intended for POS vendors
- Default system settings and passwords not changed when the system was set up
- Unnecessary and vulnerable services not removed or fixed when the system was set up
- Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website
- Missing and outdated security patches
- Lack of logging and log analysis
- Lack of monitoring via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems
- Lack of segmentation in a network, making cardholder data easily accessible through weaknesses in other parts of the network (e.g., from wireless access points, employee e-mail, and web browsing)

PCI Requirements

The PCI DSS is a group of guiding principles and accompanying requirements, organized within the following categories:

All 12 requirements must be met, without exception. Each and every requirement must be accompanied by supporting, attestable documentation in order to be deemed compliant.

What Does it Really Mean?

As with any IT project, it is important to have a plan in place that outlines the objectives, the feasibility, the tasks and schedule, and any inherent risks. When building out your PCI DSS compliance project, be aware that you will be required to have a solid understanding of, and the ability to change, your current business infrastructure, supporting business technologies, and overarching processes. Keep in mind, however, that simply becoming PCI DSS compliant without setting proper data security objectives for the organization would be analogous to passing a driving test and then driving around recklessly. At the end of the day, your organization has a responsibility to your employees, partners, and customers to protect their data regardless of whether or not your organization actually meets the standard.

OPERATIONAL PROCESSES

In order for any security program to work, it is critical for your organization and staff to understand what their role in achieving the standard is, and how they can help the organization avoid falling out of compliance. From an operational standpoint, this primarily revolves around a proper security policy (Requirement #12). This security policy is what will drive the rest of the requirements, such as determining what infrastructure to use, what technologies to use, how often you will validate the policy, how often you will review the status of compliance, and how you will respond to exceptions coming from planned reviews versus those coming from an unexpected incident (such as a breach). A few key elements here include defining and setting the configurations for your firewalls and anti-virus programs (Requirements #1 and #5), and not leaving your security software on the default settings the vendor shipped it with (Requirement #2).

Two additional operational items that begin to cross over into infrastructure are the requirement to utilize centralized identity management (Requirement #8) and the requirement to track and monitor all of the activity related to cardholder data transactions (creation, storage, access, modification, transfer, etc.) (Requirement #10).

INFRASTRUCTURE

For your organization to actually control security across the infrastructure and all of its connection points, the organization must have a crystal-clear view of all the infrastructure components involved: how it looks today, what changes are needed to achieve the standard, and how the infrastructure might look over time as things change. There could be many changes to deal with: business, technology, additional regulations, and more. As new systems are added, as new networks are added, as new card-enabled business functions are implemented, and as new business partners come online, your organization will need to evaluate the impact these actions will have on your overall security program. You will need to manage your PCI DSS compliance program accordingly as a result of those changes. Another key element when managing systems is to ensure that card-holding systems are segregated from other systems (Requirement #7) and that they are located in a secure physical location (Requirement #9).

INFORMATION AND SECURITY TECHNOLOGY

In order to assess your environment, protect your environment, and report on your status of compliance, your organization must implement a collection of information and security technologies. Some technologies will enable your organization to achieve compliance. Others will help you do so more effectively and efficiently. Consider unified vulnerability management and integrated endpoint protection technologies to achieve the latter.

The Challenges of Compliance

With the addition of new systems, devices, and virtual environments, achieving PCI compliance is an ongoing challenge, especially when you consider remote systems, unmanaged systems, virtual systems, and custom-built systems where, as an example, we might find Windows-based Point-of-Sale (POS) systems running hardened, customized versions of the operating system.

ONGOING VULNERABILITY ASSESSMENT AND MONITORING

You must regularly monitor your environment and consistently run reports to show continued success and/or progress toward attaining and retaining compliance. You must also check to ensure that:

- The right technologies and protections are in place (firewall, anti-malware, intrusion prevention, and encryption)
- Security products are configured to match your business and operating environment
- Signature-based and rule-based technologies are always up to date
- Identities are unique and clearly defined, and proper access is granted only when appropriate, eliminating unnecessary guest accounts and anonymous shares
- You're using non-intrusive, network-based and on-host vulnerability assessment technologies to reduce risks exposed by vulnerabilities, improper configurations, system/configuration weaknesses, and poorly managed identities
- Your policy remains current and your processes support the policy

ENDPOINT PROTECTION

Multi-layered protection for your endpoints is a must-have. Be sure to consider the right protections to secure Point of Sale (POS) systems that run customized, hardened, non-changeable versions of the operating system. At a minimum, the following protection technologies are required at the endpoint:

- Host-based intrusion prevention
- Network, system, and application firewall
- Anti-malware (including anti-virus, anti-spyware, and anti-phishing)
- Host-based vulnerability assessment (used to validate the protection)
- Device and port control
- File-based and/or full-disk encryption

NETWORK PROTECTION

Be sure to select a partner that can provide multi-layered protection for your network and communications infrastructure. At a minimum, implement the following protection technologies across and throughout your environment:

- Network intrusion detection/prevention
- Perimeter firewall
- Web and email anti-malware
- Network vulnerability assessment (used to validate the protection)
- Web and email encryption

How Unified Vulnerability Management Helps

As your critical IT assets constantly change, the challenge of PCI compliance becomes even harder. Every day you face new network devices, operating systems, applications, databases, web applications, plus numerous IP-enabled devices (laptops, servers, printers, etc.). These lists never seem to stop growing. Clearly, as things get more complicated, they get more difficult to manage. Many organizations take the approach of using disparate, stand-alone solutions to accomplish the key aspects of vulnerability management: assessment, mitigation, and protection. However, this leaves them with a disjointed picture of security, which is not only more difficult to manage, but also more expensive. The answer to this challenge is Unified Vulnerability Management (UVM), which delivers a consolidated solution for assessing, mitigating, and protecting your environment while reducing the overall cost of PCI compliance.


Conclusion

To be compliant, security professionals must employ old technologies, new tools, and unique techniques that not only identify potential threats but also make it cost-effective to maintain and prove PCI compliance. With the right program in place, the right partner selected, and the right technologies deployed, your organization can achieve PCI DSS compliance and full confidence that your sensitive information is protected.

About BeyondTrust

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held and headquartered in Carlsbad, California. For more information, visit beyondtrust.com.

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA HEADQUARTERS
Suite 345
Warren Street
London W1T 6AF
United Kingdom
Tel: +44 (0) 8704 586224
Fax: +44 (0) 8704 586225
emeainfo@beyondtrust.com

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com