WHITE PAPER

Reduce the Cost of PCI DSS Compliance with Unified Vulnerability Management
A Requirement-by-Requirement Guide
Table of Contents

- Introduction
- What are the PCI Data Security Standards
- The New Model: Cards Not Cash
- The Pressure to Comply
- Enforcement of Penalties, Fines, and Termination
- PCI Requirements
- What Does it Really Mean?
- Operational Processes
- Infrastructure
- Information and Security Technology
- The Challenges of Compliance
- Ongoing Vulnerability Assessment and Monitoring
- Endpoint Protection
- Network Protection
- How Unified Vulnerability Management Helps
- Conclusion
- About BeyondTrust

2013. BeyondTrust Software, Inc.
Introduction

With the addition of new systems, devices, and virtual environments, achieving Payment Card Industry Data Security Standard (PCI DSS) compliance is an ongoing challenge. To be compliant, security professionals can no longer simply run vulnerability scans and collect firewall and intrusion detection logs; they need new tools and techniques that not only scan for and block potential threats, but also make it easy to maintain and prove compliance. In this guide, IT Managers and Security Professionals will get a better view into PCI DSS and learn how to overcome key challenges to reduce the cost of PCI compliance and ensure sensitive and personal information stays protected.

What are the PCI Data Security Standards

PCI DSS encompasses and applies to all system components, defined as any network, server, or application included in, or connected to, the cardholder data environment. The number of networks and devices used to perform business functions and online transactions continues to grow, both in physical and virtual form. Consider the U.S. airline industry's plans to switch to a completely plastic business model, eliminating all non-credit transactions: a clear sign that using and storing cardholder data online is quickly becoming the cornerstone of many businesses.
The New Model: Cards Not Cash

The introduction of new digital business models continues to grow as well, introducing yet another set of physical and virtual systems and networks. Self-serve kiosks offering DVD rentals and credit-accepting vending machines that dispense soft drinks and the like are becoming more and more prevalent. Consumers and businesses continue to explore new ways to use credit cards in lieu of cash.

When we evaluate each of the business models associated with credit card transactions, we must look at each of the components that make up the business infrastructure that enables transactions to take place, and at the security models used to protect cardholder data. The key components (networks, endpoints, and data) each have a role to play in ensuring the transaction takes place accurately and securely.

- Network: There is a huge web of communication and storage components involved when a credit card transaction is conducted, ranging from consumer devices connecting to business services, through fulfillment services, and back.
- Endpoints: The number of endpoints acting as input/output devices can easily appear infinite. Consider the enterprise servers, enterprise desktops, merchant service and fulfillment servers and desktops, and, of course, the consumer devices (desktops, laptops, mobile devices, and smartphones) that may touch sensitive information.
- Data: The data is the real crown jewel when it comes to the PCI DSS. All of the requirements, implementations, and audits revolve around making sure that cardholder data is safe.
The Pressure to Comply

ENFORCEMENT OF PENALTIES, FINES, AND TERMINATION

Non-PCI-compliant organizations face potential fines of up to $500,000 per incident for security breaches. Other fines range between $5,000 and $100,000 per month for PCI compliance violations. Your bank will most likely pass this fine downstream until it eventually hits your organization. Additionally, your bank could increase your merchant transaction fees or even terminate your merchant relationship if your organization is found to be out of compliance.

The PCI Security Standards Council has identified a number of scenarios in which data security breaches were successful. The following are included in the PCI DSS Self-Assessment Questionnaire:

- Storage of magnetic stripe card data, where many compromised entities were unaware that their systems were storing this data
- Inadequate access controls due to improperly installed merchant POS systems, allowing hackers in via paths intended for POS vendors
- Default system settings and passwords not changed when the system was set up
- Unnecessary and vulnerable services not removed or fixed when the system was set up
- Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the website
- Missing and outdated security patches
- Lack of logging and log analysis
- Lack of monitoring via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems
- Lack of segmentation in a network, making cardholder data easily accessible through weaknesses in other parts of the network (e.g., from wireless access points, employee e-mail, and web browsing)
PCI Requirements

The PCI DSS is a group of guiding principles and accompanying requirements, organized within the following categories:

All 12 requirements must be met, without exception. Each and every requirement must be accompanied by supporting, attestable documentation in order to be deemed compliant.
What Does it Really Mean?

As with any IT project, it is important to have a plan in place that outlines the objectives, the feasibility, the tasks and schedule, and any inherent risks. When building out your PCI DSS compliance project, be aware that you will be required to have a solid understanding of, and the ability to change, your current business infrastructure, supporting business technologies, and overarching processes. Keep in mind, however, that simply becoming PCI DSS compliant without setting proper data security objectives for the organization would be analogous to passing a driving test and then driving around recklessly. At the end of the day, your organization has a responsibility to your employees, partners, and customers to protect their data, regardless of whether or not your organization actually meets the standard.

OPERATIONAL PROCESSES

In order for any security program to work, it is critical for your organization and staff to understand what their role in achieving the standard is, and how they can help the organization avoid falling out of compliance. From an operational standpoint, this primarily revolves around a proper security policy (Requirement #12). This security policy is what will drive the rest of the requirements, such as determining what infrastructure to use, what technologies to use, how often you will validate the policy, how often you will review the status of compliance, and how you will respond to exceptions coming from planned reviews versus those coming from an unexpected incident (such as a breach). A few key elements here include defining and setting the configurations for your firewalls and anti-virus programs (Requirements #1 and #5) and not using the default settings for your security software as set by the vendor when it was released (Requirement #2).
Two additional operational items that begin to cross over into infrastructure are the requirement to utilize centralized identity management (Requirement #8) and the requirement to track and monitor all of the activity related to cardholder data transactions (creation, storage, access, modification, transfer, etc.) (Requirement #10).

INFRASTRUCTURE

For your organization to actually control security across the infrastructure and all of its connection points, the organization must have a crystal-clear view of all the infrastructure components involved: how it looks today, what changes are needed to achieve the standard, and how the infrastructure might look over time as things change. There could be many changes to deal with: business, technology, additional regulations, and more. As new systems are added, as new networks are added, as new card-enabled business functions are implemented, and as new business partners come online, your organization will need to evaluate the impact these actions will have on your overall security program, and manage your PCI DSS compliance program accordingly. Another key element when managing systems is to ensure that card-holding systems are segregated from other systems (Requirement #7) and that they are located in a secure physical location (Requirement #9).
INFORMATION AND SECURITY TECHNOLOGY

In order to assess your environment, protect your environment, and report on your status of compliance, your organization must implement a collection of information and security technologies. Some technologies will enable your organization to achieve compliance. Others will help you do so more effectively and efficiently. Consider unified vulnerability management and integrated endpoint protection technologies to achieve the latter.

The Challenges of Compliance

With the addition of new systems, devices, and virtual environments, achieving PCI compliance is an ongoing challenge, especially when you consider remote systems, unmanaged systems, virtual systems, and custom-built systems where, as an example, we might find Windows-based Point-of-Sale (POS) systems running hardened, customized versions of the operating system.

ONGOING VULNERABILITY ASSESSMENT AND MONITORING

You must regularly monitor your environment and consistently run reports to show continued success and/or progress toward attaining and retaining compliance. You must also check to ensure that:

- The right technologies and protections are in place (firewall, anti-malware, intrusion prevention, and encryption)
- Security products are configured to match your business and operating environment
- Signature-based and rule-based technologies are always up to date
- Identities are unique and clearly defined, and proper access is granted only when appropriate, eliminating unnecessary guest accounts and anonymous shares
- You're using non-intrusive, network-based and on-host vulnerability assessment technologies to reduce risks exposed by vulnerabilities, improper configurations, system/configuration weaknesses, and poorly managed identities
- Your policy remains current and your processes support the policy

ENDPOINT PROTECTION

Multi-layered protection for your endpoints is a must-have. Be sure to consider the right protections to secure Point of Sale (POS) systems that run customized, hardened, non-changeable versions of the operating system. At a minimum, the following protection technologies are required at the endpoint:

- Host-based intrusion prevention
- Network, system, and application firewall
- Anti-malware (including anti-virus, anti-spyware, and anti-phishing)
- Host-based vulnerability assessment (used to validate the protection)
- Device and port control
- File-based and/or full-disk encryption
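The monitoring checklist and the endpoint protection list above are easiest to understand as a set of checks that run repeatedly against an asset inventory and produce findings mapped to requirements. The script below is an added example written for this page, not BeyondTrust code or any product's output: it evaluates a small, constructed inventory of hosts against the checks the paper names (host firewall present, anti-malware installed with current signatures, no vendor default credentials, no guest accounts or anonymous shares, no shared identities, no missing patches, audit logging on) and cites only the requirement numbers the paper itself mentions. The host records, the patch identifiers, the seven-day signature threshold and the reporting date are all assumptions made for the example.

```python
"""Checklist-style monitoring of a constructed cardholder-environment inventory.

Added example, not BeyondTrust code. Host records, patch names, the signature
age threshold and the reporting date are constructed assumptions; the checks
mirror the paper's monitoring checklist and cite only the requirement numbers
the paper mentions (#1 firewall, #2 defaults, #5 anti-malware, #8 identity,
#10 logging). Findings the paper leaves unnumbered are reported as "n/a".
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

SIGNATURE_MAX_AGE = timedelta(days=7)  # assumption: older signatures count as out of date
AS_OF = date(2013, 6, 1)               # constructed reporting date


@dataclass
class Host:
    name: str
    in_cde: bool                        # included in or connected to the cardholder data environment
    firewall_enabled: bool
    antimalware_installed: bool
    signature_date: date | None         # None when no anti-malware is installed
    guest_account_enabled: bool
    anonymous_shares: list[str] = field(default_factory=list)
    shared_accounts: list[str] = field(default_factory=list)     # one login used by several people
    default_credentials: list[str] = field(default_factory=list) # accounts still on vendor defaults
    missing_patches: list[str] = field(default_factory=list)     # constructed patch identifiers
    audit_logging: bool = True


@dataclass(frozen=True)
class Finding:
    host: str
    requirement: str   # requirement number as cited in the paper, or "n/a"
    detail: str


def assess_host(host: Host, as_of: date = AS_OF) -> list[Finding]:
    """Run the checklist against one host; out-of-scope hosts yield no findings."""
    findings: list[Finding] = []
    if not host.in_cde:
        return findings
    add = lambda req, detail: findings.append(Finding(host.name, req, detail))

    if not host.firewall_enabled:
        add("Requirement #1", "host firewall is disabled")
    for acct in host.default_credentials:
        add("Requirement #2", f"vendor default credential still in use: {acct}")
    if not host.antimalware_installed:
        add("Requirement #5", "no anti-malware installed")
    elif host.signature_date is None or as_of - host.signature_date > SIGNATURE_MAX_AGE:
        add("Requirement #5", "anti-malware signatures are out of date")
    if host.guest_account_enabled:
        add("Requirement #8", "guest account is enabled")
    for share in host.anonymous_shares:
        add("Requirement #8", f"anonymous share exposed: {share}")
    for acct in host.shared_accounts:
        add("Requirement #8", f"identity not unique (shared account): {acct}")
    for patch in host.missing_patches:
        add("n/a", f"missing security patch: {patch}")
    if not host.audit_logging:
        add("Requirement #10", "audit logging is disabled")
    return findings


def assess_inventory(hosts: list[Host], as_of: date = AS_OF) -> dict[str, list[Finding]]:
    """Return findings per host, omitting hosts that passed every check."""
    report = {h.name: assess_host(h, as_of) for h in hosts}
    return {name: found for name, found in report.items() if found}


def summarize(report: dict[str, list[Finding]]) -> dict[str, int]:
    """Count findings per requirement, the figure a compliance status report needs."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f.requirement] = counts.get(f.requirement, 0) + 1
    return counts


def sample_inventory() -> list[Host]:
    """Constructed inventory: a neglected POS host, a mostly-clean database, a clean web host
    and a lab kiosk outside the cardholder data environment."""
    return [
        Host("pos-01", True, False, True, date(2013, 5, 1), True,
             anonymous_shares=["POSDATA"], default_credentials=["admin"],
             missing_patches=["PATCH-A"]),
        Host("db-01", True, True, True, date(2013, 5, 30), False, audit_logging=False),
        Host("web-02", True, True, True, date(2013, 5, 31), False),
        Host("kiosk-lab", False, False, False, None, True, anonymous_shares=["PUBLIC"]),
    ]


if __name__ == "__main__":
    report = assess_inventory(sample_inventory())
    for name, findings in report.items():
        for f in findings:
            print(f"{name:10} {f.requirement:16} {f.detail}")
    print("summary:", summarize(report))
```

Hosts outside the cardholder data environment are skipped deliberately, which is why accurate scoping (the "crystal-clear view" of components described under Infrastructure) matters as much as the checks themselves; a kiosk wrongly marked out of scope would never be assessed. In practice the Host records would be populated from scanner output rather than typed by hand.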
NETWORK PROTECTION

Be sure to select a partner that can provide multi-layered protection for your network and communications infrastructure. At a minimum, implement the following protection technologies across and throughout your environment:

- Network intrusion detection/prevention
- Perimeter firewall
- Web and email anti-malware
- Network vulnerability assessment (used to validate the protection)
- Web and email encryption

How Unified Vulnerability Management Helps

As your critical IT assets are constantly changing, the challenge of PCI compliance becomes even harder. Every day you face new network devices, operating systems, applications, databases, and web applications, plus numerous IP-enabled devices (laptops, servers, printers, etc.). These lists seem to never stop growing, and as things get more complicated, they get more difficult to manage. Many organizations take the approach of using disparate, stand-alone solutions to accomplish the key aspects of vulnerability management (assessment, mitigation, and protection). However, this leaves them with a disjointed picture of security, which is not only more difficult to manage, but also more expensive. The answer to this challenge is Unified Vulnerability Management (UVM), which delivers a consolidated solution for assessing, mitigating, and protecting your environment, while reducing the overall cost of PCI compliance.
Conclusion

To be compliant, security professionals must employ old technologies, new tools, and unique techniques that not only identify potential threats but also make it cost effective to maintain and prove PCI compliance. With the right program in place, the right partner selected, and the right technologies deployed, your organization can achieve PCI DSS compliance and full confidence that your sensitive information is protected.

About BeyondTrust

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held, and headquartered in Carlsbad, California. For more information, visit beyondtrust.com.

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA HEADQUARTERS
Suite 345 Warren Street
London W1T 6AF
United Kingdom
Tel: +44 (0) 8704 586224
Fax: +44 (0) 8704 586225
emeainfo@beyondtrust.com

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com