PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined [1]. Merchants and payment card service providers must validate their compliance periodically. This validation is conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs). Smaller companies, processing less than about 80,000 transactions a year, are allowed to perform a self-assessment questionnaire.

History of PCI-DSS

PCI DSS originally began as five different programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council was formed, and on the 15th of December 2004, these companies aligned their individual policies and created the Payment Card Industry Data Security Standard. In September 2006, the PCI standard was updated to version 1.1 to provide clarification and minor revisions to version 1.0. PCI is considered one of the more comprehensive data security standards in a cluster of regulations that have emerged over the past decade: Basel II, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002, and California Senate Bill 1386.
In October 2007, Visa International announced new Payment Applications Security Mandates "that are designed to help companies comply with PCI." [3] The mandates must be implemented by 2010 and call for "new merchants that want to be authorized for payment card transactions will have to be using only PABP-validated applications." [4] These new mandates will help companies achieve Payment Application Best Practice (PABP) compliance, an implementation of PCI DSS in vendor software.

PCI-DSS Control Objectives

The current version of the standard (1.1) [2] specifies 12 requirements for compliance, organized into 6 logically related groups, which are called "control objectives."

Figure 1: Summary of PCI-DSS Technical Check Coverage
Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

How Symantec Control Compliance Suite Addresses These Requirements

Automation of Technical and Procedural Evidence Gathering

Symantec delivers the most comprehensive solution to automate the process of compliance. Businesses everywhere are attempting to comply cost-effectively with mandates like PCI. But achieving good governance and successfully addressing this problem means having a comprehensive view, one that spans from understanding regulatory requirements to performing technical assessments. Control Compliance Suite (CCS) and Policy Manager (PM) provide this holistic approach. With Symantec Control Compliance Suite and Policy Manager, organizations can easily formalize and automate the tasks that are typically the weak links in compliance: assessment, remediation, approval workflow, exception management, and consolidated reporting.
CCS/PM helps organizations tackle those difficult problems, while also easing the task of defining and managing policies, mapping policies to controls, publishing policies to end users, and collecting/archiving evidence of compliance.

Managing PCI Controls with Control Compliance Suite

Symantec's Control Compliance Suite can assist organizations in complying with many of the twelve requirements stated in PCI. CCS, in conjunction with other Symantec solutions, assists further in achieving full coverage of the twelve PCI requirements. Control Compliance Suite works through a process of scheduled agent-less reporting. Detected issues or non-compliant situations are handled through change-controlled remediation to provide end-to-end management. Our development and research teams are consistently updating CCS content to ensure our customers have the most up-to-date best-practice control recommendations and guidance. This section describes parts of PCI and how Control Compliance Suite addresses the requirements. For a complete description of the PCI DSS sections please visit: www.pcisecuritystandards.org

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Control Compliance Suite provides the capability to develop a written policy that outlines change management procedures and to disseminate it to the appropriate target audience. Also, a self-assessment questionnaire is developed in the RAM module to measure this procedural control.

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Control Compliance Suite allows companies to create a gold-standard configuration that meets their requirements. These standards can be created for specific types of servers or workstations and can be based on industry best practices such as the Center for Internet Security benchmarks (see footnote 1). CCS can then generate a thorough configuration (or delta) report on machines prior to putting them into production. Evaluations of servers and workstations can also be regularly scheduled, minimizing the window of time between a misconfiguration arising and remediation occurring. Control Compliance Suite uses closed-loop remediation and will automatically generate a new ticket within your helpdesk solution. The ticket will contain remediation guidance provided by CCS on the specific steps needed to solve the problem. The ticket's progress will be tracked, and once it is closed CCS will re-evaluate the server or workstation to ensure the remediation has occurred.

Footnote 1: PCI DSS Requirement 2 specifically points users to the Center for Internet Security Benchmarks in support of sub-requirement 2.2 for configuration standards.

PCI Requirement 3: Protect stored cardholder data.

Through CCS Entitlements reporting and workflow, the list of users deemed necessary to have these credentials is regularly monitored and approved by the appropriate manager. Also, a written policy is disseminated to network engineers that explicitly states the appropriate configuration and access rights requirements.

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Symantec Control Compliance Suite has the ability to schedule configuration checks throughout the environment. As it relates to section 4 of PCI, CCS allows organizations to verify that 128-bit SSL is implemented on all relevant machines in their environment. If SSL is not implemented, the company can utilize change-controlled remediation to resolve the issue.

PCI Requirement 5: Use and regularly update anti-virus software or programs.

The CCS Standards module runs scans on a scheduled basis to assure that all related anti-virus software or programs are in place and running, and that the related definitions are up to date.

PCI Requirement 6: Develop and maintain secure systems and applications.

Ensuring all system components have the latest patches installed to protect against exposure is not only a requirement for PCI, but also a staple of good governance. Control Compliance Suite, through its agentless technology, will scan your entire environment to ensure all configurations adhere to best practices and that the latest patches are installed. Customers can set up customized profiles for tracking misconfigurations with scheduled automated scans. The agentless CCS scans provide notifications on patch revision levels (or un-patched systems) for every machine in an environment.

PCI Requirement 7: Restrict access to cardholder data by business need-to-know.

Control Compliance Suite is the only solution in the market today that reports on entitlements and permissions beyond the ACL layer. CCS gathers permissions from file shares and NTFS (both directly assigned and inherited), effective group memberships (including nested groups), effective local and network access rights, and effective user privileges (backup, restore, take ownership) in a heterogeneous environment. All of this data is taken into account when creating a resultant set of permissions for each end user. CCS answers the questions of what a user has access to, what a group has access to, and which objects have rights to access specific data. In order to be compliant with PCI, organizations must have a thorough and accurate report of user and group permissions. CCS also delegates user access and permissions to the business owner.

PCI Requirement 8: Assign a unique ID to each person with computer access.

This section's focus is identity management. Control Compliance Suite isn't an identity management solution, but the reports it gathers work in conjunction with identity management solutions. CCS reports on whether stale user accounts are being deleted and whether password policies are being adhered to. With CCS's upcoming entitlement reporting, permissions to critical data stores can be easily reconciled and managed via each user's unique ID.

PCI Requirement 9: Restrict physical access to cardholder data.
CCS allows customers to develop policies and scheduled self-assessments specific to restricting physical access to cardholder data, to make sure key stakeholders are aware of and are implementing the required policies. Out of the box, CCS integrates the proof or attestation from the executed self-assessments directly into the appropriate policy, providing evidence of compliance or non-compliance with that policy.

PCI Requirement 10: Monitor and test the network.

Routinely monitor key groups for membership and for change relative to an approved state.

PCI Requirement 11: Regularly test security systems and processes.

Control Compliance Suite allows for automated, scheduled vulnerability scans across a heterogeneous environment. CCS focuses on internal, credentialed vulnerability scans, which give operations groups a richer understanding of their security posture. Our automated scans allow audits to occur more routinely because of the minimal staff required to generate compliance evidence.

PCI Requirement 12: Maintain a policy that addresses information security.

Policy Manager assists with the creation, dissemination, and user-acceptance tracking of security policies and procedures. This tool includes templates, best-practices guidance and the ability to distribute securely via an easy-to-use, Web-based format. Policy Manager can help policy creators understand how their policies map to controls mandated by PCI (and other regulations). It can also track user acceptance of these policies, proving that employees and contractors have read, understood, and accepted their responsibilities as they pertain to securing cardholder data.
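The two checks the paper describes at a high level, resolving a user's resultant set of permissions through nested group membership (Requirement 7) and comparing a key group's membership against an approved state (Requirement 10), as an added Python example; this is not code from the paper or from CCS, and the directory, ACL and approved-membership data are constructed samples.

```python
from collections import deque
# Constructed sample directory (not real data): group -> direct members,
# where a member is either a user account or another (nested) group.
GROUPS = {
    "Card Data Readers": {"bob", "Finance Staff"},
    "Finance Staff": {"carol", "Finance Contractors"},
    "Finance Contractors": {"dave"},
}
# Constructed NTFS-style ACL on a cardholder-data share: principal -> rights.
ACL = {
    "Card Data Readers": {"Read"},
    "Finance Staff": {"Read", "Write"},
    "bob": {"Modify"},
}

def effective_groups(user, groups=GROUPS):
    """All groups the user belongs to, directly or through nested groups."""
    result = set()
    pending = deque(g for g, members in groups.items() if user in members)
    while pending:
        g = pending.popleft()
        if g in result:
            continue  # already expanded (handles diamonds and cycles)
        result.add(g)
        pending.extend(p for p, members in groups.items() if g in members)
    return result

def effective_rights(user, acl=ACL, groups=GROUPS):
    """Resultant set of rights: union over the user and every effective group."""
    rights = set()
    for principal in {user} | effective_groups(user, groups):
        rights |= acl.get(principal, set())
    return rights

def expand_members(group, groups=GROUPS, seen=None):
    """Flatten a group to the user accounts it ultimately contains."""
    seen = set() if seen is None else seen
    seen.add(group)
    users = set()
    for m in groups.get(group, set()):
        if m not in groups:
            users.add(m)
        elif m not in seen:  # nested group not yet expanded
            users |= expand_members(m, groups, seen)
    return users

def group_drift(group, approved, groups=GROUPS):
    """Key-group membership versus its approved state: who was added or removed."""
    actual = expand_members(group, groups)
    return {"added": sorted(actual - approved), "removed": sorted(approved - actual)}
```

Any user whose effective rights exceed the business owner's approval, or any non-empty drift result for a monitored group, is the finding such a report would raise.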
OS Benchmark Standard                    Total Checks
CIS Windows 2003 Domain Member Server             450
CIS Windows 2000 Server                           453
CIS Windows 2003 Domain Controller                448
CIS Windows 2000 1.2.2                            185
CIS Sun Solaris 1.3                              1761
NSA Guidelines for Exchange                       124
NSA Guidelines for SQL                            358
Total PCI-DSS Checks                             3779

Summary

The Control Compliance Suite meets the requirements of PCI-DSS compliance head on by providing a holistic and automated method to gather both procedural and technical control evidence. Most importantly, CCS provides a consolidated visualization of compliance to SOX and other mandates and provides a means to quickly identify and remediate deficiencies before they come under auditor scrutiny.

Figure 2: View Results of Technical Evaluations
Contact Us Today
Call toll-free 1 (800) 745 6054
Visit Our Web Site http://enterprise.symantec.com

About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

Symantec World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 09/08 14121575