Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview


PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major payment card brands as a set of requirements to help organizations that process card payments prevent fraud, compromise of cardholder data and other security threats. A company that processes, stores or transmits payment card data must be PCI DSS compliant or risk losing its ability to process card payments and being audited and/or fined [1]. Merchants and payment card service providers must validate their compliance periodically. For the largest merchants this validation is an on-site assessment by a PCI DSS Qualified Security Assessor (QSA); smaller companies, processing roughly fewer than 80,000 transactions a year at the time of writing, are allowed to complete a Self-Assessment Questionnaire (SAQ) instead. The exact thresholds are set per card brand and per merchant level, so check the current brand programs rather than relying on the figure given here.

History of PCI-DSS

PCI DSS originally began as five separate programs: the Visa Cardholder Information Security Program (CISP), MasterCard Site Data Protection (SDP), the American Express Data Security Operating Policy, Discover Information Security and Compliance (DISC), and the JCB Data Security Program. Each company's intentions were roughly similar: to create an additional level of protection for customers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. On 15 December 2004 the five brands aligned their individual programs and released PCI DSS version 1.0. The PCI Security Standards Council (PCI SSC), formed by the same brands in September 2006, now maintains the standard; its first release, version 1.1 in September 2006, provided clarifications and minor revisions to version 1.0. PCI DSS is considered one of the more comprehensive data security standards in a cluster of regulations that emerged over the preceding decade: Basel II, the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 and California Senate Bill 1386.
In October 2007, Visa International announced new Payment Application Security Mandates "that are designed to help companies comply with PCI" [3]. The mandates, to be fully in force by 2010, call for "new merchants that want to be authorized for payment card transactions will have to be using only PABP-validated applications" [4]. PABP, Visa's Payment Application Best Practices, is an implementation of PCI DSS principles in vendor payment software; the PCI SSC later adopted it as the Payment Application Data Security Standard (PA-DSS).

PCI-DSS Control Objectives

The current version of the standard (1.1) [2] specifies 12 requirements for compliance, organized into 6 logically related groups called "control objectives."

Figure 1: Summary of PCI-DSS Technical Check Coverage
Page 1 of 6

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

How Symantec Control Compliance Suite Addresses These Requirements

Automation of Technical and Procedural Evidence Gathering

Symantec delivers a comprehensive solution to automate the process of compliance. Businesses everywhere are attempting to comply cost-effectively with mandates like PCI DSS. Achieving good governance and successfully addressing this problem means having a comprehensive view, one that spans from understanding the regulatory requirements to performing technical assessments. Control Compliance Suite (CCS) and Policy Manager (PM) provide this holistic approach. With Symantec Control Compliance Suite and Policy Manager, organizations can formalize and automate the tasks that are typically the weak links in compliance: assessment, remediation, approval workflow, exception management, and consolidated reporting.
CCS/PM helps organizations tackle those difficult problems, while also easing the task of defining and managing policies, mapping policies to controls, publishing policies to end users, and collecting and archiving evidence of compliance.

Managing PCI Controls with Control Compliance Suite

Symantec's Control Compliance Suite can assist organizations in complying with many of the twelve requirements stated in PCI DSS; in conjunction with other Symantec solutions it assists further in achieving full coverage of all twelve. Control Compliance Suite works through a process of scheduled, agentless reporting. Detected issues or non-compliant situations are handled through change-controlled remediation to provide end-to-end management. Our development and research teams consistently update CCS content to ensure that customers have the most up-to-date best-practice control recommendations and guidance.

This section describes parts of PCI DSS and how Control Compliance Suite addresses the requirements. For a complete description of the PCI DSS requirements please visit www.pcisecuritystandards.org.

PCI Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Control Compliance Suite provides the capability to develop a written policy outlining change management procedures for firewall and router configurations and to disseminate it to the appropriate target audience. A self-assessment questionnaire developed in the RAM module measures this procedural control. Requirement 1 also contains technical controls (periodic rule-set review and documented justification for every permitted service) whose evidence must come from the firewall and router configurations themselves; the policy and questionnaire cover only the procedural part.

PCI Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Control Compliance Suite allows companies to create a gold-standard configuration that meets their requirements. These standards can be created for specific types of servers or workstations and can be based on industry best practices such as the Center for Internet Security benchmarks (PCI DSS Requirement 2 specifically points users to the CIS benchmarks in support of sub-requirement 2.2, configuration standards). CCS can then generate a thorough configuration (or delta) report on a machine before it is put into production. Evaluations of servers and workstations can also be regularly scheduled, minimizing the window between a misconfiguration arising and remediation occurring. Control Compliance Suite uses closed-loop remediation: it automatically generates a ticket in your helpdesk solution containing CCS remediation guidance on the specific steps needed to solve the problem, tracks the ticket's progress, and once the ticket is closed re-evaluates the server or workstation to confirm that the remediation actually occurred.

PCI Requirement 3: Protect stored cardholder data.
Through CCS entitlement reporting and workflow, the list of users deemed to need access to stored cardholder data is regularly reviewed and approved by the appropriate manager. A written policy is also disseminated to network engineers that explicitly states the configuration and access-rights requirements. Requirement 3 additionally demands that stored account numbers be rendered unreadable (truncation, hashing or strong encryption with managed keys) and that sensitive authentication data never be retained after authorization; entitlement reporting does not evidence those controls.

PCI Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Symantec Control Compliance Suite can schedule configuration checks throughout the environment. For Requirement 4, CCS allows organizations to verify that 128-bit SSL/TLS is enabled on all relevant machines; where it is not, change-controlled remediation resolves the issue. (SSL and early TLS are no longer accepted as strong cryptography from PCI DSS 3.1 onward, so a current check should confirm that only current TLS versions are offered rather than that "SSL" is present.)

PCI Requirement 5: Use and regularly update anti-virus software or programs.
The CCS Standards module runs scans on a scheduled basis to confirm that the required anti-virus software is installed and running and that its definitions are up to date.

PCI Requirement 6: Develop and maintain secure systems and applications.
Ensuring that all system components have the latest patches installed is not only a PCI requirement but a staple of good governance. Control Compliance Suite, through its agentless technology, scans the entire environment to verify that configurations adhere to best practices and that the latest patches are installed. Customers can set up customized profiles for tracking misconfigurations with scheduled automated scans. The agentless CCS scans report patch revision levels (and unpatched systems) for every machine in the environment.

PCI Requirement 7: Restrict access to cardholder data by business need-to-know.
Symantec positions Control Compliance Suite as the only solution on the market that reports on entitlements and permissions beyond the ACL layer. CCS gathers permissions from file shares and NTFS (both directly assigned and inherited), effective group memberships (including nested groups), effective local and network access rights, and effective user privileges (backup, restore, take ownership) in a heterogeneous environment. All of this data is combined into a resultant set of permissions for each end user, answering what a user has access to, what a group has access to, and which principals have rights to a specific object. To be compliant with PCI, organizations must have a thorough and accurate report of user and group permissions. CCS also delegates review of user access and permissions to the business owner.

PCI Requirement 8: Assign a unique ID to each person with computer access.
This requirement focuses on identity management. Control Compliance Suite is not an identity management solution, but its reports work in conjunction with identity management solutions: CCS reports on whether stale user accounts are being removed and whether password policies are being adhered to. With CCS's upcoming entitlement reporting, permissions to critical data stores can be reconciled and managed via each user's unique ID.

PCI Requirement 9: Restrict physical access to cardholder data.
CCS allows customers to develop policies and scheduled self-assessments specific to restricting physical access to cardholder data, to make sure key stakeholders are aware of and are implementing the required policies. Out of the box, CCS attaches the attestations from the executed self-assessments directly to the appropriate policy, providing evidence of compliance or non-compliance with that policy.

PCI Requirement 10: Track and monitor all access to network resources and cardholder data.
CCS routinely monitors key groups for membership and reports any change from the approved state. The core of Requirement 10 is an audit trail of each individual's access to cardholder data, with synchronized clocks and regular log review; group-membership monitoring covers only the administrative-access part of it.

PCI Requirement 11: Regularly test security systems and processes.
Control Compliance Suite allows for automated, scheduled vulnerability scans across a heterogeneous environment. CCS focuses on internal, credentialed vulnerability scans, which give operations groups a richer understanding of their security posture. Automated scans allow audits to occur more routinely because minimal staff are needed to generate compliance evidence. Requirement 11 also calls for quarterly external scans by an Approved Scanning Vendor (ASV) and for penetration testing, which an internal credentialed scan does not satisfy.

PCI Requirement 12: Maintain a policy that addresses information security.
Policy Manager assists with the creation, dissemination, and user-acceptance tracking of security policies and procedures. It includes templates, best-practice guidance and the ability to distribute policies securely via an easy-to-use, Web-based format. Policy Manager can help policy authors understand how their policies map to controls mandated by PCI DSS (and other regulations). It also tracks user acceptance of these policies, proving that employees and contractors have read, understood, and accepted their responsibilities for securing cardholder data.
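The resultant-set-of-permissions query described under Requirement 7, and the comparison of actual access against an approved state under Requirement 10, as an added example in Python; it is not Control Compliance Suite code. The directory, the share ACLs and the approved-reader list are constructed samples, and the rule that a deny on any principal in the user's token overrides an allow is a simplification of the real NTFS evaluation order.

```python
"""Effective-permission and need-to-know reporting across nested groups.

Added example for the entitlement reporting described under Requirements 7
and 10. Not Control Compliance Suite code: the directory, the share ACLs and
the approved-reader list are constructed samples, and "a deny on any
principal in the user's token overrides an allow" simplifies NTFS ordering.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed directory: group -> direct members (users or other groups).
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice"},
    "CardData-Readers": {"bob", "Finance"},
    "Finance": {"carol", "Contractors"},
    "Contractors": {"dave"},
    "Backup Operators": {"Contractors"},
}

# Constructed share ACLs: object -> (principal, allow|deny, right) entries.
CHD_SHARE = "\\\\fs01\\cardholder"
PUBLIC_SHARE = "\\\\fs01\\public"
ACLS: Dict[str, List[Tuple[str, str, str]]] = {
    CHD_SHARE: [
        ("CardData-Readers", "allow", "read"),
        ("Domain Admins", "allow", "full"),
        ("Contractors", "deny", "read"),
    ],
    PUBLIC_SHARE: [("Everyone", "allow", "read")],
}


def expand_token(user: str) -> FrozenSet[str]:
    """The user plus every group containing it, transitively (nested groups).

    Iterative walk with a visited set, so circular nesting (A in B in A)
    terminates instead of recursing forever.
    """
    token: Set[str] = {user, "Everyone"}
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in GROUPS.items():
            if member in members and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


def effective_rights(user: str, obj: str) -> Set[str]:
    """Resultant set of rights for user on obj: allowed rights minus denied."""
    token = expand_token(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, right in ACLS.get(obj, []):
        if principal in token:
            (allowed if kind == "allow" else denied).add(right)
    return allowed - denied


def all_users() -> Set[str]:
    """Leaf principals: members that are not themselves groups."""
    return {m for members in GROUPS.values() for m in members if m not in GROUPS}


def who_can(obj: str, right: str) -> Set[str]:
    """Reverse query: every user whose resultant rights include `right` on obj."""
    return {u for u in all_users() if right in effective_rights(u, obj)}


def need_to_know_report(obj: str, right: str, approved: Set[str]) -> Dict[str, Set[str]]:
    """Compare actual access with the business owner's approved list.

    'unapproved' is the Requirement 7 exposure; 'missing' is an approved user
    who lost access, which usually means a group changed (Requirement 10 drift).
    """
    actual = who_can(obj, right)
    return {"unapproved": actual - approved, "missing": approved - actual}


if __name__ == "__main__":
    for user in sorted(all_users()):
        print(user, sorted(effective_rights(user, CHD_SHARE)))
    print(need_to_know_report(CHD_SHARE, "read", {"bob"}))
```

Run stand-alone it prints each user's resultant rights on the cardholder share and the need-to-know exceptions. What it shows that the text does not: carol reaches the share only through Finance nested inside CardData-Readers, while dave, nested the same way, is cut off by the deny on Contractors, so a report that stops at the direct ACL entries gets both of them wrong.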

OS Benchmark Standard                        Total Checks
CIS Windows 2003 Domain Member Server                 450
CIS Windows 2000 Server                               453
CIS Windows 2003 Domain Controller                    448
CIS Windows 2000 1.2.2                                185
CIS Sun Solaris 1.3                                  1761
NSA Guidelines for Exchange                           124
NSA Guidelines for SQL                                358
Total PCI-DSS Checks                                 3779

Summary

The Control Compliance Suite meets the requirements of PCI-DSS compliance head on by providing a holistic and automated method to gather both procedural and technical control evidence. Most importantly, CCS provides a consolidated view of compliance to PCI DSS, SOX and other mandates and a means to quickly identify and remediate deficiencies before they come under auditor scrutiny.

Figure 2: View Results of Technical Evaluations
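The gold-standard evaluation, delta report and closed-loop re-check described under Requirement 2, as an added example in Python; it is not Control Compliance Suite content. Its five checks stand in for the thousands of benchmark checks counted in the table above; the pass conditions follow PCI DSS v1.1 sub-requirements 2.1, 8.5.9, 8.5.10 and 8.5.13, while the host snapshots, setting names, helpdesk stand-in and ticket identifiers are constructed.

```python
"""Gold-standard baseline evaluation with a delta report and closed-loop re-check.

Added example for the Requirement 2 workflow; not Control Compliance Suite
content. Pass conditions follow PCI DSS v1.1 sub-requirements 2.1, 8.5.9,
8.5.10 and 8.5.13. Host snapshots, setting names, the TicketQueue stand-in
and the ticket identifiers are constructed samples.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set


@dataclass(frozen=True)
class Check:
    setting: str
    passes: Callable[[Any], bool]
    requirement: str
    guidance: str


BASELINE: List[Check] = [
    Check("password_min_length", lambda v: v >= 7, "8.5.10",
          "Require a minimum password length of 7 characters"),
    Check("password_max_age_days", lambda v: 0 < v <= 90, "8.5.9",
          "Expire passwords at least every 90 days"),
    Check("lockout_threshold", lambda v: 0 < v <= 6, "8.5.13",
          "Lock the account after no more than 6 failed attempts"),
    Check("snmp_communities", lambda v: not ({"public", "private"} & set(v)), "2.1",
          "Replace vendor-default SNMP community strings"),
    Check("default_admin_password_changed", lambda v: v is True, "2.1",
          "Change the vendor-supplied administrative password"),
]


@dataclass
class Finding:
    host: str
    setting: str
    observed: Any
    requirement: str
    guidance: str
    ticket: str = ""


def evaluate(host: str, snapshot: Dict[str, Any]) -> List[Finding]:
    """Delta report: one Finding per baseline check the snapshot fails.

    A setting absent from the snapshot fails closed: no evidence, no pass.
    """
    findings: List[Finding] = []
    for chk in BASELINE:
        observed = snapshot.get(chk.setting)
        try:
            ok = observed is not None and chk.passes(observed)
        except TypeError:  # wrong type in collected data is a failure too
            ok = False
        if not ok:
            findings.append(Finding(host, chk.setting, observed, chk.requirement, chk.guidance))
    return findings


class TicketQueue:
    """Stand-in for the helpdesk integration (constructed, not a real API)."""

    def __init__(self) -> None:
        self.tickets: Dict[str, str] = {}  # ticket id -> "open" | "closed"

    def open(self, finding: Finding) -> str:
        finding.ticket = f"TKT-{len(self.tickets) + 1:04d}"
        self.tickets[finding.ticket] = "open"
        return finding.ticket

    def close(self, ticket: str) -> None:
        self.tickets[ticket] = "closed"


Remediator = Callable[[Dict[str, Any], List[Finding]], Dict[str, Any]]


def closed_loop(host: str, snapshot: Dict[str, Any], queue: TicketQueue, remediate: Remediator) -> Set[str]:
    """Evaluate, open a ticket per finding, remediate, then re-evaluate.

    A ticket is closed only when the re-evaluation no longer reports its
    setting; the settings still failing are returned so they stay visible.
    """
    findings = evaluate(host, snapshot)
    for f in findings:
        queue.open(f)
    still_failing = {f.setting for f in evaluate(host, remediate(snapshot, findings))}
    for f in findings:
        if f.setting not in still_failing:
            queue.close(f.ticket)
    return still_failing


# Constructed snapshots of two hosts, as an agentless collector might return them.
HOSTS: Dict[str, Dict[str, Any]] = {
    "pos-01": {"password_min_length": 6, "password_max_age_days": 0, "lockout_threshold": 6,
               "snmp_communities": ["public"], "default_admin_password_changed": True},
    "db-01": {"password_min_length": 12, "password_max_age_days": 60, "lockout_threshold": 5,
              "snmp_communities": ["r0-mon-7f"], "default_admin_password_changed": True},
}


def sample_remediation(snapshot: Dict[str, Any], findings: List[Finding]) -> Dict[str, Any]:
    """Simulated partial fix: password settings corrected, SNMP left untouched."""
    fixed = dict(snapshot)
    fixed.update({"password_min_length": 8, "password_max_age_days": 90})
    return fixed


if __name__ == "__main__":
    queue = TicketQueue()
    for host, snap in HOSTS.items():
        for f in evaluate(host, snap):
            print(f"{f.host}: {f.setting}={f.observed!r} fails req {f.requirement}: {f.guidance}")
    print("still failing:", closed_loop("pos-01", HOSTS["pos-01"], queue, sample_remediation))
    print(queue.tickets)
```

Two design points carry the security value: a setting the collector did not return fails closed rather than passing by absence, and a ticket is closed only on re-evaluation of the host, not when someone marks it done in the helpdesk, which is what makes the loop closed.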

Contact Us Today
Call toll-free 1 (800) 745 6054
Visit Our Web Site: http://enterprise.symantec.com

About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help businesses and consumers secure and manage their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

Symantec World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
1 (800) 721 3934
www.symantec.com

Copyright 2008 Symantec Corporation. All rights reserved. Symantec and the Symantec logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 09/08 14121575