Clearing the Path to PCI DSS Version 2.0 Compliance


WHITE PAPER

Clearing the Path to PCI DSS Version 2.0 Compliance
Streamlining processes for protecting cardholder data

In the past two decades, and particularly the last 10 years, consumer debit and credit card use has exploded, as have identity theft and credit card fraud. Regulations, chief among them the Payment Card Industry Data Security Standard, or PCI DSS, have sprung up in response, requiring companies to take specific measures to secure consumers' data. PCI DSS compliance is the cost of doing business for any company that handles cardholder data. Yet organizations, both large and small, struggle to meet the evolving standard. Compliance demands not a singular effort, but a continuous, time- and resource-intensive process of gathering, tracking and analyzing vast amounts of information across the cardholder environment, a complex web of data systems and network resources. An organization that excels at automating, standardizing and monitoring its systems and access controls can comply not only with PCI DSS, but with many other state and federal regulations that have similar mandates. By investing in the proper standardization tools and automation software, the organization can even thrive while doing so, shifting resources freed up by a simpler, more cost-effective way of achieving compliance toward new business initiatives.

Table of Contents

PCI DSS Deconstructed
Greatest Roadblocks in the Path to PCI DSS Compliance
How NetIQ Clears the Path to PCI DSS Compliance
  Built-in Compliance Guidance
  Vulnerability Management
  User Activity Monitoring
  Anomalous Behavior Tracking
Summary
About NetIQ

PCI DSS Deconstructed

With the protection of cardholder data as its core goal, PCI DSS codifies best practices for data security. These practices begin with the formulation of concrete information security policies and follow through with specific measures for securing networks against attack, as well as for regulating and monitoring network access. PCI DSS has outlined six key sections encompassing 12 requirements, which segment into more than 210 specific controls. The main sections break down as follows:

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data.
  Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software or programs.
  Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know.
  Requirement 8: Assign a unique ID to each person with computer access.
  Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data.
  Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for all personnel.

Figure 1. PCI DSS sections and requirements.

Five global payment brands, American Express, Discover Financial Services, JCB International, Visa Inc. and MasterCard Worldwide, form the PCI Security Standards Council, which introduced the PCI DSS standard in 2006. This standard outlines best practices for securing cardholder data, and any organization that stores, processes or transmits cardholder data must comply. PCI DSS has continued to evolve in step with new security challenges. As of January 2011, companies must comply with PCI DSS version 2.0, which aligns the standard with new industry best practices, clarifies requirements for logging and reporting, and allows greater flexibility in implementation.

Greatest Roadblocks in the Path to PCI DSS Compliance

Although a few simple steps, such as maintaining up-to-date anti-virus software, can bring a company part of the way to compliance, full compliance entails complex and demanding procedural changes, such as tracking and monitoring access to network resources and cardholder data. Because these processes often cross many departmental boundaries, involve several teams and affect multiple system platforms, the time and expense of implementing them can leave an enterprise floundering short of full compliance.

Indeed, the Verizon 2012 Payment Card Industry Compliance Report indicates that only 18 percent of enterprises complied with the complete requirements for protecting stored data (requirement 3). Only 11 percent fully met the requirement to track and monitor all access to network resources and cardholder data (requirement 10). And even fewer, a paltry 6 percent, regularly tested security systems and processes (requirement 11).

Verizon's findings aren't surprising considering the time and resources required to coordinate auditing and access controls across so many departmental boundaries and system platforms. Companies that underestimate these efforts, and leave themselves bound by manual processes and limited staff, must number themselves among the non-compliant majority vulnerable to regulatory fines.

"Organizations both large and small seem to struggle the most with requirements 3 (protect stored cardholder data), 7 (restrict access to cardholder data), 10 (track and monitor access), and 11 (regularly test systems and processes)." Verizon 2012 Payment Card Industry Compliance Report

How NetIQ Clears the Path to PCI DSS Compliance

As compliance demands comprehensive protection of cardholder data, enterprises require comprehensive solutions that support heterogeneous environments with a multitude of servers, operating systems, devices and applications. NetIQ security and compliance management solutions prove their value here by automating the substantive procedural changes necessary for painless compliance. The solutions help you to monitor a heterogeneous network environment, analyze system security and regulate user access. In addition to helping you achieve and maintain compliance with data security standards such as PCI DSS, NetIQ solutions prove compliance with reports that clearly show properly provisioned user rights and strongly secured systems.

Built-in Compliance Guidance

NetIQ has embedded years of expertise in security and compliance into pre-built templates that guide security teams toward achieving compliance. NetIQ Secure Configuration Manager detects misconfigured systems that leave a company vulnerable to attacks and non-compliance penalties. It assesses system configurations against best practices and performs out-of-the-box checks for compliance with specific standards such as PCI DSS. Its full user-entitlement reporting further ensures that only users who require access to specific systems have it.

NetIQ Secure Configuration Manager helps you to:
- Assess network and application configurations against PCI directives.
- Apply industry best practices for network and data security.
- Better manage access by identifying user entitlements.

Vulnerability Management

To comply with key components of PCI DSS, security teams must pinpoint, and then remediate, network or system vulnerabilities. NetIQ Secure Configuration Manager determines system vulnerabilities using credential-based and host-based processes. It checks for weaknesses listed in the National Vulnerability Database, continually updating its assessment tool with an automated security content service.

NetIQ Secure Configuration Manager helps you to:
- Assess system configurations against internal standards, regulatory requirements and best practices.
- See at a glance which risks are and are not managed.
- Close vulnerabilities before they lead to problems.

User Activity Monitoring

One of PCI DSS's overarching goals, restricting access to those who need to know, poses a particular challenge to industries like retail and service that typically have high employee turnover. Yet such access controls remain a vital component of compliance, not only to distinguish users from each other, but, more importantly, to defend against insider threats to information assets.

An industry-leading user activity monitoring solution, NetIQ Sentinel leverages identity management to tie users to specific actions across systems. NetIQ Sentinel monitors system changes and user activity in real time, detects threats and intrusions, manages and correlates security events, manages logs, and automates incident responses, all with a single, integrated and scalable infrastructure. With NetIQ Sentinel linking user identities to actions, compliance officers and auditors get the who, what, when and where of security events, allowing them to improve enterprise defenses without compromising user productivity.

NetIQ Sentinel helps you to:
- Enforce your security policies and best practices in real time while meeting PCI DSS's log-retention, review and reporting requirements.
- Gain visibility into the complete cardholder data environment using data correlated from multiple endpoints and applications.
- Leverage the improved visibility to improve security and reduce risks.
- Reduce the risk of data breach and other losses by quickly responding to real-time alerts.

Additionally, NetIQ Change Guardian solutions offer rapid, real-time change detection for critical files, systems, directories or objects. This product family consists of application-specific software targeting Active Directory, Windows and Group Policy. The product line provides detailed, comprehensive alerts and reports on the activities of privileged users, on unauthorized changes and on other behavior that may represent an attack in progress. NetIQ Change Guardian integrates with NetIQ Sentinel or other vendors' security information and event management or ticketing software. This integration, coupled with NetIQ Change Guardian's on-demand reporting and 24/7 coverage, helps you to flag anomalies and seal leaks before attackers can extract data through them.

NetIQ Change Guardian helps you to:
- Monitor system configurations, files and applications for issues before harm ensues.
- Monitor user activity for suspicious or unauthorized behavior as it occurs.
- Immediately identify unmanaged changes and unauthorized access or activities anywhere in the enterprise.

Anomalous Behavior Tracking

The first tip-off of many attacks, including attacks thieves launch through payment processors, is an unusual or sudden change in network behavior. Retailers, for instance, may notice a high volume of activity during off-hours when transactions should cease. NetIQ Sentinel detects many threats out of the box without time-consuming configuration.

Built-in anomaly detection automatically establishes baselines of normal activity and detects changes that can represent emerging threats.

NetIQ Sentinel helps you to:
- Detect and act on anomalies as quickly as possible.
- Strengthen your network at traditionally weak points, such as point-of-sale devices.
- Reduce the risk of succumbing to an attack.

Summary

Six years after the initial release of PCI DSS, and in the wake of the 2.0 update, less than 40 percent of businesses beholden to the standard have succeeded in meeting every requirement. The greatest roadblocks in the path to full compliance remain:
- Sufficiently monitoring user activity
- Managing vulnerabilities as they are discovered during assessments
- Establishing and enforcing sound security policies

Surmounting these challenges requires more than a punch list of action items; it demands evolving processes for monitoring systems and users. Yet implementing these processes across heterogeneous systems has proven difficult for some organizations, which lack the IT resources to conduct proper assessments and then to take adequate steps toward remediation. Proven tools, such as those offered by NetIQ, give security teams the real-time information and automated processes that they need to achieve PCI DSS compliance painlessly. With more effective processes and a more productive IT staff, your company benefits from compliance as much as your customers do.

The NetIQ solutions guide your company quickly and cost-effectively to compliance; with them, you can:
- Use out-of-the-box templates, which distill years of NetIQ expertise in data security, to bring platforms and applications into compliance with best practices and specific regulations.
- Check systems for vulnerabilities against the National Vulnerability Database's most up-to-date list.
- Find and close vulnerabilities before attackers exploit them.
- Monitor and log user activity, linking security events to the people involved.
- Detect anomalous behavior that might indicate an attack in real time and respond immediately.
- Strengthen the enterprise's security posture to meet PCI DSS 2.0 as well as other regulations involving data and network security.
- Prove compliance using automated logs and reports.
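The User Activity Monitoring and Anomalous Behavior Tracking sections describe two mechanisms in prose only: tying a user identity to each action so that an event carries its who, what, when and where, and learning a baseline of normal activity so that off-hours volume stands out. The script below is an added illustration of both, written for this page; it is not NetIQ code and uses no NetIQ product API. Every log line, host address, session id and transaction count in it is constructed sample data, and the session-id join between an authentication log and an application log is an assumed log layout chosen for the example.

```python
"""Added illustration (not NetIQ code, no NetIQ API): the two monitoring ideas the
white paper describes. First, tie user identities to actions by joining an auth
log with an application log on a shared session id, giving the who/what/when/
where of each event. Second, learn a per-hour baseline of transaction volume and
flag hours that deviate from it, including any activity in hours that are
normally silent. All log lines and counts below are constructed sample data."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed auth log: the only source that names the user behind a session.
AUTH_LOG = """\
2012-03-05T08:02:11Z login user=jdoe session=s1 src=10.1.2.40
2012-03-05T08:05:42Z login user=asmith session=s2 src=10.1.2.41
2012-03-05T23:10:03Z login user=svc_pos session=s3 src=10.1.9.7
"""
# Constructed application log: records actions, but only by session id.
APP_LOG = """\
2012-03-05T08:03:00Z session=s1 action=read object=card_batch_0305
2012-03-05T08:06:10Z session=s2 action=read object=card_batch_0305
2012-03-05T23:11:00Z session=s3 action=export object=card_batch_0305
2012-03-05T23:12:30Z session=s9 action=read object=card_batch_0305
"""

def parse_kv_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp becomes 'when'."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["when"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def link_identities(auth_text, app_text):
    """Join application events to the user and source host of their session.
    A session with no auth record is kept and marked unknown rather than dropped:
    an action nobody can be tied to is itself a finding under requirements 8 and 10."""
    sessions = {}
    for line in auth_text.splitlines():
        if line.strip():
            ev = parse_kv_line(line)
            sessions[ev["session"]] = (ev["user"], ev["src"])
    linked = []
    for line in app_text.splitlines():
        if not line.strip():
            continue
        ev = parse_kv_line(line)
        who, where = sessions.get(ev["session"], ("<unknown>", "<unknown>"))
        linked.append({"who": who, "what": ev["action"], "when": ev["when"],
                       "where": where, "object": ev["object"]})
    return linked

def off_hours_actions(linked, open_hours=range(8, 20)):
    """Actions performed outside the hours when transactions are expected."""
    return [ev for ev in linked if ev["when"].hour not in open_hours]

def build_history(days=14):
    """Constructed history of transactions per hour for a store that trades
    08:00-19:59; closed hours see no transactions at all."""
    history = defaultdict(list)  # hour -> [count on day 0, count on day 1, ...]
    for day in range(days):
        for hour in range(24):
            busy = 8 <= hour < 20
            history[hour].append(100 + (day * 7 + hour * 3) % 15 if busy else 0)
    return history

def hourly_baseline(history):
    """Mean and population standard deviation of the count for each hour."""
    return {h: (statistics.mean(c), statistics.pstdev(c)) for h, c in history.items()}

def flag_anomalies(today, baseline, k=3.0):
    """Return (hour, count, threshold) for hours whose count exceeds the baseline.
    Hours that are normally silent get a threshold of zero, so a single
    transaction there is flagged; busy hours use mean + k standard deviations
    with a floor of 1.0 on the deviation so a very flat history cannot make
    ordinary jitter look anomalous."""
    flagged = []
    for hour, count in sorted(today.items()):
        mean, sd = baseline[hour]
        threshold = 0.0 if mean == 0 else mean + k * max(sd, 1.0)
        if count > threshold:
            flagged.append((hour, count, threshold))
    return flagged

def todays_counts():
    """Constructed counts for one day: normal trade, a spike at 14:00 and
    a dozen transactions at 23:00 when the store is closed."""
    today = {h: (105 if 8 <= h < 20 else 0) for h in range(24)}
    today[14] = 160
    today[23] = 12
    return today

if __name__ == "__main__":
    for ev in link_identities(AUTH_LOG, APP_LOG):
        print(f"{ev['when']:%H:%M} {ev['who']:<10} {ev['what']:<7} {ev['object']} from {ev['where']}")
    baseline = hourly_baseline(build_history())
    for hour, count, threshold in flag_anomalies(todays_counts(), baseline):
        print(f"hour {hour:02d}: {count} transactions, threshold {threshold:.1f}")
```

Two design points carry over to real deployments regardless of tooling. An event whose session cannot be resolved to a person is reported as "<unknown>" rather than silently dropped, because an unattributable action on cardholder data is exactly what requirement 10 review is meant to surface. And the baseline treats hours with a mean of zero specially: a store that never trades at 23:00 should alert on a dozen transactions, which a plain mean-plus-deviation rule would miss when the deviation is also zero.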

About NetIQ

NetIQ is a global, IT enterprise software company with a relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and manage the complexity of dynamic, highly distributed business applications. Our portfolio includes scalable, automated solutions for Identity, Security and Governance, and IT Operations Management that help organizations securely deliver, measure, and manage computing services across physical, virtual, and cloud computing environments. These solutions and our practical, customer-focused approach to solving persistent IT challenges ensure organizations are able to reduce cost, complexity and risk. To learn more about our industry-acclaimed software solutions, visit www.netiq.com.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright 2012 NetIQ Corporation and its affiliates. All Rights Reserved. ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the USA. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Worldwide Headquarters
1233 West Loop South, Suite 810
Houston, Texas 77027 USA
Worldwide: +713.548.1700
U.S. / Canada Toll Free: 888.323.6768
info@netiq.com
www.netiq.com
http://community.netiq.com

For a complete list of our offices in North America, Europe, the Middle East and Africa, Asia-Pacific and Latin America, please visit www.netiq.com/contacts