PCI DSS and the VNC SDK

Similar documents
PCI DSS and VNC Connect

VNC SDK security whitepaper

Cloud versus direct with VNC Connect

VNC Connect security whitepaper. Cloud versus direct with VNC Connect

VNC Connect security whitepaper. VNC Connect. Instant support FAQs

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

VNC Connect security whitepaper. VNC Connect security whitepaper

Safeguarding Cardholder Account Data

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

SECURITY PRACTICES OVERVIEW

Google Cloud Platform: Customer Responsibility Matrix. December 2018

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

PCI DSS Compliance. White Paper Parallels Remote Application Server

University of Sunderland Business Assurance PCI Security Policy

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy

AuthAnvil for Retail IT. Exploring how AuthAnvil helps to reach compliance objectives

PCI Compliance: It's Required, and It's Good for Your Business

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Achieving PCI Compliance: Long and Short Term Strategies

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Ready Theatre Systems RTS POS

Complying with PCI DSS 3.0

Simple and Powerful Security for PCI DSS

A QUICK PRIMER ON PCI DSS VERSION 3.0

PCI Compliance. with O365 Manager Plus.

Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1

WHITE PAPER. PCI and PA DSS Compliance with LogRhythm

Total Security Management PCI DSS Compliance Guide

The Honest Advantage

Daxko s PCI DSS Responsibilities

GlobalSCAPE EFT Server. HS Module. High Security. Detail Review. Facilitating Enterprise PCI DSS Compliance

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Enabling compliance with the PCI Data Security Standards December 2007

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Merchant Guide to PCI DSS

PCI COMPLIANCE IS NO LONGER OPTIONAL

PCI DSS COMPLIANCE 101

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

CHOOSING A REMOTE ACCESS SOFTWARE SOLUTION

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

Navigating the PCI DSS Challenge. 29 April 2011

Security and PCI Compliance for Retail Point-of-Sale Systems

PCI DSS COMPLIANCE DATA

Technician s guide to instant support

CN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005

System Security Features

Employee Security Awareness Training Program

Stripe Terminal Implementation Guide

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

Best Practices (PDshop Security Tips)

Fore! Reservations PA-DSS Implementation Guide

Applying Oracle Technologies in PCI DSS certification process

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence

LOGmanager and PCI Data Security Standard v3.2 compliance

Payment Card Industry (PCI) Data Security Standard

PCI Compliance Updates

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

Xerox Audio Documents App

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

GUIDE TO STAYING OUT OF PCI SCOPE

Addressing PCI DSS 3.2

SECURITY PLATFORM FOR HEALTHCARE PROVIDERS

Ritz Camera Leverages Whitelisting for Picture Perfect Security

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

Your guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au

FAQs. The Worldpay PCI Program. Help protect your business and your customers from data theft

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Compliance with CloudCheckr

Security Principles for Stratos. Part no. 667/UE/31701/004

SIP Trunks. PCI compliance paired with agile and cost-effective telephony

Pulseway Security White Paper

Oracle Data Cloud ( ODC ) Inbound Security Policies

PCI DSS Illuminating the Grey 25 August Roger Greyling

SoftLayer Security and Compliance:

Checklist: Credit Union Information Security and Privacy Policies

PCI compliance the what and the why Executing through excellence

ADDRESSING PCI DSS 3.0 REQUIREMENTS WITH THE VORMETRIC DATA SECURITY PLATFORM

COMPLETING THE PAYMENT SECURITY PUZZLE

Mapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma

Tokenisation for PCI-DSS Compliance

in PCI Regulated Environments

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

PCI Compliance Whitepaper

WHITEPAPER. Security overview. podio.com

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

2012PHILIPPINES ECC International :: MALAYSIA :: VIETNAM :: INDONESIA :: INDIA :: CHINA

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transcription:

RealVNC Limited 2016. 1

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by many major credit card companies, including Visa, MasterCard, American Express, Discover and JCB, to ensure the safe handling of credit card information. To achieve PCI compliance, your business must adhere to the following security requirements: Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 2

How does the VNC SDK enable PCI compliance? With the VNC SDK, you can build remote access capabilities into your product without sacrificing PCI 3.2 compliance. Note: No single aspect of your product makes it PCI-compliant. To achieve PCI compliance, your product must adhere in full to the security policies outlined in the table above; your choice of remote access SDK is merely one aspect of that. Here s how the VNC SDK meets each of the guidelines above: Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data a. The VNC SDK does not require any inbound firewall configuration, meaning your existing PCI-compliant firewall need not be changed. If you wish to connect via the cloud (and outbound rules are in place), certain domains must be whitelisted. 2. Do not use vendor-supplied defaults for system passwords and other security parameters a. The developer can configure the Server app to request a username/password before an incoming connection is accepted. No default password / security parameter is provided, and no connection is accepted by default. b. The VNC SDK supports two connection types: cloud and direct. The developer can choose to disable either of these. Protect cardholder data 3. Protect stored cardholder data a. It is possible to transmit credit card information via the VNC SDK (e.g. via remote control or by copying and pasting between the Viewer and Server apps). These features are disabled by default and must be explicitly enabled by the developer, who can then limit their use to certain users. b. Keys used to secure encrypted remote access sessions can be stored and protected according to your requirements. 4. Encrypt transmission of cardholder data across open, public networks a. The VNC SDK uses the RFB 5 protocol, which mandates the use of modern cipher suites and uses strong cryptography throughout. Developers can use the VNC SDK s logging functionality to verify cipher suites in use. b. All connections are protected by at least 128-bit AES-GCM encryption. c. All connections have perfect forward secrecy, ensuring they cannot be decrypted now or in the future. d. Access to the VNC Developer online portal is protected by mandatory TLS. We follow best practices for secure web development, and our website is graded A in the Qualys SSL Labs test. 3

Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware a. The VNC SDK is compatible with your existing PCI-compliant firewall/anti-virus software. b. Our own online infrastructure is similarly protected from malware. 6. Develop and maintain secure systems and applications a. We release free security updates for the VNC SDK as and when new threats emerge. Any new code is subject to a security review. These security updates are available on the VNC Developer website. b. Our technical operations team monitors our online infrastructure 24 hours a day, 365 days a year. These systems are regularly patched. Any critical vulnerabilities in upstream dependencies are assessed and patched outside our regular patch schedule. Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know a. For VNC Cloud connections, access control lists regulate who can attempt to connect. For direct TCP connections, the developer can filter connections by IP address to achieve the same effect. For either connection type, the developer can grant permissions based on the authenticated user ID of the person connecting (certain users can be denied access entirely). The developer can look up appropriate permissions using a mechanism of their choice. b. Developers can ensure successful and failed connection attempts are appropriately recorded in audit logs. 8. Assign a unique ID to each person with computer access a. The developer can configure the VNC SDK to require an authenticated user ID before remote access is established. Without this configuration, all connections are rejected by default. b. The developer can tell the VNC SDK where to find an up-to-date list of authorized user IDs. This ensures unauthorized users do not gain access. It can also restrict users to access during certain times. c. Developers have full control over how many authentication failures a connecting user can make before being locked out, or how long a session may remain idle before the connected user is automatically disconnected. d. Public versions of the VNC SDK allow authentication by user ID and password/passphrase. Pre-release versions of the VNC SDK additionally include APIs to allow multi-factor authentication by a range of different mechanisms. e. Developers can configure the VNC SDK to meet any password length/complexity requirements, and to enforce any password change policy. 9. Restrict physical access to cardholder data a. Out of scope for a remote access SDK. Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 4

a. You can configure the VNC SDK to audit any quality of logging, to any destination you choose. b. If your VNC Developer account s security settings (e.g. its password) are altered, an email is automatically sent confirming these changes. 11. Regularly test security systems and processes a. Out of scope for a remote access SDK. Maintain an information security policy 12. Maintain a policy that addresses information security a. The features and functionality detailed above should help you complete the appropriate portions of your information security strategy. If you require any more details, please contact RealVNC. 5

RealVNC s remote access and management software is used by hundreds of millions of people worldwide in every sector of industry, government and education. Our software helps organizations cut costs and improve the quality of supporting remote computers and applications. RealVNC is the original developer of VNC remote access software and supports an unrivalled mix of desktop and mobile platforms. Using our software SDKs, third-party technology companies also embed remote access technology direct into their products through OEM agreements. Copyright RealVNC Limited 2017. RealVNC and VNC are trademarks of RealVNC Limited and are protected by trademark registrations and/or pending trademark applications in the European Union, United States of America and other jurisdictions. Other trademarks are the property of their respective owners. Protected by UK patents 2481870, 2491657; US patents 8760366, 9137657; EU patent 2652951. www.realvnc.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback