Clearing the Path to PCI DSS Version 2.0 Compliance


White Paper (NetIQ Secure Configuration Manager, Sentinel, Change Guardian): Clearing the Path to PCI DSS Version 2.0 Compliance

Table of Contents
- Streamlining Processes for Protecting Cardholder Data
- PCI DSS Deconstructed
- Greatest Roadblocks in the Path to PCI DSS Compliance
- How NetIQ Clears the Path to PCI DSS Compliance
- Summary
- About NetIQ

Streamlining Processes for Protecting Cardholder Data

In the past two decades, and particularly the last 10 years, consumer debit and credit card use has exploded, as have identity theft and credit card fraud. Regulations, chief among them the Payment Card Industry Data Security Standard (PCI DSS), have sprung up in response, requiring companies to take specific measures to secure consumers' data. PCI DSS compliance is the cost of doing business for any company that handles cardholder data.

Yet organizations, both large and small, struggle to meet the evolving standard. Compliance demands not a singular effort, but a continuous as well as time- and resource-intensive process of gathering, tracking and analyzing vast amounts of information across the cardholder environment, a complex web of data systems and network resources.

An organization that excels at automating, standardizing and monitoring its systems and access controls can comply not only with PCI DSS but also with many other state and federal regulations that have similar mandates. By investing in the proper standardization tools and automation software, the organization can even thrive while doing so, shifting resources freed up by a simpler, more cost-effective way of achieving compliance toward new business initiatives.

PCI DSS Deconstructed

With the protection of cardholder data as its core goal, PCI DSS codifies best practices for data security. These practices begin with the formulation of concrete information security policies and follow through with specific measures for securing networks against attack, as well as for regulating and monitoring network access. PCI DSS outlines six key sections encompassing 12 requirements, which segment into more than 210 specific controls. The main sections break down as follows:

Fig. 1: PCI DSS sections and requirements

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel.

Five global payment brands (American Express, Discover Financial Services, JCB International, Visa Inc. and MasterCard Worldwide) form the PCI Security Standards Council, which introduced the PCI DSS standard in 2006. This standard outlines best practices for securing cardholder data, and any organization that stores, processes or transmits cardholder data must comply. PCI DSS has continued to evolve in step with new security challenges. As of January 2011, companies must comply with PCI DSS version 2.0, which aligns the standard with new industry best practices, clarifies requirements for logging and reporting, and allows greater flexibility in implementation.

Greatest Roadblocks in the Path to PCI DSS Compliance

Although a few simple steps, such as maintaining up-to-date anti-virus software, can bring a company part of the way to compliance, full compliance entails complex and demanding procedural changes, such as tracking and monitoring access to network resources and cardholder data. Because these processes often cross many departmental boundaries, involve several teams and affect multiple system platforms, the time and expense of implementing them can leave an enterprise floundering short of full compliance.

Indeed, the Verizon 2012 Payment Card Industry Compliance Report indicates that only eighteen percent of enterprises complied with the complete requirements for protecting stored data (Requirement 3). Only eleven percent fully met the requirement to track and monitor all access to network resources and cardholder data (Requirement 10). And even fewer, a paltry six percent, regularly tested security systems and processes (Requirement 11).

Verizon's findings aren't surprising considering the time and resources required to coordinate auditing and access controls across so many departmental boundaries and system platforms. Companies that underestimate these efforts, and leave themselves bound by manual processes and limited staff, must number themselves among the non-compliant majority vulnerable to regulatory fines.

"Organizations both large and small seem to struggle the most with requirements 3 (protect stored cardholder data), 7 (restrict access to cardholder data), 10 (track and monitor access), and 11 (regularly test systems and processes)." (Verizon 2012 Payment Card Industry Compliance Report)

How NetIQ Clears the Path to PCI DSS Compliance

As compliance demands comprehensive protection of cardholder data, enterprises require comprehensive solutions that support heterogeneous environments with a multitude of servers, operating systems, devices and applications. NetIQ security and compliance management solutions prove their value in the automation of the substantive procedural changes necessary for painless compliance. The solutions help you to monitor a heterogeneous network environment, analyze systems security and regulate user access to them. In addition to helping you to achieve and maintain compliance with data security standards such as PCI DSS, NetIQ solutions prove compliance with reports that clearly show properly provisioned user rights and strongly secured systems.

Built-In Compliance Guidance

NetIQ has embedded the intelligence of years of expertise in security and compliance solutions into pre-built templates that guide security teams toward achieving compliance. NetIQ Secure Configuration Manager detects misconfigured systems that leave a company vulnerable to attacks and non-compliance penalties. It assesses system configurations against best practices and performs out-of-the-box checks for compliance with specific standards such as PCI DSS. Its full user-entitlement reporting further ensures that only users who require access to specific systems have access.

NetIQ Secure Configuration Manager helps you to:
- Assess network and application configurations against PCI directives.
- Apply industry best practices for network and data security.
- Better manage access through identifying user entitlements.

Vulnerability Management

To comply with key components of PCI DSS, security teams must pinpoint, and then remediate, network or system vulnerabilities. NetIQ Secure Configuration Manager determines system vulnerabilities using credential-based and host-based processes. It checks for weaknesses listed in the National Vulnerability Database, continually updating its assessment tool with an automated security content service.

NetIQ Secure Configuration Manager helps you to:
- Assess system configurations against internal standards, regulatory requirements and best practices.
- See at a glance which risks are and are not managed.
- Close vulnerabilities before they lead to problems.

User Activity Monitoring

One of PCI DSS's overarching goals, restricting access to those who need to know, poses a particular challenge to industries like retail and service that typically have high employee turnover. Yet such access controls remain a vital component of compliance, not only to distinguish users from each other, but, more importantly, to defend against insider threats to information assets.

An industry-leading user activity monitoring solution, NetIQ Sentinel leverages identity management to tie users to specific actions across systems. NetIQ Sentinel monitors system changes and user activity in real time, detects threats and intrusions, manages and correlates security events, manages logs, and automates incident responses, all with a single, integrated and scalable infrastructure. With NetIQ Sentinel linking user identities to actions, compliance officers and auditors get the who, what, when and where of security events, allowing them to improve enterprise defenses without compromising user productivity.

NetIQ Sentinel helps you to:
- Enforce your security policies and best practices in real time while meeting PCI DSS's log-retention, review and reporting requirements.
- Gain visibility into the complete cardholder data environment using data correlated from multiple endpoints and applications.
- Leverage the improved visibility to improve security and reduce risks.
- Reduce risks of data breach and other losses by quickly responding to real-time alerts.

Additionally, NetIQ Change Guardian solutions offer rapid, real-time change detection for critical files, systems, directories or objects. This product family consists of application-specific software targeting Active Directory, Windows and Group Policy. The product line provides detailed, comprehensive alerts and reports on the activities of privileged users, on unauthorized changes and on other behavior that may represent an attack in progress. NetIQ Change Guardian integrates with NetIQ Sentinel or other vendors' security information and event management or ticketing software. This integration, coupled with NetIQ Change Guardian's on-demand reporting and 24/7 coverage, helps you to flag anomalies and seal leaks before attackers can extract data from them.

NetIQ Change Guardian helps you to:
- Monitor system configurations, files and applications for issues before harm ensues.
- Monitor user activity for suspicious or unauthorized behavior as it occurs.
- Immediately identify unmanaged changes and unauthorized access or activities anywhere in the enterprise.

Anomalous Behavior Tracking

The first tip-off of many attacks, including attacks thieves launch through payment processors, is an unusual or sudden change in network behavior. Retailers, for instance, may notice a high volume of activity during off-hours when transactions should cease. NetIQ Sentinel detects many threats out of the box without time-consuming configuration. Built-in anomaly detection automatically establishes baselines of normal activity and detects changes that can represent emerging threats.

NetIQ Sentinel helps you to:
- Detect and act on anomalies as quickly as possible.
- Strengthen your network at traditionally weak points, such as point-of-sale devices.
- Reduce the risk of succumbing to an attack.

Summary

Six years after the initial release of PCI DSS, and in the wake of the 2.0 update, less than 40 percent of businesses beholden to the standard have succeeded in meeting every requirement. The greatest roadblocks in the path to full compliance remain:
- Sufficiently monitoring user activity
- Managing vulnerabilities as they are discovered during assessments
- Establishing and enforcing sound security policies
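The User Activity Monitoring and Anomalous Behavior Tracking sections above describe two things a Requirement 10 monitoring pipeline has to do: tie each logged action to a user and a host (the who, what, when and where), and learn a baseline of normal activity so that off-hours transactions on a point-of-sale device stand out. The following Python example is added here to show the shape of that logic; it is not NetIQ code and does not use any Sentinel API. The log format (timestamp | host | user | action), the host and user names, and the sample events are all constructed for the example, and the three "baseline" days are far too few for a production baseline.

```python
"""Added example (not NetIQ/Sentinel code): correlate constructed POS access
log lines by user and flag off-hours activity against a learned hourly baseline."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines, not captured from any real system.
# Assumed format for this example: ISO timestamp | host | user | action
SAMPLE_LOG = """\
2016-04-04T09:15:02 | pos-01 | clerk.ana | card_txn
2016-04-04T11:40:27 | pos-01 | clerk.ana | card_txn
2016-04-04T14:05:19 | pos-02 | clerk.bo | card_txn
2016-04-04T17:22:48 | pos-02 | clerk.bo | card_txn
2016-04-05T09:48:10 | pos-01 | clerk.ana | card_txn
2016-04-05T12:31:55 | pos-02 | clerk.bo | card_txn
2016-04-05T14:12:03 | pos-02 | clerk.bo | card_txn
2016-04-05T18:01:44 | pos-01 | clerk.ana | card_txn
2016-04-06T10:20:31 | pos-01 | clerk.cy | card_txn
2016-04-06T13:37:09 | pos-02 | clerk.bo | card_txn
2016-04-06T15:55:12 | pos-02 | clerk.bo | card_txn
2016-04-06T16:42:00 | pos-01 | clerk.cy | card_txn
2016-04-07T03:10:41 | pos-02 | svc.backup | card_txn
2016-04-07T03:12:07 | pos-02 | svc.backup | card_txn
2016-04-07T03:15:58 | pos-02 | svc.backup | card_txn
2016-04-07T10:05:13 | pos-01 | clerk.ana | card_txn
"""

# Days treated as "known good" history from which the baseline is learned.
BASELINE_DAYS = {"2016-04-04", "2016-04-05", "2016-04-06"}


def parse_events(text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action = [field.strip() for field in line.split("|")]
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action})
    return events


def user_activity(events):
    """The 'who/what/when/where' view: every action grouped by user identity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["time"], e["host"], e["action"]))
    return dict(by_user)


def hourly_baseline(events, baseline_days):
    """For each hour of day, mean and population std-dev of the daily event
    count across the baseline days. Hours that never saw activity get (0, 0)."""
    per_day_hour = Counter()
    for e in events:
        day = e["time"].strftime("%Y-%m-%d")
        if day in baseline_days:
            per_day_hour[(day, e["time"].hour)] += 1
    baseline = {}
    for hour in range(24):
        counts = [per_day_hour[(day, hour)] for day in sorted(baseline_days)]
        baseline[hour] = (mean(counts), pstdev(counts))
    return baseline


def find_anomalies(events, baseline, baseline_days, k=3.0):
    """Flag (day, hour) buckets outside the baseline: any activity in an hour
    that was silent during the baseline period, or a count above mean + k*std."""
    buckets = defaultdict(list)
    for e in events:
        day = e["time"].strftime("%Y-%m-%d")
        if day in baseline_days:
            continue  # only score days that were not used to learn the baseline
        buckets[(day, e["time"].hour)].append(e)
    anomalies = []
    for (day, hour), evs in sorted(buckets.items()):
        mu, sigma = baseline[hour]
        if mu == 0 or len(evs) > mu + k * sigma:
            anomalies.append({"day": day, "hour": hour, "count": len(evs),
                              "users": sorted({e["user"] for e in evs}),
                              "hosts": sorted({e["host"] for e in evs})})
    return anomalies


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bl = hourly_baseline(evs, BASELINE_DAYS)
    for a in find_anomalies(evs, bl, BASELINE_DAYS):
        print(f"{a['day']} {a['hour']:02d}:00 {a['count']} events "
              f"by {a['users']} on {a['hosts']}")
```

On the constructed data the three 03:00 transactions on pos-02 by svc.backup are reported, with the user and host attached, while the single 10:00 transaction on the test day is not, because that hour has baseline activity and the count is within mean + 3 standard deviations. The `mu == 0` rule is deliberately strict so that a service account touching a point-of-sale terminal at night surfaces even as a single event; with a realistic baseline of weeks rather than days it should be replaced by a per-hour threshold with a floor.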

Surmounting these challenges requires more than a punch list of action items; it demands evolving processes for monitoring systems and users. Yet implementing these processes across heterogeneous systems has proven difficult for some organizations, which lack the IT resources to conduct proper assessments and then to take adequate steps toward remediation. Proven tools, such as those offered by NetIQ, give security teams the real-time information and automated processes that they need to achieve PCI DSS compliance painlessly. With more effective processes and a more productive IT staff, your company benefits from compliance as much as your customers do.

The NetIQ solutions guide your company quickly and cost-effectively to compliance; with them, you can:
- Use out-of-the-box templates, which distill years of NetIQ expertise in data security, to bring platforms and applications into compliance with best practices and specific regulations.
- Check systems for vulnerabilities in the National Vulnerability Database's most up-to-date list.
- Find and close vulnerabilities before attackers exploit them.
- Monitor and log user activity, linking security events to the people involved.
- Detect in real time and immediately respond to anomalous behavior that might indicate an attack.
- Strengthen an enterprise's security posture to meet PCI DSS 2.0 as well as other regulations involving data and network security.
- Prove compliance using automated logs and reports.

About NetIQ

NetIQ is a global, IT enterprise software company with a relentless focus on customer success. Customers and partners choose NetIQ to cost-effectively tackle information protection challenges and manage the complexity of dynamic, highly distributed business applications. Our portfolio includes scalable, automated solutions for Identity, Security and Governance, and IT Operations Management that help organizations securely deliver, measure, and manage computing services across physical, virtual, and cloud computing environments. These solutions and our practical, customer-focused approach to solving persistent IT challenges ensure organizations are able to reduce cost, complexity and risk. To learn more about our industry-acclaimed software solutions, visit:

Worldwide Headquarters: 515 Post Oak Blvd., Suite 1200, Houston, Texas 77027 USA. +1 713 548 1700, 888 323 6768, info@netiq.com, /communities/
For a complete list of our offices in North America, Europe, the Middle East, Africa, Asia-Pacific and Latin America, please visit: /contacts
562-001008-002 Q 04/16. 2016 NetIQ Corporation and its affiliates. All rights reserved. NetIQ, the NetIQ logo, Secure Configuration Manager, and Sentinel are trademarks or registered trademarks of NetIQ Corporation in the USA. All other company and product names may be trademarks of their respective companies.