Daxko's PCI DSS Responsibilities

According to PCI DSS requirement 12.9, Daxko will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data. All of Daxko's PCI DSS responsibilities have been reviewed as being PCI compliant by a certified third-party QSA (Qualified Security Assessor). The following is Daxko's PCI DSS responsibility for the Daxko Operations application.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Daxko engages a managed services partner named Hosting.com (Hosting) for the purpose of managing the hosting environment and equipment. As part of this agreement, Hosting provides exclusive management of the hosting environment's network infrastructure for Daxko Operations servers. The formal process for configuring the firewalls, load balancers, VPN concentrators, etc. utilized within the Hosting infrastructure is owned by the Daxko TechOps team. Daxko has verified this formal process regarding firewall configuration and leverages a combination of Daxko policies and procedures to meet the PCI DSS requirements.

It should be noted that Daxko also hosts infrastructure components at Amazon Web Services (AWS) that contain PCI data. The formal process for configuring the firewalls utilized within the Daxko AWS infrastructure is owned by the Daxko TechOps team. Daxko has verified this formal process regarding firewall configuration and leverages a combination of Daxko policies and procedures to meet the PCI DSS requirements.

A critical criterion in the evaluation of potential hosting partners such as Hosting and AWS was whether or not the particular vendor under consideration was PCI DSS compliant. Compliance of the hosting partner with the PCI DSS requirements means that Daxko is compliant with a subset of the PCI DSS requirements by virtue of the fact that we fully outsource those services to a PCI DSS compliant vendor.

In accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements, Daxko has established a formal policy and supporting procedures regarding Production Change Control. Change control has become a critical issue due in large part to regulatory compliance purposes and the need to fully document the change control process for accountability and for tracking changes. Hence, Daxko has developed and implemented a comprehensive Change Control program for the Daxko Operations application.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Daxko has reviewed and implemented industry-accepted configuration/hardening standards for Daxko Operations server components for the purposes of complying with the Payment Card Industry Data Security Standard (PCI DSS) initiatives. The list of industry-leading security standards, benchmarks and frameworks reviewed includes, but is not limited to, the following (Security Standards Council 2017):
o SysAdmin Audit Network Security (SANS): http://www.sans.org
o National Institute of Standards and Technology (NIST): http://www.nist.gov
o Center for Internet Security (CIS): http://www.cisecurity.org

Requirement 3: Protect stored cardholder data

Daxko will ensure that the displaying of the Primary Account Number (PAN) within Daxko Operations adheres to the following condition in order to comply with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017):
o Primary Account Numbers (PAN) displayed on screen will always be masked, with the first six and last four digits being the maximum number of digits to be displayed.

Daxko has encrypted cardholder data based on the requirements of the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017).

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Daxko employs secure file transmission techniques to ensure the successful and secure delivery of all files for the Daxko Operations application. In each case, a nightly job runs, generates the files for transmission and encrypts them. These files are either uploaded to our SFTP site or sent via a web service call. The method of transmission and the format of the files are pre-determined with the third-party vendor during contract negotiation.
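As an added illustration (not Daxko's code), a small Python helper that enforces the "first six and last four digits" display ceiling stated under Requirement 3, together with a check that a string already rendered for display does not exceed that ceiling; the accepted PAN lengths and the "*" mask character are my assumptions.

```python
import re
from typing import Optional

# PAN lengths accepted here: 13 to 19 digits (assumed range for this example, not from the page).
PAN_LENGTHS = range(13, 20)
MAX_LEAD, MAX_TRAIL = 6, 4  # PCI DSS display ceiling: first six / last four digits

def normalize_pan(pan: str) -> Optional[str]:
    """Strip spaces and dashes; return the digit string, or None if it is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if digits.isdigit() and len(digits) in PAN_LENGTHS:
        return digits
    return None

def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL) -> str:
    """Mask a PAN for on-screen display.

    Callers may ask for fewer visible digits (e.g. lead=0 to show only the last four),
    but never more than the 6 + 4 ceiling: larger requests are silently capped.
    """
    digits = normalize_pan(pan)
    if digits is None:
        raise ValueError("input is not a plausible PAN")
    lead = max(0, min(lead, MAX_LEAD))
    trail = max(0, min(trail, MAX_TRAIL))
    hidden = len(digits) - lead - trail  # >= 3 for any accepted length
    return digits[:lead] + "*" * hidden + digits[len(digits) - trail:]

def masked_display_ok(rendered: str) -> bool:
    """True if a rendered PAN shows at most 6 leading and 4 trailing digits with a masked run between.

    Useful as a last-line check on UI output or log lines: a fully exposed PAN, or a display
    that reveals a seventh leading digit, fails this check.
    """
    s = re.sub(r"[ -]", "", rendered)
    return re.fullmatch(r"\d{0,6}\D+\d{0,4}", s) is not None
```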
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Daxko has established a formal policy and supporting procedures regarding Anti-Virus software and updates for Daxko Operations servers. Daxko will ensure that the Anti-Virus policy adheres to the conditions that comply with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017).

Requirement 6: Develop and maintain secure systems and applications

Daxko has established a formal policy and supporting procedures regarding security patch management for Daxko Operations servers. As such, all patches and security updates are to be pushed out in a formalized and secure manner, with all critical patches installed within one (1) month of release from a vendor or other approved third party.

Requirement 7: Restrict access to cardholder data by business need to know

Daxko will ensure that the data control and access control of its team members for Daxko Operations servers adhere to the following conditions for purposes of complying with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017):
o Access rights for privileged users are restricted to the fewest privileges necessary to perform job responsibilities
o Privileges are assigned to individuals based on job classification and function, such as Role-Based Access Control (RBAC)
o An authorization form is required for all access, which must specify required privileges, and must be approved by appropriate management
o Access controls are implemented via an automated access control system
o Access control systems are in place on all system components
o Access control systems are configured to enforce privileges assigned to individuals based on job classification and function
o Access control systems have a "deny all" default setting
o User access to, user queries of, and user actions on databases within the cardholder environment are through programmatic methods only
o Direct access or queries to databases are restricted to database administrators
o Application IDs for databases within the cardholder environment can only be used by applications, and not by individual users and other processes

Requirement 8: Identify and authenticate access to system components

Daxko will ensure that the Unique ID and Authentication Methods policy adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017) for all team members that have access to Daxko Operations servers:
o All users are assigned a unique ID for access to system components or cardholder data.
o All users are assigned a unique password for access to system components or cardholder data.
o Multi-factor authentication is incorporated for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties.
o All passwords are rendered unreadable during transmission and storage on all system components.

Requirement 9: Restrict physical access to cardholder data

It should be noted that Daxko outsources product hosting to a managed service provider called Hosting and to Amazon Web Services (AWS). A critical criterion in the evaluation of potential hosting partners was whether or not the particular vendor under consideration was PCI DSS compliant. Compliance of the hosting partner with the PCI DSS requirements means that Daxko is compliant with a subset of the PCI DSS requirements by virtue of the fact that we fully outsource those services to a PCI DSS compliant vendor.

Requirement 10: Track and monitor all access to network resources and cardholder data

Daxko will ensure that systems auditing for the Daxko Operations application adheres to the following conditions for purposes of complying with the Payment Card Industry Data Security Standard (PCI DSS) initiatives (Security Standards Council 2017):
o Procedures are in place to ensure all Daxko Operations system components in the cardholder environment are audited for access, with the audit event tied to the individual user accessing the system.
o Audit trails are implemented for all system components to capture the following events:
  o Individual accesses to cardholder data
  o All actions taken by any individual with root or administrative privileges
  o Access to all audit logs
  o Invalid logical access attempts
  o Use of identification and authentication mechanisms
  o Initialization of the audit logs
  o Creation and deletion of system-level objects

Requirement 11: Regularly test security systems and processes

Daxko has partnered with Alert Logic for intrusion-detection services to detect and/or prevent intrusions into the Daxko Operations network. Alert Logic monitors all traffic at the perimeter of the cardholder data environment as well as at critical points within the cardholder data environment, and alerts Daxko personnel to suspected compromises. Daxko deploys a file-integrity monitoring tool to alert personnel to unauthorized modification of critical Daxko Operations files, configuration files, or content files. The file-integrity monitoring system is configured to perform critical file comparisons on a weekly basis. Daxko executes internal and external network vulnerability scans quarterly for Daxko Operations servers. Daxko, through a third-party Qualified Security Assessor, performs external, internal and application penetration testing of Daxko Operations at least once a year.

Requirement 12: Maintain a policy that addresses information security for all personnel

Daxko takes security very seriously and as a result publishes various information security policies on our internal web site for all team members to access and review. In addition, new team members at Daxko are required to take a PCI Compliance and Essentials course. Each year all Daxko team members must complete a security awareness refresher course. The Daxko Incident Response Team also undergoes annual security breach training.