PCI DSS

PCI DSS compliance

PCI DSS Compliance solutions

Applies to merchants and processors of Visa or MasterCard transactions.
The new version was released on 28th April 2016. There is a six-month overlap between versions 3.1 and 3.2 during which either can be used. Unless you already have a version 3.1 assessment in progress, it is best to switch to version 3.2 straight away. Version 3.2 is due to become fully operational in October 2016.

A new extended grace period, from June 2016 to June 2018, for removing old SSL / TLS from systems (after serious vulnerabilities uncovered in the last couple of years, such as Heartbleed and POODLE).

Securenet Consulting provides solutions to make PCI work for you.


> Compliance for cardholder data

> Identify and track people and systems with shared responsibility for PCI compliance, on and off your network (on-premise and cloud systems).

> PCI version 3.x is an evolution to cover data in the cloud

> Avoid PCI Non-Compliance
Many companies are still struggling to demonstrate compliance, with the cost of meeting PCI requirements spiralling out of control. Despite the pressure of fines, organisations continue to struggle with PCI DSS compliance, and worse still, some organisations that have achieved PCI DSS compliance are still suffering costly and embarrassing data losses and breaches.

> End-to-End security Across ALL Transaction Networks  
(POS, private and public / internet)

> Secure Distributed Enterprise Networks for PCI DSS


> Solutions address PCI compliance, security and performance in the datacenter




PCI Requirements in summary


Objectives and their requirements:

Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  • Use and regularly update anti-virus software on all systems commonly affected by malware
  • Develop and maintain secure systems and applications


Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an information security policy


  • Maintain a policy that addresses information security


Overview of Changes in PCI 3.2

New points to note:



> Segmentation
- Segment cardholder data and penetration test the segmentation.
> Third Parties / Service Providers
- Must validate PCI compliance, or
- Must participate in the PCI compliance audit

> Patch and Vulnerability Management
- Critical security patches to be applied within one month of release

> Change Control
- Re-assess and document changes, check configurations and update documentation such as network diagrams.

> Multi-Factor Authentication
- No longer ‘two-factor’ but ‘multi-factor’ authentication.
- Users must authenticate with at least two of the three factor types: something they know, something they have, something they are.
> Security Event Reporting
- Report critical security control failures as soon as they occur, to allow action to be taken as soon as possible before an attacker has an opportunity to steal data.





Solutions & Features



> DOS and DDoS Attack Mitigation

> Intrusion Prevention / Intrusion Detection (IPS/IDS)
 

> Integrated Solutions

Solution platforms with integrated security layers (email anti-malware, anti-spam and email encryption) and features such as built-in templates for PCI.

> Application security
 

> Website Delivery

> Authentication Verification and Web Application Firewall (WAF)



> Data Encryption

  • Centralised data encryption
  • Email encryption
  • Full disk encryption
  • Protection of PCs and removable media
  


> Virtual Server Security Policy and Compliance Real-time Monitoring


  • Server security policies
  • Monitor suspicious activity in real time
  • Limit administrative control


  • Restrict network communications and prevent file and configuration tampering in the virtual infrastructure
  • Stop unauthorised services from running on servers and protect against zero-day attacks




> PCI compliant e-Commerce Network

Our global network also offers built-in web security features that enable our ecommerce customers to more easily check off the items on their PCI compliance checklist.


> Data Loss Prevention
  • Identify and remediate potential data loss in virtual environments
  • Separate virtual machines that contain sensitive information from those that do not
  • Data Loss Prevention for network, endpoint, mobile and storage

> Scan for payment card data, and wipe any data retained in unauthorised locations


> Privileged Identities

Detect and secure privileged identities that hold elevated permissions to access electronic payment records, install and run programs, and change configuration settings on servers, workstations, applications and network appliances.


> Wireless Network Security

The wireless network is subject to the same constraints as the fixed network.

Scanning for rogue access points: PCI DSS requires you to verify periodically that wireless networking has not been introduced into the cardholder data environment (CDE).

If you use wireless networking, a wireless network is within PCI DSS scope only if it can connect to the CDE. Wireless security features:

  • Detection of rogue APs
  • Support for and logging of wireless IDS/IPS
  • Support for WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption


> Firewall Segmentation

Provides tight control over the traffic that can pass between the following network interfaces:

  • Internet
  • CDE wired LAN
  • CDE wireless LAN
  • Other internal networks
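To make the segmentation idea concrete, here is an added Python example (not Securenet Consulting's product) that evaluates flows between the four interfaces above under a default-deny policy: each address is mapped to a zone, an explicit allow list is consulted, and anything unmatched is dropped. The address plan, the three allow rules and the sample flows are assumptions chosen for the illustration, not a recommended policy; 203.0.113.0/24 is the documentation range standing in for the internet.

```python
import ipaddress
from collections import namedtuple

# Assumed address plan for the zones (illustrative only).
ZONES = {
    "cde_wired": ipaddress.ip_network("10.10.0.0/24"),
    "cde_wireless": ipaddress.ip_network("10.20.0.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Rule = namedtuple("Rule", "src_zone dst_zone proto port reason")
Flow = namedtuple("Flow", "src dst proto port")
Decision = namedtuple("Decision", "action src_zone dst_zone reason")

# Explicit allow list; anything not matched is dropped (default deny).
# These rules are assumptions for the example, not a recommended policy.
RULES = [
    Rule("cde_wired", "internet", "tcp", 443, "POS servers to payment processor over TLS"),
    Rule("cde_wireless", "cde_wired", "tcp", 8443, "handheld terminals to store POS server"),
    Rule("internal", "cde_wired", "tcp", 22, "administrative SSH from the jump host"),
]


def zone_of(ip: str) -> str:
    """Map an address to a zone; private space outside the plan is 'unknown' and never trusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in RFC1918):
        return "unknown"
    return "internet"


def evaluate(flow: Flow) -> Decision:
    """Default-deny evaluation of one flow against the zone rules."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.port) == (src_zone, dst_zone, flow.proto, flow.port):
            return Decision("allow", src_zone, dst_zone, rule.reason)
    return Decision("deny", src_zone, dst_zone, "no rule permits this traffic")


# Constructed flows exercising each direction between the zones.
SAMPLE_FLOWS = [
    Flow("10.10.0.15", "203.0.113.10", "tcp", 443),   # POS -> processor: allowed
    Flow("203.0.113.10", "10.10.0.15", "tcp", 443),   # inbound from internet to CDE: denied
    Flow("10.0.3.7", "10.10.0.15", "tcp", 3389),      # RDP from office LAN to CDE: denied
    Flow("10.0.3.7", "10.10.0.15", "tcp", 22),        # admin SSH: allowed
    Flow("192.168.1.5", "10.10.0.15", "tcp", 22),     # unplanned private source: denied
    Flow("10.20.0.8", "10.10.0.15", "tcp", 8443),     # handheld -> POS server: allowed
    Flow("10.10.0.15", "10.0.3.7", "tcp", 445),       # CDE to office LAN: denied
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        d = evaluate(flow)
        print(f"{d.action:5} {flow.src}->{flow.dst}:{flow.port} ({d.src_zone}->{d.dst_zone}): {d.reason}")
```

The point of the "unknown" zone is that an address which is private but not in the address plan (a forgotten test network, a rogue device) gets no path into the CDE by default; every allowed path is a named rule with a recorded reason, which is what a segmentation penetration test and the network diagram both need to reference.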



> WAF (Web Application Firewall)
  • Can terminate encryption on one or both sides of the network, decrypting and inspecting traffic internally before re-encrypting it.
  • Specific items of data, e.g. cookies or passwords, can be selectively encrypted.
  • Transparently encrypt and authenticate all client-side cookies used by an application.


> Reporting

Generate reports for assets that store credit card or other sensitive financial information.


> Level 1 service providers

Security Audit approach.


> Professional Services

SecureNet Consulting for all your PCI requirements

  • PCI workshops
  • PCI Scoping
  • Assistance with Self Assessment questionnaires
  • Partners with accredited PCI ASV & QSAs. 
  • Gap Analysis
  • ASV Scanning
  • PCI-DSS Audits  
  • Phased deployment and testing approach

Successfully migrating security solutions can be complex, and ensuring uptime during a migration is critical. We understand this, and provide a framework for testing and deployment.


PCI DSS requirements and what the compliance report includes

PCI DSS requirement 5.1: Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers)

Report includes:
  • Computer name
  • Domain/workgroup
  • IP address
  • Operating system
  • Sophos version
  • Last update time
  • Last full-system scan completed
  • Last communication time
  • Endpoint policy compliance status: anti-virus, firewall, update, application control, data loss prevention, device control

PCI DSS requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs

PCI DSS requirement 6.2: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release

PCI DSS requirement 10.3: Record at least the following audit trail entries for all system components for each event:
  • 10.3.1 User identification
  • 10.3.2 Type of event
  • 10.3.3 Date and time
  • 10.3.4 Success or failure indication
  • 10.3.5 Origination of event
  • 10.3.6 Identity or name of affected data, system component, or resource

Report includes:
  • Computer name
  • Domain/workgroup
  • IP address
  • Operating system
  • Event date and time
  • Threat name
  • Threat type
  • Action taken
  • Username associated with threat
  • Last logged on user
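The six entries under requirement 10.3 are easy to state and easy to lose when a logging pipeline is changed, so here is an added Python example (not Securenet Consulting's or Sophos' code) that checks newline-delimited JSON audit records for all six, flags outcomes that are not a plain success/failure indication, and rejects timestamps without a timezone offset, which cannot be correlated across systems. The JSON field names and the sample records are this example's own assumptions.

```python
import json
from datetime import datetime

# PCI DSS 10.3.1 to 10.3.6 mapped to the field names this example assumes.
REQUIRED_FIELDS = {
    "user": "10.3.1 user identification",
    "event_type": "10.3.2 type of event",
    "timestamp": "10.3.3 date and time",
    "outcome": "10.3.4 success or failure indication",
    "origin": "10.3.5 origination of event",
    "target": "10.3.6 identity or name of affected data, system component, or resource",
}
VALID_OUTCOMES = {"success", "failure"}


def check_record(record: dict) -> list[str]:
    """Return the 10.3 deficiencies of one record; an empty list means it is complete."""
    problems = []
    for field, requirement in REQUIRED_FIELDS.items():
        if record.get(field) in (None, ""):
            problems.append(f"missing {field} ({requirement})")
    outcome = record.get("outcome")
    if outcome and outcome not in VALID_OUTCOMES:
        problems.append(f"outcome {outcome!r} is not 'success' or 'failure' (10.3.4)")
    ts = record.get("timestamp")
    if ts:
        try:
            if datetime.fromisoformat(ts).tzinfo is None:
                problems.append("timestamp has no timezone offset (10.3.3)")
        except ValueError:
            problems.append("timestamp is not ISO 8601 (10.3.3)")
    return problems


def audit_log(lines) -> dict[int, list[str]]:
    """Check newline-delimited JSON records; map line number -> problems for bad lines only."""
    report = {}
    for line_no, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report[line_no] = ["unparseable record"]
            continue
        if not isinstance(record, dict):
            report[line_no] = ["record is not a JSON object"]
            continue
        problems = check_record(record)
        if problems:
            report[line_no] = problems
    return report


# Constructed sample log (not real events): a complete record, one missing two
# required entries, one with a naive timestamp and a non-standard outcome,
# and one line that is not JSON at all.
SAMPLE_LOG = """\
{"user": "alice", "event_type": "admin_login", "timestamp": "2016-04-28T09:15:00+00:00", "outcome": "success", "origin": "10.0.5.23", "target": "pos-db01"}
{"event_type": "file_access", "timestamp": "2016-04-28T09:16:30+00:00", "outcome": "failure", "target": "/var/cde/cards.db"}
{"user": "svc_backup", "event_type": "config_change", "timestamp": "2016-04-28 09:17:00", "outcome": "ok", "origin": "10.0.5.40", "target": "fw-edge01"}
not a json record
"""

if __name__ == "__main__":
    for line_no, problems in audit_log(SAMPLE_LOG.splitlines()).items():
        print(f"line {line_no}: " + "; ".join(problems))
```

Running a check like this over a sample of each log source is a cheap way to show an assessor that every component in scope actually produces the 10.3 entries, rather than asserting it from the logging product's feature list.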


> On-demand, web-based service
Payment Card Industry (PCI) Security Standards Council (SSC) certified Approved Scanning Vendor (ASV) authorised to provide PCI scanning and compliance reporting as specified by PCI Data Security Standards (DSS).




Specific PCI DSS Requirement Solutions


> Requirement 1: Install and maintain a firewall configuration to protect cardholder data

> Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

> Requirement 3: Protect Stored Cardholder Data

> Requirement 4: Encrypt transmission of cardholder data across open, public networks

> Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

> Requirement 6: Maintain & Secure Applications & Systems

> Requirement 7: Restrict access to cardholder data by business need to know

> Requirement 8: Assign a unique ID to each person with computer access

> Requirement 9: Restrict physical access to cardholder data

> Requirement 10: Track and Monitor all access to network resources and cardholder data

> Requirement 11: Regularly test security systems and processes

> Requirement 12: Maintain a policy that addresses information security for all personnel








Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk