PCI DSS Compliance solutions
PCI DSS applies to every organisation that stores, processes or transmits cardholder data for the major card brands (Visa, MasterCard, American Express, Discover and JCB), merchants and service providers alike. Version 3.2 was released on 28 April 2016. Version 3.1 remains valid until 31 October 2016, so for six months either version may be used; unless you already have a 3.1 assessment in progress, it is best to switch to 3.2 straight away. The requirements that are new in 3.2 are best practice until 31 January 2018 and mandatory from 1 February 2018.
The deadline for removing SSL and early TLS (SSL 3.0 and TLS 1.0) from systems has been extended from 30 June 2016 to 30 June 2018, following the protocol weakness exploited by POODLE (SSL 3.0) and implementation flaws such as Heartbleed (an OpenSSL bug rather than a protocol defect). In the meantime existing implementations must have a risk-mitigation and migration plan in place, and new implementations must not use SSL or early TLS at all.
Securenet Consulting provide solutions to make PCI work for you
> Compliance for cardholder data
> Identify and track people and systems with shared responsibility for PCI compliance, on and off of your network (on-premise and cloud systems).
> PCI DSS 3.x extends its scoping guidance to cardholder data that is stored or processed in cloud environments
> Avoid PCI Non-Compliance
Many companies still struggle to demonstrate compliance, with the cost of meeting PCI requirements spiralling out of control. Despite the pressure of fines, organisations continue to struggle with PCI DSS compliance, and worse still, some organisations that have achieved PCI DSS compliance still suffer costly and embarrassing data breaches: a passed assessment is a point-in-time result, not proof that the controls are still operating.
> End-to-End security across ALL transaction networks (POS, private and public / internet)
> Secure Distributed Enterprise Networks for PCI DSS
> Solutions address PCI compliance, security and performance in the datacenter
PCI Requirements in summary
Objectives | Requirements
Build and maintain a secure network | 1. Install and maintain a firewall configuration; 2. Do not use vendor-supplied defaults
Protect cardholder data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program | 5. Protect all systems against malware; 6. Develop and maintain secure systems and applications
Implement strong access control measures | 7. Restrict access by business need to know; 8. Identify and authenticate access to system components; 9. Restrict physical access to cardholder data
Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
Maintain an information security policy | 12. Maintain a policy that addresses information security for all personnel
Overview of Changes in PCI 3.2
New points to note (the new requirements are best practice until 31 January 2018 and mandatory from 1 February 2018):
> Segmentation - Segment cardholder data from the rest of the network and penetration test the segmentation controls to prove they hold; service providers must do so at least every six months and after any change to those controls (Requirement 11.3.4.1).
> Third Parties / Service Providers - Must validate their own PCI DSS compliance or participate in your PCI DSS assessment, with written acknowledgement of their responsibility for the cardholder data they handle (Requirement 12.8).
> Patch and Vulnerability Management - Critical security patches must be applied within one month of release (Requirement 6.2).
> Change Control - After a significant change, re-assess the affected systems against the relevant requirements, check configurations, and update documentation such as network and cardholder-data-flow diagrams (Requirement 6.4.6).
> Multi-Factor Authentication - The term is now "multi-factor" rather than "two-factor", and it applies to all non-console administrative access to the cardholder data environment, not only to remote access (Requirement 8.3). Users must authenticate with at least two of: something they know, something they have and something they are.
> Security Event Reporting - Service providers must detect and report failures of critical security controls (firewalls, IDS/IPS, file integrity monitoring, anti-virus, audit logging and so on) as soon as they occur, so that action can be taken before an attacker has the opportunity to steal data (Requirement 10.8).
Solutions & Features
> DOS and DDoS Attack Mitigation
> Intrusion Prevention / Intrusion Detection (IPS/IDS)
> Integrated Solutions - platforms with integrated security layers (email anti-malware, anti-spam and email encryption) and features such as built-in templates for PCI reporting
> Application security
> Web site Delivery - authentication verification and Web Application Firewall (WAF)
> Data Encryption
> Virtual Server Security Policy and Compliance Real-time Monitoring
> PCI compliant e-Commerce Network
Our global delivery network also offers built-in web security features that help ecommerce customers tick off items on their PCI compliance checklist.
> Data Loss Prevention
- Identify and remediate potential data loss in virtual environments
- Separate virtual machines that contain sensitive information from those that do not
- Data Loss Prevention for Network, Endpoint, Mobile and Storage
> Scan file systems, databases and logs for stored payment card data (PANs), and securely delete any found outside authorised locations. Requirement 3 limits storage to what the business needs, requires any stored PAN to be rendered unreadable, and forbids storing sensitive authentication data after authorisation, so a PAN sitting in a log file or an export is a finding whether or not it was meant to be there.
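As an added example of what such a scan does (illustrative code written for this page, not SecureNet Consulting's scanning product): it finds digit runs that could be a PAN, drops anything that fails the Luhn check or carries no recognised issuer prefix, and reports matches masked to the first six and last four digits so that the report itself does not become a new store of cardholder data. The log lines and the issuer-prefix table are constructed for the example; the card numbers are published test numbers, not real accounts.

```python
# Added example: a PAN discovery pass over text (logs, exports, file shares).
# Illustrative code, not SecureNet Consulting's scanning product.
# Candidates are validated with the Luhn check and an issuer prefix so that
# order numbers, timestamps and phone numbers are not reported, and matches
# are masked to first-six/last-four as PCI DSS Requirement 3.3 permits.
import re
from typing import List, NamedTuple, Optional

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a 20-digit reference number is not a PAN).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix ranges assumed for the example: Visa, MasterCard (incl. 2-series), Amex.
BRANDS = (
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),
    ("MasterCard", re.compile(r"^(?:5[1-5]\d{14}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
)


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str) -> Optional[str]:
    for name, pattern in BRANDS:
        if pattern.match(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep at most the first six and last four digits (Requirement 3.3)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return masked findings for every Luhn-valid, brand-matching PAN."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_ok(digits):
                continue          # order id, timestamp, phone number...
            brand = classify(digits)
            if brand is None:
                continue          # Luhn-valid but not a card prefix we track
            findings.append(Finding(line_no, brand, mask(digits)))
    return findings


# Constructed sample: a payment-application log that should never have held PANs.
SAMPLE_LOG = """\
2016-05-03 09:14 order=100012 pan=4111 1111 1111 1111 exp=0919 status=approved
2016-05-03 09:15 order=100013 ref=4111111111111112 note=typo, fails Luhn
2016-05-03 09:16 phone=+44 7714 209927 ticket=378282246310005
2016-05-03 09:17 order=100014 pan=5555-5555-5555-4444 amount=19.99
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.brand} {f.masked}")
```

Run against the sample it reports lines 1, 3 and 4 only; the mistyped number on line 2 fails Luhn and the phone number is too short. The finding is the trigger for remediation: confirm the location is not an authorised store, then securely delete or truncate the data and fix the application that wrote it.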
> Privileged Identities
Detect and secure privileged identities that hold elevated permissions to access electronic payment records, install and run programs, and change configuration settings on servers, workstations, applications and network appliances.
> Wireless Network Security
The wireless network is subject to the same requirements as the fixed network.
A wireless network is in PCI DSS scope if it is connected to the CDE or can reach it; any wireless network that is not must be separated from the CDE by a perimeter firewall (Requirement 1.2.3). Requirement 11.1 also requires you to test at least quarterly for the presence of wireless access points, so that wireless networking introduced into the CDE without authorisation (a rogue AP) is detected.
- Detection of rogue APs
- Support and logging of wireless IDS/IPS
- WPA2 Enterprise mode with 802.1X authentication and AES (CCMP) encryption; WEP is prohibited by PCI DSS and WPA/TKIP should not be relied on (Requirement 4.1.1).
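An added example of the rogue-AP reconciliation step, written for this page rather than taken from SecureNet Consulting's wireless IDS: it keys on BSSID (the radio MAC) because an SSID is trivially cloned, separates an evil twin of a corporate SSID from an unknown AP, flags configuration drift on a known radio, and lists inventoried radios the sweep did not see. The inventory and the sweep results are constructed.

```python
# Added example: reconcile a wireless sweep against the authorised access-point
# inventory, the check PCI DSS Requirement 11.1 asks for at least quarterly.
# Illustrative code, not SecureNet Consulting's WIDS; inventory and sweep
# results are constructed.
from typing import Dict, List, NamedTuple, Tuple


class AccessPoint(NamedTuple):
    ssid: str
    bssid: str        # radio MAC: the stable identifier, SSIDs are trivially spoofed
    channel: int
    security: str     # "WPA2-Enterprise", "WPA2-PSK", "WEP" or "OPEN"


# Authorised inventory keyed by BSSID (constructed).
AUTHORISED: Dict[str, AccessPoint] = {
    "00:11:22:33:44:01": AccessPoint("CORP-POS", "00:11:22:33:44:01", 36, "WPA2-Enterprise"),
    "00:11:22:33:44:02": AccessPoint("CORP-POS", "00:11:22:33:44:02", 44, "WPA2-Enterprise"),
    "00:11:22:33:44:03": AccessPoint("CORP-POS", "00:11:22:33:44:03", 149, "WPA2-Enterprise"),
}

# What the sweep saw (constructed).
OBSERVED: List[AccessPoint] = [
    AccessPoint("CORP-POS", "00:11:22:33:44:01", 36, "WPA2-Enterprise"),   # as inventoried
    AccessPoint("CORP-POS", "00:11:22:33:44:02", 44, "WPA2-PSK"),          # someone changed the config
    AccessPoint("CORP-POS", "DE:AD:BE:EF:00:01", 6, "OPEN"),               # our SSID on an unknown radio
    AccessPoint("Cafe-Guest", "66:77:88:99:AA:BB", 11, "WPA2-PSK"),        # probably the neighbour
    AccessPoint("TILL-LINK", "AA:BB:CC:DD:EE:FF", 1, "WEP"),               # WEP, never permitted
]

WEAK = {"WEP", "OPEN"}


def reconcile(observed: List[AccessPoint],
              authorised: Dict[str, AccessPoint]) -> List[Tuple[str, str, str]]:
    """Return (finding, bssid, detail) triples; an empty list means the sweep matched the inventory."""
    inventory = {k.lower(): v for k, v in authorised.items()}
    our_ssids = {ap.ssid for ap in inventory.values()}
    findings = []
    seen = set()
    for ap in observed:
        bssid = ap.bssid.lower()
        seen.add(bssid)
        known = inventory.get(bssid)
        if known is None:
            if ap.ssid in our_ssids:
                # Evil twin: clients may auto-join and hand over credentials or card data.
                findings.append(("EVIL_TWIN", bssid, f"ssid={ap.ssid} security={ap.security}"))
            else:
                # RF alone cannot tell a neighbour from a rogue; trace it on the wired side.
                kind = "UNKNOWN_AP_WEAK_CRYPTO" if ap.security in WEAK else "UNKNOWN_AP"
                findings.append((kind, bssid, f"ssid={ap.ssid} ch={ap.channel} security={ap.security}"))
        elif ap.security != known.security:
            findings.append(("CONFIG_DRIFT", bssid, f"expected {known.security}, observed {ap.security}"))
    for bssid in inventory:
        if bssid not in seen:
            findings.append(("NOT_SEEN", bssid, "inventoried AP absent from sweep; confirm it is down, not moved"))
    return findings


if __name__ == "__main__":
    for kind, bssid, detail in reconcile(OBSERVED, AUTHORISED):
        print(f"{kind:24} {bssid}  {detail}")
```

Every UNKNOWN_AP finding needs a wired-side check (switch MAC tables, DHCP leases) to decide whether the radio is plugged into your network or merely audible from next door; only the former is a rogue in PCI DSS terms, but the evil twin is a problem regardless of where it is plugged in.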
> Firewall Segmentation
Provides tight control over the traffic that can pass between network interfaces, so that the CDE is isolated from the rest of the network and the segmentation can be shown to hold when it is penetration tested.
> WAF (Web Application Firewall)
- Terminates TLS on the client side and can re-encrypt to the back end, so traffic is encrypted on one or both sides of the WAF while it is decrypted and inspected in between.
- Specific items of data, e.g. cookies or passwords, can be selectively encrypted.
- Transparently encrypts and authenticates all client-side cookies used by an application, so a cookie that has been tampered with is rejected before it reaches the application.
> Reporting
Generate reports for assets that store credit card or other sensitive financial information.
> Level 1 service providers
Security audit approach.
> Professional Services
SecureNet Consulting for all your PCI requirements
- Phased deployment and testing approach
PCI DSS requirement | Report includes
5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) | Computer name; domain/workgroup; IP address; operating system; Sophos version; last update time; last full-system scan completed; last communication time; endpoint policy compliance status (anti-virus, firewall, update, application control, data loss prevention, device control)
5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs |
6.2: Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release |
10.3: Record at least the following audit trail entries for all system components for each event: 10.3.1 user identification; 10.3.2 type of event; 10.3.3 date and time; 10.3.4 success or failure indication; 10.3.5 origination of event; 10.3.6 identity or name of affected data, system component, or resource | Computer name; domain/workgroup; IP address; operating system; event date and time; threat name; threat type; action taken; username associated with threat; last logged-on user
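Added example, separate from the reporting product above: a checker that parses key=value audit events (a format assumed for the example; the sample lines are constructed) and lists which of the six 10.3 entries each event fails to carry. It also treats a timestamp without a timezone as a 10.3.3 failure, since such a time cannot be correlated across systems, which is the point of the clock synchronisation Requirement 10.4 demands.

```python
# Added example: check that each audit-trail event carries the six entries
# PCI DSS Requirement 10.3 lists. Illustrative code, not the reporting
# product above; the key=value event format and sample lines are constructed.
import re
from datetime import datetime
from typing import Dict, List, Tuple

# 10.3 sub-requirement -> field name in the (assumed) event format
REQUIRED_FIELDS = (
    ("10.3.1 user identification", "user"),
    ("10.3.2 type of event", "event"),
    ("10.3.3 date and time", "ts"),
    ("10.3.4 success or failure indication", "result"),
    ("10.3.5 origination of event", "src"),
    ("10.3.6 identity or name of affected data, system component or resource", "target"),
)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def timestamp_ok(ts: str) -> bool:
    """10.3.3 is only useful if the time is unambiguous: ISO 8601 with a UTC offset."""
    try:
        return datetime.fromisoformat(ts.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the 10.3 entries this event does not satisfy."""
    gaps = []
    for requirement, field in REQUIRED_FIELDS:
        value = event.get(field, "")
        if not value or value == "-":      # "-" is the syslog convention for "no value"
            gaps.append(requirement)
        elif field == "ts" and not timestamp_ok(value):
            gaps.append(requirement + " (timestamp lacks timezone or is unparseable)")
    return gaps


def audit(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, unmet 10.3 entries) for every deficient event."""
    deficient = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        gaps = check_event(parse_event(line))
        if gaps:
            deficient.append((line_no, gaps))
    return deficient


# Constructed sample, one event per line.
SAMPLE_EVENTS = """\
ts=2016-05-03T09:14:07Z user=jsmith event=login result=success src=10.20.30.40 target=pos-db01
ts=2016-05-03T09:15:22Z user=jsmith event=read_pan result=success src=10.20.30.40
ts="2016-05-03 09:16:01" user=- event=sudo result=failure src=10.20.30.41 target=pos-db01
event=config_change result=success src=console target=fw-edge-1
"""

if __name__ == "__main__":
    for line_no, gaps in audit(SAMPLE_EVENTS):
        print(f"line {line_no}: " + "; ".join(gaps))
```

Only the first sample event passes. Line 2 names no affected resource, line 3 has no user and a local-time stamp, and line 4 has neither user nor time: each is an event that a log review (Requirement 10.6) could not act on, which is why the check belongs in the log pipeline rather than in the annual assessment.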
On-demand, web-based service
A Payment Card Industry (PCI) Security Standards Council (SSC) certified Approved Scanning Vendor (ASV), authorised to provide the quarterly external vulnerability scans and compliance reporting that PCI DSS requires (Requirement 11.2.2).
Specific PCI DSS Requirement Solutions
> Requirement 1: Install and maintain a firewall configuration to protect cardholder data
> Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
> Requirement 3: Protect Stored Cardholder Data
> Requirement 4: Encrypt transmission of cardholder data across open, public networks
> Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
> Requirement 6: Develop and maintain secure systems and applications
> Requirement 7: Restrict access to cardholder data by business need to know
> Requirement 8: Identify and authenticate access to system components
> Requirement 9: Restrict physical access to cardholder data
> Requirement 10: Track and Monitor all access to network resources and cardholder data
> Requirement 11: Regularly test security systems and processes
> Requirement 12: Maintain a policy that addresses information security for all personnel
Contact us today to discuss your requirements in more detail.
P: +44(0)7714 209927
S: +44(0)1273 329753
info@securenetconsulting.co.uk