
PCI: How to Safeguard Your Customer's Data Against Threats

White Paper Published By: netForensics

As incidents of identity theft and fraud skyrocket, companies are scrambling to keep up with complex attacks and effectively safeguard consumer information. If you store, process, or transmit cardholder data, comprehensive visibility, actionable intelligence and the ability to respond rapidly to threats have become paramount.

Tags: pci, pci dss, pci compliance, customer data, data protection, credit card, cardholder, identity theft

Publisher: netForensics
Published: Jan 04, 2008
Type: White Paper
Length: 7 pages

www.netforensics.com
NETFORENSICS WHITE PAPER
PCI: How to Safeguard Customer Data Against Real Threats

Contents
Executive Summary
Introduction: An Update on the PCI Standard
Protecting Cardholder Information
Security Information Management: The Foundation of Effective Security
The netForensics Solution: Aligning with PCI Requirements
Conclusion
About netForensics
Appendix A: Additional Resources

Executive Summary

Incidents of ID theft and payment card fraud have skyrocketed in the last two years. Organizations that process card transactions and/or store payment information are scrambling to keep up with these attacks and effectively safeguard consumer information. To assist in that effort, the card associations updated the Payment Card Industry (PCI) Data Security Standard in 2006. VISA, MasterCard, Novus and American Express collaborated in developing the PCI DSS to ensure a consistent approach to protecting consumers' sensitive data. By adhering to this security standard, retailers, service providers and allied organizations can dramatically reduce the vulnerabilities that are easily exploited for the purpose of compromising corporate data.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures associated with payment card account data. It is intended to help organizations proactively protect account data. All merchants doing business with VISA, MasterCard, Novus, American Express and other association members, regardless of the annual transaction volume, are required to follow the standard, or face substantial fines levied by the card associations.

However, adhering to the standard is often easier said than done. PCI contains a fairly comprehensive set of technical, physical and administrative requirements. Implementing a compliance program, and maintaining a strong security posture capable of warding off attacks, has proved to be a significant challenge for a majority of affected organizations. Gathering information for self-assessments and preparing for third-party audits only increases the workload of the IT staff. Many affected organizations lack the performance measurement capabilities and validation processes necessary to prove compliance and appropriate diligence in managing cardholder information.

PCI DSS applies to merchants, acquiring banks, issuing banks, payment processors and other allied service providers that process, store, transmit and/or dispose of consumer card information.

The target for PCI is the cardholder data environment, which is typically a subset of the corporate computing environment, and specifically defined within the standard as "...any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (Internet) applications."[1]

Although there were a number of changes from the original version of the standard, the majority of them were editorial in nature. For example, the use of the terms cardholder data and sensitive authentication data was made consistent, the terms must and should were normalized, and certain examples, such as strong cryptography, were moved from the body of the standard to the glossary section. A number of clarifications were added, for items such as key rotation, wireless protocols and open networks. The final classes of changes were few, but more substantive, including:

• Clause 6.6 - Addition of a requirement for application code review or application firewall.
• Clause 12.10 - Addition of a requirement for a policy to manage c...
