PCI Data Security Standard

The continuing series of massive credit card data breaches at high-profile organizations prompted the development of the Payment Card Industry Data Security Standard (PCI DSS), which standardizes how cardholder data must be protected. Under the PCI DSS, a business or organization should be able to assure its customers that their credit card account information and transaction information is safe from hackers and from any other malicious system intrusion, whether it originates outside the organization or from within:
  • 65 percent of financial services institutions worldwide experienced repeated external breaches within the past 12 months¹
  • 30 percent of these global institutions suffered repeated internal breaches during the same timeframe¹

To achieve compliance with the PCI DSS, merchants and service providers must adhere to six major categories of requirements, comprising twelve PCI-required controls that cover network security, protection of stored and transmitted cardholder data, vulnerability management, access control, network monitoring and testing, and information security policy.

Security Management Solutions from Lumension Help Credit Card Issuers and Processors Comply with PCI DSS

Endpoint management and security software from Lumension enables credit card issuers and processors to protect the confidentiality of customers' financial records and to maintain a stable, secure network environment. These solutions include:
  • Lumension® Patch and Remediation – Reduces organizational risk and optimizes IT operations through the timely, proactive elimination of OS and application vulnerabilities across all endpoints and servers. Heterogeneous platform and 3rd party vulnerability content support includes Microsoft® Windows®, UNIX®, Linux®, Apple®, Adobe®, Oracle®, Java™ and more.
  • Lumension® Content Wizard – Delivers customized extensibility through wizard-driven and custom scripting tools to take any action on endpoints including deploying and removing software, remediating configurations, performing systems management tasks and delivering custom patches.
  • Lumension® Security Configuration Management – Ensures that endpoints are securely configured and in compliance with industry best practices and regulatory mandates while reducing configuration drift.
  • Lumension® AntiVirus – Provides blacklist protection and removal for all malware including viruses, worms, spyware, Trojans and adware.
  • Lumension® Application Control – Defines and enforces trusted application usage through whitelist policies to ensure that only applications explicitly authorized or trusted are allowed to execute. Includes Advanced Memory Protection to defend against sophisticated memory injection attacks.
  • Lumension® Device Control – Enforces usage policies for devices and ports while providing FIPS 140-2 Level 2 validated encryption of data on removable media to prevent data loss or theft.
  • Lumension® Disk Encryption – Enables full disk encryption to maximize endpoint security and performance with proven, FIPS 140-2 validated encryption algorithms; and offers encrypted swap and hibernation files for complete security.
  • Lumension® Risk Manager – Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management to provide crucial visibility and continuous monitoring across the IT environment, supporting compliance with PCI DSS as well as with other pertinent regulations (e.g. HIPAA), mandates, and internal policies.

Lumension proactively addresses PCI DSS requirements by continuously monitoring and assessing enterprise networks for software and configuration vulnerabilities, rapidly patching and remediating those vulnerabilities, and applying user access control policies across applications and devices, including traditional endpoints and removable devices and media.

PCI DSS

Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored data
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
Requirement 7: Restrict access to data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security


The Cost of Non-Compliance

Non-compliance with PCI DSS can result in financial penalties levied against a merchant or service provider, or even in the merchant losing the ability to accept or process credit card transactions. Costs also include:
  • Monthly fines for non-compliance ranging from $5,000 to $25,000
  • Lost business, if an acquirer refuses to process card payments for a merchant after a data breach occurs
  • Damaged reputation, since consumers prefer to do business with a company whose reputation is untarnished and that has never experienced a data breach

To see how Lumension’s endpoint security solutions can help your organization achieve PCI compliance, please click here.

Source:
  1. Deloitte Global Financial Services Industry 2007 Global Security Survey