
Meeting and exceeding PCI 1.1 compliance today

Secure Computing for basic PCI compliance.

Category: Regulation/Compliance

Date: , 15:00

Company: Secure Computing


White Paper: Meeting and exceeding PCI 1.1 compliance today (www.securecomputing.com)

Secure Computing has been solving the most difficult network and application security challenges for over 20 years, and is uniquely qualified to be the global security solutions provider to organizations of all sizes.

Table of contents

• Overview
• Who is impacted?
• Secure Computing portfolio
• Secure Computing for basic PCI compliance
• Above and beyond the basics
• Penalties
• Conclusion

Secure Computing Corporation

Corporate Headquarters: 4810 Harwood Road, San Jose, CA 95124 USA. Tel +1.800.379.4944, Tel +1.408.979.6100, Fax +1.408.979.6501
European Headquarters: No 1 The Arena, Downshire Way, Bracknell, Berkshire, RG12 1PU UK. Tel +44.0.870.460.4766, Fax +44.0.870.460.4767
Asia/Pac Headquarters: 1606-8 MLC Tower, 248 Queen's East Road, Wan Chai, Hong Kong. Tel +852.2598.9280, Fax +852.2587.1333
Japan Headquarters: Shinjuku Mitsui Bldg. 2, 7F, Nishi-Shinjuku 3-2-11, Shinjuku-ku, Tokyo, 160-0023 Japan. Tel +81.3.5339.6310, Fax +81.3.4496.4537

© 2007 Secure Computing Corporation. All Rights Reserved. Bess, enterprise strong, IronMail, MobilePass, PremierAccess, SafeWord, Secure Computing, SecureOS, SecureSupport, Sidewinder G2, SmartFilter, SofToken, Strikeback, Type Enforcement, CyberGuard, and Webwasher are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. Access begins with identity, Anti-Virus Multi-Scan, Anti-Virus PreScan, Application Defenses, Compliance, Dynamic Quarantine, Edge, Encryption, G2 Enterprise Manager, Global Command Center, IronIM, IronNet, Live Reporting, Message Profiler, MethodMix, On-Box, Outbreak Defender, Power-It-On!, Radar, RemoteAccess, SecureEdge, Secure Encryption, SecureWire, SmartReporter, SnapGear, SpamProfiler, Threat Response, Total Stream Protection, TrustedSource, TrustedSource Portal, Webmail Protection, ZAP, and ZombieAlert are trademarks of Secure Computing Corporation. All other trademarks used herein belong to their respective owners.

This paper discusses how Secure Computing's portfolio of security solutions can help enterprises exceed the basic compliance requirements of the Payment Card Industry Data Security Standard (PCI), version 1.1.

Overview

Visa, MasterCard, American Express, Diner's Club, Discover, and JCB collaborated to create a new set of standards based on CISP (Cardholder Information Security Policy), known as the Payment Card Industry Data Security Standard (PCI). All merchants and service providers that handle, transmit, store or process information concerning any of these cards, or related card data, are required to be compliant with PCI or face contract penalties or even termination by the credit card issuers. The primary purpose of this standard is to protect credit card data by reducing fraud and theft. The PCI standard seeks to accomplish this through a defense-in-depth strategy.

There are six primary areas covered by PCI, divided into 12 requirements:

Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords

Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to need-to-know
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

Who is impacted?

Most industry standards are specified only for a group of companies or individuals. PCI expands the impact to include a wide variety of computer systems as well. The types of companies who are impacted include all members, merchants, and service providers that store, process, or transmit cardholder data.

Additionally, these security requirements apply to all "system components" (i.e., any network component, server, or application included in, or connected to, the cardholder data environment):

• Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances
• Servers include, but are not limited to, Web, database, authentication, DNS, mail, proxy, and NTP
• Applications include all purchased and custom applications, including internal and external (Web) applications

Secure Computing portfolio

Secure Computing offers four comprehensive product portfolios to help you comply with all industry and government regulations.

Identity and Access Management solutions
• Provides strong, two-factor authentication tokens which never expire and can access any application, integrate seamlessly into any LDAP, and deploy with standard Microsoft tools
• Provides secure, anytime, anywhere access to sensitive applications, data and networks
• Provides end-point security, so that only properly configured devices have network access
• Easily manages remote, wired, or wireless access for employees, contractors and guests

Network Gateway Security solutions
• Provides the most comprehensive, self-defending application proxy firewall appliance in the world, protecting the network from all types of threats, both known and unknown
• Allows only tightly defined and granular application traffic through at gigabit speeds, while providing zero tolerance for all suspicious and undesirable traffic
• Protects against all classes of threats including packet fragmentation, spoofing, denial of service (DoS), viruses, worms, Trojans, spam, spyware, SQL injection, and more
• The only security appliance to never have required an emergency security patch in more than 11 years, due to its patented SecureOS technology
• The only security appliance to have achieved the preeminent EAL4+ Common Criteria certification for application-layer firewalls

Messaging Gateway Security solutions
• Protects sensitive content from leaving the enterprise unprotected, through email, IM, peer-to-peer, FTP, or VoIP protocols
• Scans all portions of a message with sophisticated technologies, including fingerprinting, clustering, image scanning, and adaptive learning
• Provides multiple encryption technologies, including both push and pull, to ensure usability as well as manageability
• Provides 12 unique actions that can be taken when sensitive content is discovered, including archiving and end-user education

Web Gateway Security solutions
• Protects against all inbound threats from the Web, including spyware, active content, and Trojans
• Protects against sensitive content leaving the enterprise through blogs, webmail, or peer-to-peer networking
• Increases employee productivity by blocking objectionable surfing
• Controls encrypted traffic by applying security policies over SSL sessions

Secure Computing for basic PCI compliance

Secure Computing's extensive portfolio provides strong solutions for the following requirements:

Requirement 1: Install and maintain firewall configurations. Secure Computing's award-winning firewalls are delivered out-of-the-box with the strongest configuration settings available.

Requirement 4: Encrypt transmissions of cardholder data across public networks. Secure Computing's Messaging Encryption and Web encryption capabilities ensure that cardholder data is always protected over email, IM, FTP, P2P, HTTP, and HTTPS protocols.

Requirement 5: Use and regularly update anti-virus software. Anti-virus software is built into all of Secure Computing's Gateway products and is automatically updated for the user.

Requirement 6: Develop and maintain secure systems and applications. Secure Computing's hardened operating systems are impervious to attacks and provide the strongest protection available for every file, directory and application.

Requirement 7: Restrict access to need-to-know. Secure Computing's Identity and Access solutions provide integrated access controls that can be deployed within hours.

Requirement 8: Assign unique IDs to each person with computer access. Secure Computing provides strong two-factor authentication in a token that doesn't expire and never needs to be reissued.

Requirement 10: Monitor and track all access to network resources and cardholder data. Secure Computing provides extensive reporting and forensic tracking tools.

Requirement 11: Regularly test security systems and processes. Secure Computing's network intrusion detection and prevention systems ensure that hackers are kept in the dark.

Requirement 12: Maintain a policy that addresses information security. Secure Computing provides out-of-the-box policy templates that can jumpstart an enterprise's policy development.

Above and beyond the basics

Secure Computing's advanced technologies can help enterprises exceed these basic requirements in several critical areas.

PCI requirement 1.2: Build a firewall configuration that denies all traffic from untrusted networks and hosts
PCI requirement 1.3.5: Restrict inbound and outbound traffic to necessary only
PCI requirement 1.3.7: Deny all other inbound and outbound traffic
Secure Computing solution: Secure Computing has developed a set of positive security model tools in its firewalls built on an in-depth knowledge of how a wide range of applications work. Positive security is based on identifying those bits of traffic and communication sessions which are known to be good, and then allowing only them to proceed, thereby excluding all other traffic and communications. Secure Computing's positive security tools dramatically reduce an organization's attack surface area by inherently eliminating exposure to all sorts of attacks, both unknown and known. These positive-model countermeasures are essentially immune to the trends of faster threat generation and propagation.

PCI requirement 1.3.3: Implement stateful inspection filtering
PCI requirement 6.6: Install an application layer firewall in front of web-facing applications (recommendation until June 30, 2008; requirement after that date)
Secure Computing solution: Firewalls that perform stateful inspection function at the Network and Transport Layers (3 and 4). They examine only the source, destination and state of each packet sent over a public network. They do a good job of policy checking across a series of packets, but provide limited protection against ill-formed packets or application layer attacks. Secure Computing provides Sidewinder and CyberGuard, the world's strongest application-layer firewalls. In addition to all of the functionality of a stateful inspection firewall, Secure Computing's firewalls check IP addresses, subnets, TCP and UDP port numbers, HTTP, HTTPS, request and reply headers, and TCP/IP rules at the Application Layer (7). This provides an extremely secure perimeter network defense.

PCI requirement 5.1.1: Ensure anti-virus programs are capable of detecting, removing and protecting against malicious software, including spyware and adware
Secure Computing solution: Not only do Secure Computing products have anti-virus software built into them, but they go several steps beyond. Sidewinder G2's Zero-Hour Attack Protections use a positive security model that only recognizes tightly defined and known traffic. Everything else is considered suspicious. Sidewinder's unique protections provide a shield against both known and unknown attack vectors, long before anti-virus signature files can be created and deployed.

PCI requirement 6.1: Ensure that all system components have the latest vendor-supplied security patches installed within one month
Secure Computing solution: Secure Computing's Sidewinder is the only firewall in the industry which has never needed a security patch in over 11 years of deployments. Sidewinder's hardened operating system is impervious to attacks and has never been compromised. Black Hat Consulting, the preeminent group associated with the globally renowned Black Hat Conference, tried their best to break Sidewinder, and couldn't. It's the only firewall they've never penetrated. They called it "by far the sturdiest system we've audited ... and the most stable and reliable firewall we have tested."

PCI requirement 8.3: Implement two-factor authentication for remote access by employees, admins and third parties
PCI requirement 8.5.6: Enable accounts used by vendors only during the time period needed
PCI requirement 8.5.13: Limit repeated access attempts
PCI requirement 8.5.15: Require the user to re-authenticate if the session has been idle for more than 15 minutes
Secure Computing solution: Secure Computing's SafeWord tokens provide strong, two-factor, one-time-use passwords that can be easily and quickly deployed to employees, contractors, guest workers and auditors. These tokens never expire and integrate with Active Directory or other LDAP repositories. Tokens are terminated along with the user account for up-to-the-second credential validation. Secure Computing's Enterprise Solution Pack for SafeWord provides the first zero-footprint authenticator on the market, delivering secure one-time passwords to mobile devices such as cell phones, pagers and PDAs. It can also support PKI user authentication, including digital signatures, smart cards, fingerprint scanners, signature readers, and other biometric and USB devices. SafeWord protects access to any application by freezing out users after repeated access attempts and also by requiring them to re-authenticate if their session has been idle. These security measures are easily deployed to Web-based applications or other access-controlled services.

PCI requirement 11.4: Use network intrusion detection and prevention systems
Secure Computing solution: Intrusion detection systems try to detect attacks by looking for data patterns in network messages that have also appeared in messages carrying a known attack. These patterns or signatures are developed in much the same way that anti-virus vendors produce signatures to detect viruses. Unfortunately, they aren't nearly as reliable as virus detection signatures. They often generate false alarms when innocent traffic accidentally matches an attack pattern. If the site tries to reduce the false alarm rate by making the pattern matching less sensitive, it may also fail to detect attacks. Secure Computing's rules-based Strikeback feature allows companies to define what happens if someone attempts to violate policy, gain unauthorized access, or execute an attack against their network. It is based on detecting security-relevant events directly, like an attempt to connect to a blocked service. As such, there are no false alarms. The combination of Sidewinder event monitoring and Strikeback action provides an exceptionally powerful set of tools to the security administrator: not only is it possible to gather information that can be analyzed and used to proactively adjust policies to prevent future attacks, it also allows for an immediate response to be taken as those attacks occur.

Penalties

The credit card issuers are taking these requirements very seriously. As of December 2006, VISA is fining violators up to 500,000 per event, and they are taking the money directly out of the violator's bank accounts. American Express is fining merchants up to 15,000 per day for failures to comply and forcing them to bring in a third-party contractor to bring systems into compliance.

Conclusion

PCI is probably the most comprehensive standard developed to date. The credit card companies are serious about proving to the world that consumer information is safe in their hands. Demonstrating compliance with PCI is about following best practices, which is in the enterprise's best interests as well as the consumer's. Secure Computing's extensive portfolio of best-in-breed network, Web, and message gateway security appliances, as well as award-winning identity and access solutions, provides a cohesive approach to achieving and demonstrating compliance with PCI and any other government, industry and/or corporate regulations facing today's enterprises.

For more information about any of Secure Computing's products or services, please contact us or an authorized partner.
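The positive security model the paper describes for requirements 1.2, 1.3.5 and 1.3.7 (allow only known-good flows, deny everything else) and the Strikeback point under 11.4 (a denied connection to a blocked service is itself the event, so there is nothing to mismatch) can be shown in a few lines. The Python below is an added example written for this page, not Secure Computing, Sidewinder or Strikeback code: the rule fields are an assumption about how such a policy is written, and the addresses (RFC 5737 documentation ranges), rules and connection attempts are constructed.

```python
"""Deny-by-default ("positive security model") policy evaluator.

Added example for this page, not Secure Computing or Sidewinder code. It
models PCI DSS 1.1 requirements 1.2, 1.3.5 and 1.3.7 as the white paper
describes them: only traffic that matches an explicit allow rule passes,
everything else is denied, and each denial is recorded as a security event
in its own right (an attempt to reach a blocked service), which is the
"no false alarms" property the paper attributes to Strikeback. Rule fields,
sample rules, addresses and connection attempts are all constructed here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AllowRule:
    """One positive rule: a flow that is known to be good (assumed fields)."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp" or "udp"
    dports: frozenset[int]      # destination ports this rule permits

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (proto == self.proto
                and dport in self.dports
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


@dataclass
class PositivePolicy:
    """Ordered allow rules; anything unmatched is denied and logged."""
    rules: list[AllowRule]
    events: list[dict] = field(default_factory=list)

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, proto, dport):
                return f"allow:{rule.name}"
        # 1.3.7: deny everything not explicitly permitted. The denial itself
        # is the event: a real attempt to reach a blocked service, not a
        # signature match that might be innocent traffic.
        self.events.append(
            {"src": src_ip, "dst": dst_ip, "proto": proto, "dport": dport})
        return "deny"

    def denied_by_source(self) -> dict[str, list[tuple[str, int]]]:
        """Group denials by source so an admin can review them and tune policy."""
        out: dict[str, list[tuple[str, int]]] = {}
        for ev in self.events:
            out.setdefault(ev["src"], []).append((ev["dst"], ev["dport"]))
        return out


def build_demo_policy() -> PositivePolicy:
    # Constructed environment using RFC 5737 documentation addresses:
    # 192.0.2.10 is a DMZ web server, 10.0.1.20 holds cardholder data,
    # 10.0.9.0/24 is the management network. Nothing else is allowed.
    net = ipaddress.ip_network
    return PositivePolicy([
        AllowRule("inbound-https", net("0.0.0.0/0"), net("192.0.2.10/32"), "tcp", frozenset({443})),
        AllowRule("web-to-db", net("192.0.2.10/32"), net("10.0.1.20/32"), "tcp", frozenset({5432})),
        AllowRule("admin-ssh", net("10.0.9.0/24"), net("10.0.0.0/16"), "tcp", frozenset({22})),
    ])


def run_demo() -> tuple[list[str], list[dict]]:
    """Evaluate constructed connection attempts; returns (decisions, events)."""
    policy = build_demo_policy()
    attempts = [
        ("198.51.100.7", "192.0.2.10", "tcp", 443),   # customer reaching the web store
        ("198.51.100.7", "192.0.2.10", "tcp", 22),    # SSH from the Internet
        ("192.0.2.10", "10.0.1.20", "tcp", 5432),     # web tier to database
        ("198.51.100.7", "10.0.1.20", "tcp", 5432),   # Internet straight to the database
        ("192.0.2.10", "198.51.100.7", "tcp", 6667),  # unexpected outbound from the web tier
        ("10.0.9.5", "10.0.1.20", "tcp", 22),         # admin from the management network
    ]
    decisions = [policy.evaluate(*a) for a in attempts]
    return decisions, policy.events


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```

Only the three flows the rules name are allowed; the inbound SSH, the direct Internet-to-database attempt and the outbound IRC connection from the web tier are all denied without any rule naming them, which is what 1.3.7 asks for, and every entry in `events` corresponds to a real policy violation rather than a pattern guess.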
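The SafeWord controls the paper cites for 8.5.13 and 8.5.15 (freeze out users after repeated access attempts; require re-authentication after an idle period) come down to a failure counter per user and a last-activity timestamp per session. The Python below is an added example, not SafeWord or other Secure Computing code: the demo user, its fixed one-time code and the session ids are constructed, and the six-attempt and 30-minute lockout limits are taken from PCI DSS 1.1 requirements 8.5.13 and 8.5.14 rather than from this paper (the 15-minute idle value is the one the paper cites). A real deployment would verify the one-time password against the token server instead of the constant-time compare used here.

```python
"""Repeated-attempt lockout and idle-session re-authentication.

Added example for this page, not SafeWord or other Secure Computing code.
It shows, in a testable form, the two controls the white paper cites for
PCI DSS 1.1 requirements 8.5.13 (limit repeated access attempts) and
8.5.15 (re-authenticate after 15 idle minutes). The demo user, the fixed
one-time code and the session ids are constructed; a real deployment
verifies the one-time password against the token server instead.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 6         # PCI DSS 1.1 8.5.13 limit (not quoted in the paper)
LOCKOUT_SECONDS = 30 * 60       # PCI DSS 1.1 8.5.14 minimum (not quoted in the paper)
IDLE_TIMEOUT_SECONDS = 15 * 60  # 8.5.15, the 15 minutes the paper cites


@dataclass
class Session:
    user: str
    last_activity: float        # seconds; the caller supplies the clock


@dataclass
class AuthGate:
    secrets: dict[str, str]                               # user -> expected one-time code (demo only)
    failed: dict[str, int] = field(default_factory=dict)  # consecutive failures per user
    locked_until: dict[str, float] = field(default_factory=dict)
    sessions: dict[str, Session] = field(default_factory=dict)
    _next_id: int = 0

    def login(self, user: str, code: str, now: float) -> str:
        """Returns "ok:<session id>", "denied" or "locked"."""
        if self.locked_until.get(user, 0.0) > now:
            return "locked"                               # still inside the lockout window
        expected = self.secrets.get(user, "")
        # Constant-time compare of the demo code; a token server does this step.
        if expected and hmac.compare_digest(code.encode(), expected.encode()):
            self.failed.pop(user, None)                   # success resets the counter
            self._next_id += 1
            sid = f"s{self._next_id}"
            self.sessions[sid] = Session(user, now)
            return f"ok:{sid}"
        count = self.failed.get(user, 0) + 1
        if count >= MAX_FAILED_ATTEMPTS:
            # 8.5.13: freeze the user out after repeated failures.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failed.pop(user, None)
            return "locked"
        self.failed[user] = count
        return "denied"

    def touch(self, sid: str, now: float) -> str:
        """Called on each request. Returns "ok", "reauth-required" or "no-session"."""
        s = self.sessions.get(sid)
        if s is None:
            return "no-session"
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]                        # 8.5.15: idle too long, log in again
            return "reauth-required"
        s.last_activity = now
        return "ok"


def run_demo() -> list[str]:
    """Walk one user through lockout, recovery and idle timeout on a fake clock."""
    gate = AuthGate(secrets={"alice": "493817"})          # constructed demo user and code
    out, t = [], 0.0
    for _ in range(MAX_FAILED_ATTEMPTS):                  # wrong code, six times
        out.append(gate.login("alice", "000000", t))
        t += 5
    out.append(gate.login("alice", "493817", t))          # right code, but now locked
    t += LOCKOUT_SECONDS                                  # lockout window has passed
    result = gate.login("alice", "493817", t)
    out.append(result)
    sid = result.split(":", 1)[1]
    t += 10 * 60
    out.append(gate.touch(sid, t))                        # active within 15 minutes
    t += IDLE_TIMEOUT_SECONDS + 1
    out.append(gate.touch(sid, t))                        # idle longer than 15 minutes
    out.append(gate.touch(sid, t))                        # session no longer exists
    return out


if __name__ == "__main__":
    print(run_demo())
```

The clock is passed in rather than read from `time.time()` so the lockout and idle paths can be exercised deterministically; the same two checks apply unchanged when `now` comes from the real clock on each request.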
