PCI DSS Compliance

If your organization handles credit card data you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Created by the major payment card brands the PCI DSS codifies a set of security best practices that help organizations protect cardholder data. PCI compliance allows organizations to process credit cards and avoid hefty fines but—more importantly—it drastically reduces the risk of a devastating data breach.

Imperva SecureSphere solutions help organizations meet 8 of the 12 high-level requirements, including the key requirements that strategically impact Web, database and file security:

• Requirement 6.6: Protect public-facing Web applications
• Requirement 10: Audit all access to cardholder data
• Requirement 7: Limit access to systems and data on a business need to know
• Requirement 8.5: Identify and disable dormant user accounts and access rights
• Requirement 11.5: Alert personnel to unauthorized modification of files
  

PCI 6.6: Protect Public-Facing Web Applications

Requirement 6.6 offers two options to address Web security risks: install a Web application firewall (WAF) or review all Web applications annually and after all changes. WAFs provide continuous protection, not just immediately after an application review. In addition, because maintenance is automated, WAFs will neither impose burdensome consulting costs nor impact Web development processes. For defense in-depth, organizations can integrate WAFs with application assessment tools to virtually patch vulnerabilities, eliminating the window of exposure associated with manual code fixes.

PCI 10: Audit All Access to Cardholder Data

PCI DSS requires that organizations track and monitor all access to network resources and cardholder data. Among the 25 detailed sub-requirements delineated in section 10, organizations must track all activity to individual users, monitor every individual transaction, and audit privileged user activity. Even access to audit trails must be restricted and logged. With such exacting demands, it is not surprising that 71% of assessed merchants fail to meet this requirement.1 Purpose-built database and file security solutions satisfy section 10 without degrading server performance, necessitating application changes, or requiring in-house audit management tools.

PCI 7: Limit Access to Cardholder Data by Business Need to Know

Restricting access to authorized personnel greatly reduces the risk of a data breach. According to PCI DSS requirement 7, organizations should limit user access to the least necessary to perform job functions. A dedicated User Rights Management (URM) solution can automate the aggregation, management, and auditing of user access rights across all databases and file servers. URM will also help identify excessive and unused user rights and streamline compliance efforts and processes.

PCI 8.5: Disable Dormant User Accounts

PCI DSS mandates secure user authentication and password management processes. According to PCI requirement 8.5.5, user accounts must be disabled after 90 days of inactivity. In addition, access privileges of terminated users should be revoked. A User Rights Management solution helps organizations aggregate and report on user activity, identify dormant accounts, and generate reports for PCI compliance.

Requirement 11.5: Alert Personnel to Unauthorized Modification of Files

PCI DSS mandates that critical system, configuration, and content files be monitored for unauthorized modification, and that personnel be altered to changes. Section 11.5 describes the need to deploy file integrity monitoring to accomplish this. A file security solution can monitor all access activity, including changes, and can generate alerts when modifications or other policy deviations are seen.

Related Products:

Database Security
Product Name:	Capabilities:
SecureSphere Database Activity Monitoring or SecureSphere Database Firewall	Addresses PCI 10 Audits all access to sensitive database data Alerts and optionally blocks2 abnormal access to sensitive data Offers a tamper-proof audit trail Discovers databases and classifies data to determine scope of PCI audit Provides pre-defined compliance reports with customization capabilities
User Rights Management for Databases	Address PCI 7 and 8.5 which require management of user access rights based on business need to know

File Security
Product Name:	Capabilities:
SecureSphere File Activity Monitoring or SecureSphere File Firewall	Addresses PCI 10 and 11.5 Audits all access to unstructured data Alerts and optionally blocks3 abnormal access to sensitive data Offers a tamper-proof audit trail Provides pre-defined compliance reports with customization capabilities
User Rights Management for Files	Addresses PCI 7 and 8.5 Detects dormant users and excessive access rights Aggregates and reports on user access rights Provides a built-in workflow for file access rights review

Web Security
Product Name:	Capabilities:
SecureSphere Web Application Firewall	Addresses PCI 6.6 Continuously protects against known and zero-day application attacks Prevents common application vulnerabilities, including the OWASP Top Ten Provides transparent protection with no changes to existing applications or network Automates security management by dynamically learning application usage Integrates with application scanners for instant virtual patching of vulnerabilities Offers compliance reports