Solutions: PCI DSS Compliance

To have the right to process payment card transactions, organizations must comply with the Payment Card Industry Council’s Data Security Standards (PCI DSS). PCI DSS requires organizations to protect payment cardholder account information throughout the transaction lifecycle, which includes the point of sale and the transfer and storage of account information. Organizations that fail to comply, or that suffer a breach during a period of non-compliance, face heavy fines, can lose the right to process payment card transactions, and face severe and costly civil litigation.

Organizations must comply with the PCI DSS if they process, transmit and store payment card information. Such information includes all data contained on a card’s magnetic stripe, or the Primary Account Number (PAN) in conjunction with the cardholder name, expiration date and service code.

The six PCI DSS categories and 12 requirements that organizations processing payment card transactions must adhere to in order to maintain compliance are:

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Although the categories and requirements are specific about what organizations must do to have the privilege of processing payment card transactions, they do not identify any specific enabling technologies beyond the firewall named in Requirement 1. Organizations that need to achieve PCI DSS compliance must develop and implement their own strategy and solutions.

Challenges:

  • Ensuring that access management and control measures can be applied across a broad range of applications, protocols and resources, so that every repository of PCI DSS data is covered
  • Defining logging and audit policies independently of enforcement policies, and tracking PCI DSS-specific transactions and user activity
  • Authorizing each transaction based on PCI DSS policy, allowing rapid provisioning and de-provisioning of access rights to accommodate changes in personnel, regulations, business processes and remediation requirements

The Rohati solution allows IT to quickly implement and enforce dynamic policies that achieve PCI DSS compliance. Because the TNS integrates with existing user information repositories and directories such as LDAP and Active Directory, authorization for application and data access and usage can be applied consistently based on business policies. Rohati recognizes the compliance gap that exists between PCI DSS design and implementation, and that no single technology solution will provide total compliance. However, in response to the challenges above, Rohati’s industry-first agent-less access management solution, the Transaction Networking System™ (TNS™), provides benefits in a number of areas:

Benefits:

  • Rapid and cost-effective policy enforcement across all applications and all classes of users that access PCI data.
  • Policy-based logging for audit and e-discovery across every application that processes or stores PCI data.
  • Significantly reduced time to implement and cost to deploy and administer when compared with software-based approaches.
  • Reduced audit, forensics and remediation costs through the availability of per-transaction and policy-based logging.