Regulatory Compliance
Protecting PCI Systems and Data



The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of
the information they protect. In response to this threat, the PCI has produced an excellent series of process
and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series
of principles and accompanying requirements that are critical to the integrity of the industry's computer
systems. The standard takes a multi-faceted approach to protecting payment card information, including
securing the systems the data resides within, controlling access to the systems and cardholder data, and
protecting the cardholder data itself. BOUNCER by CoreTrace™ provides an elegant solution for meeting
many of these requirements. It can be used in any PCI environment with sensitive data, from large servers
processing thousands of transactions to small kiosks in the mall. This paper provides a short overview of
the BOUNCER™ product and a discussion of the relevant PCI DSS requirements where the product provides
a solution.


Meeting the PCI Data Security Standard (DSS) with BOUNCER

The DSS applies to all system components wherein a Primary Account Number is stored, processed, or
transmitted. There are 12 major requirements within the DSS that are arranged under 6 major categories
(see sidebar).

BOUNCER is an endpoint security solution that maintains the configuration and integrity of critical
computer systems. This solution protects the computer from both internal and external changes by
ensuring that only approved, vetted applications can execute by enforcing an application whitelist. The
enforcement mechanism resides within the operating system kernel, making it the most tamper-proof
security solution available. BOUNCER is an enterprise-class product providing centralized management,
secure command and control channels, and robust infrastructure for high availability and failover. The
sections below explain how BOUNCER meets specific DSS requirements.

One of BOUNCER's strongest capabilities is the ability to 'lock down' and maintain the configuration of
a system, even when that system has known vulnerabilities. As will be explained in the following
sections, BOUNCER should be considered for any PCI security initiative due to the system's proven
anti-malware capabilities (including the ability to stop root kits and buffer overflow exploits), strong
ability to prevent the addition of unauthorized applications, along with a built-in network filtering option.

Sidebar: PCI DSS Requirements

    Build and maintain a secure network
        01: Install and maintain a firewall configuration
        02: Do not use vendor-supplied defaults
    Protect cardholder data
        03: Protect stored data
        04: Encrypt transmitted data
    Maintain a vulnerability-management system
        05: Use and maintain antivirus
        06: Develop and maintain secure systems
    Implement strong access-control measures
        07: Restrict access by need-to-know
        08: Assign a unique ID to all users
        09: Restrict physical access
    Regularly monitor and test networks
        10: Track and monitor access to data
        11: Regularly test security systems
    Maintain an information security policy
        12: Maintain a written policy
Use and regularly update antivirus or other programs

Data or applications can be corrupted via viruses and malware that enter the PCI system through email
attachments, visits to compromised websites, and injection via software vulnerabilities. BOUNCER
stops this type of application assault and more. The application whitelisting technology keeps track of
the applications you want to run, so regardless of how a piece of malicious software enters your network,
it will not be on the list and will not run. Because it is not based on detecting the malicious software via a
signature, your system is protected against 'zero-day' threats and is always up to date, relieving you from
the duty of regularly updating antivirus or malware signatures. Because of its unique design and location
in the operating system kernel, BOUNCER also provides protection against sophisticated attacks including
root kits and memory exploits like buffer overflows. Finally, BOUNCER has an extremely small disk
space and memory 'footprint' on protected computer systems compared to other antivirus and
anti-malware alternatives, freeing up resources for PCI processing.

Develop and maintain secure systems and applications

This requirement focuses on the task of keeping PCI systems up to date with the latest security patches.
One of the primary reasons for constantly patching systems is to address the security flaws in the
operating system or its applications. These flaws or vulnerabilities are used by an employee, an automated
'bot', or an outsider to access and potentially modify the cardholder data or the system. As mentioned
previously, BOUNCER uses a unique variation of application whitelisting to solve this problem.
A whitelist of known files is created from the PCI system itself and then used to 'lock' the system in that
configuration, preventing any further modification until desired by the BOUNCER administrator. Executable
files not included in the whitelist cannot run regardless of how they got there. Thus, a malware program
or virus deposited on the system via a vulnerability exploitation is stopped. Likewise, a program copied
to the system by the user, either intentionally or unintentionally, which is not on the whitelist, cannot
run. Through BOUNCER, a process of checks and balances is introduced protecting your critical
PCI systems. Perhaps more importantly, the systems are protected against 'zero-day' attacks because
newly announced vulnerabilities do not introduce new risk. The systems can be patched the next time
a configuration change or software update is desired.

Install and maintain a firewall configuration

A large portion of this requirement is devoted to limiting access to PCI networks and systems through
the use of firewall technology. In addition to the network-based firewalls and the creation of a
'demilitarized zone' (DMZ) within the PCI network as described in the DSS, BOUNCER can provide an added
level of protection on each system. While BOUNCER is not a network firewall itself, each endpoint
protected by the BOUNCER client contains a centrally managed, host-based stateless network firewall.
Like the network firewall recommendations in the DSS, this filter can be tailored by protocol, port, or IP
addresses for both inbound and outbound traffic separately. This provides an unequaled level of
flexibility. It is easy to change the filter rules, as well as quickly see all the rules in effect across your PCI
network. Through BOUNCER you can manage and control access to each system with a fine degree
of detail, while still securely managing the enterprise from a central location.
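The host-based filter described above, modelled as an added example (not CoreTrace code): one ordered rule list per direction, each rule matching on protocol, remote address or CIDR, and local or remote port, with default deny. Because the filter is stateless, reply traffic from the payment gateway must be permitted by its own inbound rule, and the example shows the cost of that: the same rule admits unsolicited packets that merely carry the expected source port. Hosts, networks, ports and the policy itself are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: Optional[str] = None         # "tcp" / "udp" / "icmp"; None matches any protocol
    remote: Optional[str] = None        # peer address or CIDR; None matches any address
    local_port: Optional[int] = None    # port on the protected host; None matches any
    remote_port: Optional[int] = None   # port on the peer; None matches any


@dataclass(frozen=True)
class Packet:
    """A packet seen from the protected host's point of view."""
    direction: str      # "in" (arriving at the host) or "out" (leaving the host)
    proto: str
    remote_ip: str
    local_port: int
    remote_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field set on the rule must match; unset fields are wildcards."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.remote is not None:
        net = ipaddress.ip_network(rule.remote, strict=False)
        if ipaddress.ip_address(pkt.remote_ip) not in net:
            return False
    if rule.local_port is not None and rule.local_port != pkt.local_port:
        return False
    if rule.remote_port is not None and rule.remote_port != pkt.remote_port:
        return False
    return True


def evaluate(policy: dict, pkt: Packet) -> str:
    """First matching rule in the packet's direction wins; nothing matching means deny."""
    for rule in policy.get(pkt.direction, []):
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed policy for a point-of-sale host: management console in, gateway and DNS out.
POS_POLICY = {
    "in": [
        Rule("allow", "tcp", "10.0.1.0/24", local_port=8443),   # management console only
        # Stateless: replies from the gateway need an explicit rule keyed on the source port.
        Rule("allow", "tcp", "10.0.2.5/32", remote_port=443),
    ],
    "out": [
        Rule("allow", "tcp", "10.0.2.5/32", remote_port=443),   # payment gateway
        Rule("allow", "udp", "10.0.0.53/32", remote_port=53),   # internal DNS
    ],
}

if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "10.0.1.7", 8443, 40001),       # console -> allow
        Packet("in", "tcp", "198.51.100.9", 8443, 40002),   # outside subnet -> deny
        Packet("out", "tcp", "10.0.2.5", 51234, 443),       # to gateway -> allow
        Packet("in", "tcp", "10.0.2.5", 51234, 443),        # gateway reply -> allow
        Packet("in", "tcp", "10.0.2.5", 22, 443),           # unsolicited, src port 443 -> allow (stateless gap)
        Packet("out", "tcp", "203.0.113.4", 51235, 80),     # to the internet -> deny
    ]
    for p in samples:
        print(f"{p.direction:3} {p.proto} {p.remote_ip}:{p.remote_port} <-> :{p.local_port} => {evaluate(POS_POLICY, p)}")
```

The fifth sample is the practitioner's caveat: a stateful filter would reject it because no connection exists, so on a stateless host filter the reply rule should be kept as narrow as the gateway address allows.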
Regularly monitor and test networks

Even the most secure networks need to be monitored on a regular basis to ensure their integrity.
BOUNCER continuously monitors network and user access to applications on each protected system.
In conjunction with enforcing which applications can run with respect to the whitelist, an event is generated
and logged any time a policy violation attempt occurs. This valuable information can be forwarded as an
immediate email alert or rolled up into a report on a daily, weekly, or quarterly basis for compliance reporting.
Through this information, you can determine which systems are seeing the most activity and react
accordingly. In all cases you have peace of mind knowing BOUNCER is maintaining the configuration
and protection you need.
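The lock-down described under "Develop and maintain secure systems and applications" and the policy-violation events described in this section, as one added example (not CoreTrace code): a baseline allowlist is built by hashing every executable present at lock time; afterwards an execution request is permitted only if its content hash is in the baseline, and every denial is recorded as an event that can be formatted for an alert or rolled up per host for a report. An administrator-approved update retires the old hash and admits the new one. File contents, paths, hostnames and timestamps are constructed.

```python
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: dict) -> dict:
    """Lock the system as it stands: record path -> SHA-256 of every executable present."""
    return {path: sha256_hex(content) for path, content in files.items()}


class Enforcer:
    """Execution gate for one host (a user-space stand-in for the kernel-resident check)."""

    def __init__(self, host: str, allowlist: dict):
        self.host = host
        self.allowlist = dict(allowlist)
        self.allowed_hashes = set(self.allowlist.values())
        self.events = []  # one policy-violation event per denied attempt

    def request_exec(self, path: str, content: bytes, when: str, user: str) -> bool:
        """Return True if the file may run; otherwise record a violation and return False."""
        digest = sha256_hex(content)
        if digest in self.allowed_hashes:  # matched by content, so how it arrived is irrelevant
            return True
        # A known path carrying a new hash means an approved binary was overwritten.
        reason = "modified_file" if path in self.allowlist else "unknown_file"
        self.events.append({"time": when, "host": self.host, "user": user,
                            "path": path, "sha256": digest, "reason": reason})
        return False

    def approve_update(self, path: str, content: bytes) -> None:
        """Administrator-approved change (e.g. a patch): old version retired, new one allowed."""
        self.allowlist[path] = sha256_hex(content)
        self.allowed_hashes = set(self.allowlist.values())


def format_event(event: dict) -> str:
    """One line per violation, suitable for an immediate alert or a periodic report."""
    return (f'{event["time"]} host={event["host"]} user={event["user"]} action=DENY '
            f'reason={event["reason"]} path={event["path"]} sha256={event["sha256"][:16]}')


def rollup(enforcers) -> Counter:
    """Violations per host, so the systems seeing the most activity surface first."""
    return Counter({enf.host: len(enf.events) for enf in enforcers})


# Constructed baseline: short byte strings stand in for real executable contents.
BASELINE = {"/opt/pos/posd": b"posd-v1", "/bin/sh": b"sh-bin", "/usr/bin/cat": b"cat-bin"}

if __name__ == "__main__":
    enf = Enforcer("pos-01", build_allowlist(BASELINE))
    enf.request_exec("/opt/pos/posd", b"posd-v1", "2008-10-09T10:00:00Z", "svc")            # allowed
    enf.request_exec("/tmp/unknown.bin", b"not-in-baseline", "2008-10-09T10:01:00Z", "svc")  # denied
    enf.request_exec("/opt/pos/posd", b"posd-tampered", "2008-10-09T10:02:00Z", "svc")       # denied
    for e in enf.events:
        print(format_event(e))
    print(rollup([enf]))
```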


A Single Product that Meets Multiple Requirements

The PCI DSS provides an excellent set of requirements for measuring security compliance. BOUNCER can
help you meet several of these requirements by enforcing and maintaining the configuration of your PCI
systems — with proven efficacy and without impacting system performance. By protecting the operating
system and PCI applications from compromise, you have ensured the system configuration will not change,
thus meeting key DSS requirements and helping assure the systems function efficiently and securely.




www.coretrace.com  •  P  512-592-4100  •  F  512-592-4101  •  6500 River Place Boulevard, Building 2, Suite 105, Austin, Texas 78730
© 2008 CoreTrace Corporation. Trademarks are the property of their respective owners. Rev. 20081009
