Ten Actions Merchants Must Take Immediately To Avoid PCI Failure


Published on

The Impact of the New PCI-DSS Compliance Rules Issued on March 15, 2010 -- netVigilance, Inc., the only vulnerability assessment and PCI Approved Scanning Vendor (ASV) vendor that goes Beyond Compliance to detect up to 97% of
all common vulnerabilities, today issued an urgent bulletin warning all merchants and retailers subject to PCI-DSS Compliance that new PCI regulations significantly increase their chances of PCI failure during mandatory quarterly external vulnerability scans, unless the merchants take
corrective actions. While these new regulations officially go into effect on September 1, 2010, preparing for them can take months. The time to start is now, because merchants who wait will be at a high risk of failing and being unable
to quickly remediate.

The need for this bulletin arose because on March 15, 2010, the PCI Security Standards
Council’s (PSI SSC) released “ASV Program Guide v1.0,” which tightens and changes existing rules governing both customers requiring PCI scans and the Approved Scanning Vendors (ASVs) who perform those scans. netVigilance also calls attention to the fact that, despite being numbered as v1.0, the new ASV Program Guide governs PCI v1.2 and enhances, improves and
supersedes the Technical and Operation Requirements for ASVs v1.1 and Security Scanning Procedures v1.1.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ten Actions Merchants Must Take Immediately To Avoid PCI Failure

  1. 1. Ten Actions Merchants Must Take Immediately To Avoid PCI Failure The Impact of the New PCI Compliance Rules Issued on March 15, 2010
  2. 2. 1. Identify & verify out-of-scope components <ul><li>New discovery rules make formerly out-of-scope components in-scope </li></ul><ul><li>Identify & verify before quarterly scan fails </li></ul><ul><li>Examples: </li></ul><ul><ul><li>Spam filters </li></ul></ul><ul><ul><li>Mail servers </li></ul></ul><ul><ul><li>Web servers that don’t process credit cards </li></ul></ul>
  3. 3. 2. Prove your ISP complies with PCI <ul><li>Your ISP can pass by itself; or </li></ul><ul><li>You need their permission to scan them </li></ul><ul><li>Otherwise, get a new ISP </li></ul><ul><li>Ultimately, the responsibility is yours, not your ISP’s </li></ul>
  4. 4. 3. Take all secure database servers off the Internet and place them behind a firewall <ul><li>If any secure database server remains publicly accessible, you will automatically fail PCI </li></ul>
  5. 5. 4. Scan your website for HTTP response splitting/header injection <ul><li>Be prepared to remediate all problems found </li></ul>
  6. 6. 5. Verify that your DNS server prohibits zone transfers <ul><li>Zone transfers allow unaffiliated, unapproved third parties to see and obtain all the servers comprising your domain </li></ul><ul><li>If someone else hosts your domain, you are still responsible </li></ul><ul><li>Consequence of allowed zone transfers is automatic PCI failure </li></ul>
  7. 7. 6. Ensure your ASV uses a PCI-qualified Professional Security Engineer to review each and every scan <ul><li>ASVs often use fully automated processes </li></ul><ul><li>These automated processes are never acceptable under the new rules </li></ul><ul><li>To pass PCI you must use an ASV that adheres to the new rules </li></ul>
  8. 8. 7. Turn off SSL v2 <ul><li>Next, ensure that servers using TLS v1.0 or newer are not backwards compatible with the weak SSL v2 </li></ul><ul><li>Use a qualified ASV to verify and remediate </li></ul>
  9. 9. 8. Remove all non-critical uses of all remote access software <ul><li>Examples: </li></ul><ul><ul><li>pcAnywhere </li></ul></ul><ul><ul><li>VNC </li></ul></ul><ul><ul><li>RDP </li></ul></ul><ul><ul><li>Even VPN </li></ul></ul><ul><li>For critical uses: </li></ul><ul><ul><li>Ensure strong authentication </li></ul></ul>
  10. 10. 9. Move all POS (Point-of-Sale) systems behind the firewall <ul><li>ASVs that discover POS systems are now required to pay special attention to them </li></ul>
  11. 11. 10. Named employees must sign and attest to their company’s responsibility <ul><li>Attestation concerns proper scoping of the external scan </li></ul><ul><li>Attestation can no longer be anonymous </li></ul>
  12. 12. netVigilance Key Advantages <ul><li>Beyond Compliance™ Compliance is simply not enough. It is a minimum, rather than a maximum standard. Only netVigilance detects up to 97% of all common vulnerabilities, far more than competitors. </li></ul><ul><li>Labor- and Time-Saving Reports Our reports provide a wealth of specific detail on precisely how to remediate the vulnerabilities we detect. Instead of spending time researching a fix, engineers and support personnel spend their time making the fix. </li></ul>
  13. 13. For More Information <ul><li>netVigilance, Inc. 14525 SW Millikan #34423 Beaverton, OR, USA 97005-2343 (+1) 503-524-5758 </li></ul><ul><li>PR & Analyst Contact: Steven Mason </li></ul><ul><ul><li>[email_address] </li></ul></ul><ul><ul><li>(+1) 650-776-7968 </li></ul></ul>