CoreTrace Whitepaper: Protecting PCI Systems And Data

Whitepaper Abstract
The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of the information they protect. In response to this threat, the PCI has produced an excellent series of process and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series of principles and accompanying requirements that are critical to the integrity of the industry's computer systems.

This paper outlines relevant PCI DSS requirements and discusses how BOUNCER by CoreTrace provides an elegant solution for meeting many of the requirements — in any PCI environment with sensitive data, from large servers processing thousands of transactions to small kiosks in the mall.

Regulatory Compliance
Protecting PCI Systems and Data

The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of the information they protect. In response to this threat, the PCI has produced an excellent series of process and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series of principles and accompanying requirements that are critical to the integrity of the industry's computer systems. The standard takes a multi-faceted approach to protecting payment card information, including securing the systems the data resides within, controlling access to the systems and cardholder data, and protecting the cardholder data itself.

BOUNCER by CoreTrace provides an elegant solution for meeting many of these requirements. It can be used in any PCI environment with sensitive data, from large servers processing thousands of transactions to small kiosks in the mall. This paper provides a short overview of the BOUNCER product and a discussion of the relevant PCI DSS requirements where the product provides a solution.

Meeting the PCI Data Security Standard (DSS) with BOUNCER

The DSS applies to all system components wherein a Primary Account Number is stored, processed, or transmitted. There are 12 major requirements within the DSS that are arranged under 6 major categories (see sidebar).

Sidebar: PCI DSS Requirements

Build and maintain a secure network
01: Install and maintain a firewall configuration
02: Do not use vendor-supplied defaults

Protect cardholder data
03: Protect stored data
04: Encrypt transmitted data

Maintain a vulnerability-management program
05: Use and maintain antivirus
06: Develop and maintain secure systems

Implement strong access-control measures
07: Restrict access by need-to-know
08: Assign a unique ID to all users
09: Restrict physical access

Regularly monitor and test networks
10: Track and monitor access to data
11: Regularly test security systems

Maintain an information security policy
12: Maintain a written policy

BOUNCER is an endpoint security solution that maintains the configuration and integrity of critical computer systems. It protects the computer from both internal and external changes by enforcing an application whitelist, so that only approved, vetted applications can execute. The enforcement mechanism resides within the operating system kernel, which makes it far harder to disable or bypass than a user-mode security agent. BOUNCER is an enterprise-class product providing centralized management, secure command and control channels, and robust infrastructure for high availability and failover. The sections below explain how BOUNCER meets specific DSS requirements.

One of BOUNCER's strongest capabilities is the ability to 'lock down' and maintain the configuration of a system, even when that system has known vulnerabilities. As explained in the following sections, BOUNCER should be considered for any PCI security initiative due to its proven anti-malware capabilities (including the ability to stop rootkits and memory exploits) and its strong ability to prevent the addition of unauthorized applications.

Use or regularly update antivirus or other programs (DSS Requirement 5)

Data or applications can be corrupted by viruses and malware that enter the PCI system through email attachments, visits to compromised websites, or injection via software vulnerabilities. BOUNCER stops this type of application assault and more. The application whitelisting technology keeps track of the applications you want to run, so regardless of how a piece of malicious software enters your network, it will not be on the list and will not run. Because protection does not depend on detecting the malicious software by signature, the system is protected against 'zero-day' threats and is always up to date, relieving you of the duty of regularly updating antivirus or malware signatures. Because of its design and its location in the operating system kernel, BOUNCER also provides protection against sophisticated attacks, including rootkits and in-memory attacks such as DLL injection. Finally, BOUNCER has an extremely small disk space and memory 'footprint' on the protected computer system compared to other antivirus and anti-malware alternatives, freeing up resources for PCI processing.

Develop and maintain secure systems and applications (DSS Requirement 6)

This requirement focuses on the task of keeping PCI systems up to date with the latest security patches. One of the primary reasons for constantly patching systems is to address security flaws in the operating system or its applications. These flaws, or vulnerabilities, are used by an employee, an automated 'bot', or an outsider to access and potentially modify the cardholder data or the system. As mentioned previously, BOUNCER uses a variation of application whitelisting to address this problem. A whitelist of known files is created from the PCI system itself and then used to 'lock' the system in that configuration, preventing any further modification until the BOUNCER administrator chooses to allow it.
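The baseline-then-lock mechanism described above, as an added example that is not CoreTrace's or BOUNCER's code: a small user-space model that (1) builds a whitelist of path-plus-SHA-256 entries from the files already on the system and (2) makes the execute-time decision against it. It also goes one step beyond the text by showing an administrator-approved patch and one known limit of file-based whitelisting (a listed interpreter handed an unlisted script is still "allowed"). All paths, file names and file contents are constructed for the demo; the real product enforces in the kernel, and a product may key its list by hash only rather than path plus hash.

```python
"""Added example (not CoreTrace/BOUNCER code): user-space model of an
application whitelist built from the system itself and then 'locked'.
All files and contents below are constructed for the demo."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Phase 1: record (resolved path -> sha256) for every regular file
    under root. Symlinks and special files are skipped so a link that is
    later re-pointed at malware cannot inherit a whitelist entry."""
    baseline: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not stat.S_ISREG(p.lstat().st_mode):
                continue
            baseline[str(p.resolve())] = sha256_file(p)
    return baseline


def check_exec(baseline: dict[str, str], path) -> tuple[bool, str]:
    """Phase 2: the execute-time decision. A file may run only if its
    resolved path is listed AND its current bytes hash to the listed
    value, so both a newly dropped file and a modified listed file are
    denied regardless of how they got there."""
    p = Path(path)
    if not p.is_file():
        return False, "no such file"
    expected = baseline.get(str(p.resolve()))
    if expected is None:
        return False, "not on whitelist"
    if sha256_file(p) != expected:
        return False, "hash mismatch"
    return True, "allowed"


def approve(baseline: dict[str, str], path) -> None:
    """The administrator explicitly unlocks one change (a patch or a new
    release). Re-running build_baseline on a possibly compromised host
    would instead bake any dropped malware into the list."""
    p = Path(path)
    baseline[str(p.resolve())] = sha256_file(p)


def demo() -> dict[str, str]:
    """Run the cases the whitepaper discusses; return the verdict per case."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        app = root / "bin" / "posapp"      # constructed 'PCI application'
        helper = root / "bin" / "helper"
        interp = root / "bin" / "interp"   # constructed script interpreter
        app.write_bytes(b"POS application v1")
        helper.write_bytes(b"helper v1")
        interp.write_bytes(b"interpreter v1")
        baseline = build_baseline(root)     # lock the golden configuration

        # 1. Unmodified listed file: runs.
        results["clean_app"] = check_exec(baseline, app)[1]

        # 2. Malware dropped after lock (exploit, email, USB): not listed.
        dropper = root / "dropper"
        dropper.write_bytes(b"malware")
        results["dropped_malware"] = check_exec(baseline, dropper)[1]

        # 3. Listed file trojaned in place: path matches, bytes do not.
        helper.write_bytes(b"helper v1 + backdoor")
        results["trojaned_helper"] = check_exec(baseline, helper)[1]

        # 4. Listed binary copied to a new path: denied under path+hash.
        copy = root / "posapp_copy"
        copy.write_bytes(app.read_bytes())
        results["copied_app"] = check_exec(baseline, copy)[1]

        # 5. Limit: only the interpreter binary is examined, so a listed
        #    interpreter is allowed even when its script argument is not.
        (root / "evil.script").write_bytes(b"rm -rf /")
        results["interp_with_unlisted_script"] = check_exec(baseline, interp)[1]

        # 6. Vendor patch: denied until the administrator approves it,
        #    and approving it does not whitelist the dropper.
        app.write_bytes(b"POS application v1.1")
        results["patched_before_approval"] = check_exec(baseline, app)[1]
        approve(baseline, app)
        results["patched_after_approval"] = check_exec(baseline, app)[1]
        results["dropper_still_denied"] = check_exec(baseline, dropper)[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

Case 5 is the reason a file whitelist is usually paired with controls on interpreters, macros and script hosts, and case 6 is why re-baselining a live system should never replace per-change approval.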
Executable files not included in the whitelist cannot run regardless of how they got there. Thus, a malware program or virus deposited on the system through vulnerability exploitation is stopped. Likewise, a program copied to the system by a user, intentionally or unintentionally, which is not on the whitelist, cannot run. Through BOUNCER, a process of checks and balances is introduced that protects your critical PCI systems. Perhaps more importantly, the systems gain protection against 'zero-day' attacks, because a newly announced vulnerability that can only be exploited by running an unlisted executable introduces no new risk; the systems can then be patched at the next planned configuration change or software update. Note, however, that whitelisting narrows the window of exposure rather than removing it: an exploit that runs entirely inside an already-whitelisted process, or a whitelisted interpreter handed a malicious script, adds no new executable and is not blocked by the file whitelist, and the DSS still requires critical security patches to be installed within one month of release (Requirement 6.1).

A Single Product that Meets Multiple Requirements

The PCI DSS provides an excellent set of requirements for measuring security compliance. BOUNCER can help you meet several of these requirements by enforcing and maintaining the configuration of your PCI systems, with proven efficacy and without impacting system performance. By protecting the operating system and PCI applications from compromise, you ensure the system configuration will not change, thus meeting key DSS requirements and helping assure that the systems function efficiently and securely.

www.coretrace.com  •  P 512-592-4100  •  F 512-592-4101  •  6500 River Place Boulevard, Building 2, Suite 105, Austin, Texas 78730
© 2009 CoreTrace Corporation. Trademarks are the property of their respective owners. Rev. 20090914
