Regulatory Compliance
Protecting PCI Systems and Data



Payment Card Industry (PCI) computer systems are continually under attack due to the importance of
the information they protect. In response to this threat, the PCI has produced an excellent series of process
and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series
of principles and accompanying requirements that are critical to the integrity of the industry’s computer
systems. The standard takes a multi-faceted approach to protecting payment card information, including
securing the systems the data resides within, controlling access to the systems and cardholder data, and
protecting the cardholder data itself. BOUNCER™ by CoreTrace provides an elegant solution for meeting
many of these requirements. It can be used in any PCI environment with sensitive data, from large servers
processing thousands of transactions to small kiosks in the mall. This paper provides a short overview of
the BOUNCER™ product and a discussion of the relevant PCI DSS requirements where the product provides
a solution.


Meeting the PCI Data Security Standard (DSS) with BOUNCER

The DSS applies to all system components wherein a Primary Account Number is stored, processed, or
transmitted. There are 12 major requirements within the DSS that are arranged under 6 major categories
(see sidebar).

BOUNCER is an endpoint security solution that maintains the configuration and integrity of critical
computer systems. This solution protects the computer from both internal and external changes by
ensuring that only approved, vetted applications can execute, by enforcing an application whitelist. The
enforcement mechanism resides within the operating system kernel, making it the most tamper-proof
security solution available. BOUNCER is an enterprise-class product providing centralized management,
secure command and control channels, and robust infrastructure for high availability and failover. The
sections below explain how BOUNCER meets specific DSS requirements.

One of BOUNCER’s strongest capabilities is the ability to ‘lock down’ and maintain the configuration of a
system, even when that system has known vulnerabilities. As will be explained in the following sections,
BOUNCER should be considered for any PCI security initiative due to the system’s proven anti-malware
capabilities (including the ability to stop rootkits and buffer overflow exploits), strong ability to prevent
the addition of unauthorized applications, along with a built-in network filtering option.

Sidebar: PCI DSS Requirements

Build and maintain a secure network
    01: Install and maintain a firewall configuration
    02: Do not use vendor-supplied defaults
Protect cardholder data
    03: Protect stored data
    04: Encrypt transmitted data
Maintain a vulnerability-management system
    05: Use and maintain antivirus
    06: Develop and maintain secure systems
Implement strong access-control measures
    07: Restrict access by need-to-know
    08: Assign a unique ID to all users
    09: Restrict physical access
Regularly monitor and test networks
    10: Track and monitor access to data
    11: Regularly test security systems
Maintain an information security policy
    12: Maintain a written policy
Use and regularly update antivirus or other programs

Data or applications can be corrupted by viruses and malware that enter the PCI system through email
attachments, compromised websites, or software vulnerabilities. BOUNCER stops this type of application
assault and more. The application whitelisting technology keeps track of the applications you want to run,
so regardless of how a piece of malicious software enters your network, it will not be on the list and will
not run. Because it does not depend on detecting malicious software via a signature, your system is
protected against ‘zero-day’ threats and is always up to date, relieving you of the duty of regularly
updating antivirus or malware signatures. Because of its unique design and location in the operating
system kernel, BOUNCER also provides protection against sophisticated attacks, including rootkits and
memory exploits such as buffer overflows. Finally, BOUNCER has an extremely small disk space and
memory ‘footprint’ on protected computer systems compared to other antivirus and anti-malware
alternatives, freeing up resources for PCI processing.

Develop and maintain secure systems and applications

This requirement focuses on the task of keeping PCI systems up to date with the latest security patches.
One of the primary reasons for constantly patching systems is to address the security flaws in the
operating system or its applications. These flaws or vulnerabilities are used by an employee, an automated
‘bot’, or an outsider to access and potentially modify the cardholder data or the system. As mentioned
previously, BOUNCER uses a unique variation of application whitelisting to solve this problem.
A whitelist of known files is created from the PCI system itself and then used to ‘lock’ the system in that
configuration, preventing any further modification until desired by the BOUNCER administrator. Executable
files not included in the whitelist cannot run regardless of how they got there. Thus, a malware program
or virus deposited on the system via a vulnerability exploitation is stopped. Likewise, a program copied
to the system by the user, either intentionally or unintentionally, which is not on the whitelist, cannot
run. Through BOUNCER, a process of checks and balances is introduced that protects your critical
PCI systems. Perhaps more importantly, the systems are protected against ‘zero-day’ attacks because
newly announced vulnerabilities do not introduce new risk. The systems can be patched the next time
a configuration change or software update is desired.

Install and maintain a firewall configuration

A large portion of this requirement is devoted to limiting access to PCI networks and systems through
the use of firewall technology. In addition to the network-based firewalls and the creation of a
‘demilitarized zone’ (DMZ) within the PCI network as described in the DSS, BOUNCER can provide an added
level of protection on each system. While BOUNCER is not a network firewall itself, each endpoint
protected by the BOUNCER client contains a centrally managed, host-based stateless network firewall.
Like the network firewall recommendations in the DSS, this filter can be tailored by protocol, port, or IP
addresses for both inbound and outbound traffic separately. This provides an unequaled level of
flexibility. It is easy to change the filter rules, as well as quickly see all the rules in effect across your PCI
network. Through BOUNCER you can manage and control access to each system with a fine degree
of detail, while still securely managing the enterprise from a central location.
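The host-based stateless filter described in this section (rules keyed on protocol, port and IP address, kept separately for inbound and outbound traffic, with a central view of the rules in effect) is modelled below in Python as an added example. It is not CoreTrace code and makes no claim about BOUNCER's rule syntax or internals; the kiosk policy, the admin subnet and the payment-gateway range are constructed values drawn from documentation address ranges.

```python
"""Added example (not CoreTrace code): a stateless, per-host packet filter with
inbound and outbound rules matched on protocol, destination port and remote address."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str                # "in" (arriving at this host) or "out" (leaving it)
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    remote: Optional[str] = None  # CIDR matched against the remote address; None = any
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        # The "remote" side is the source of inbound traffic and the destination of outbound.
        remote_addr = pkt.src if pkt.direction == "in" else pkt.dst
        if self.remote is not None and ip_address(remote_addr) not in ip_network(self.remote):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class HostFilter:
    """First matching rule wins; anything unmatched gets the default action.

    Stateless: each packet is judged on its own, so replies to a permitted
    outbound connection are only admitted if an inbound rule covers them.
    """

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules = rules
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default

    def rules_in_effect(self) -> List[str]:
        """One line per rule: the view an administrator would review centrally."""
        return [
            f"{r.direction:3} {r.action:5} proto={r.proto or 'any'} "
            f"remote={r.remote or 'any'} dport={r.dport if r.dport is not None else 'any'}"
            for r in self.rules
        ]


# Constructed policy for a payment kiosk (documentation address ranges): the admin
# subnet 10.10.0.0/16 may reach SSH; the kiosk may speak HTTPS to the payment
# gateway range 203.0.113.0/24 and DNS to one resolver; everything else is denied.
KIOSK_RULES = [
    Rule("in", "allow", proto="tcp", remote="10.10.0.0/16", dport=22),
    Rule("out", "allow", proto="tcp", remote="203.0.113.0/24", dport=443),
    Rule("out", "allow", proto="udp", remote="10.10.0.53/32", dport=53),
]
kiosk_filter = HostFilter(KIOSK_RULES)


def check(direction: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Evaluate one packet against the kiosk policy and return "allow" or "deny"."""
    return kiosk_filter.decide(Packet(direction, proto, src, dst, dport))


if __name__ == "__main__":
    print("\n".join(kiosk_filter.rules_in_effect()))
    print(check("in", "tcp", "10.10.5.7", "10.20.1.15", 22))        # allow: admin subnet to SSH
    print(check("in", "tcp", "198.51.100.9", "10.20.1.15", 22))     # deny: outside admin subnet
    print(check("out", "tcp", "10.20.1.15", "203.0.113.10", 443))   # allow: HTTPS to gateway
    print(check("in", "tcp", "203.0.113.10", "10.20.1.15", 51234))  # deny: reply not covered by an inbound rule
```

The last case is the practical consequence of a stateless filter that the section's wording does not spell out: because no connection state is kept, return traffic for an allowed outbound session is judged as an independent inbound packet, so the inbound rule list must be written with those replies in mind rather than relying on the outbound allow.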
Regularly monitor and test networks

Even the most secure networks need to be monitored on a regular basis to ensure their integrity.
BOUNCER continuously monitors network and user access to applications on each protected system.
In conjunction with enforcing which applications can run with respect to the whitelist, an event is generated
and logged any time a policy violation attempt occurs. This valuable information can be forwarded as an
immediate email alert or rolled up into a report on a daily, weekly, or quarterly basis for compliance reporting.
Through this information, you can determine which systems are seeing the most activity and react
accordingly. In all cases you have peace of mind knowing BOUNCER is maintaining the configuration
and protection you need.
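The whitelisting model described in the antivirus, secure-systems and monitoring sections above (generate the list from the system's own executables, lock it, refuse anything not on it or altered since baseline, and log every refused attempt so it can be alerted on or rolled up per host) is modelled below in Python as an added example. It is not CoreTrace code and makes no claim about how BOUNCER is implemented: the kernel-level enforcement hook the paper describes is stood in for by a plain method call, and the host name, file paths and file contents are constructed inline.

```python
"""Added example (not CoreTrace code): baseline-and-lock application whitelisting
with a per-host violation event log, modelled in pure Python."""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Identify a file by the hash of its contents, not by its name or path."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Whitelist:
    """Approved executables as path -> SHA-256, plus a lock flag.

    The list is generated from the system itself and then locked; while locked,
    no entry can be added or changed, so the host keeps its vetted configuration.
    """
    entries: Dict[str, str] = field(default_factory=dict)
    locked: bool = False

    @classmethod
    def baseline(cls, filesystem: Dict[str, bytes]) -> "Whitelist":
        # Snapshot every executable present at baseline time as 'known good'.
        return cls(entries={path: sha256_hex(data) for path, data in filesystem.items()})

    def approve(self, path: str, data: bytes) -> None:
        # Administrator-driven change (e.g. applying a patch). Refused while locked.
        if self.locked:
            raise PermissionError(f"whitelist is locked; cannot approve {path}")
        self.entries[path] = sha256_hex(data)


@dataclass
class Event:
    """One denied execution attempt: the unit that is alerted on or reported."""
    time: str
    host: str
    path: str
    reason: str

    def to_json(self) -> str:
        return json.dumps(self.__dict__, sort_keys=True)


class Enforcer:
    """Per-host execution gate; stands in for the kernel hook in this model."""

    def __init__(self, host: str, whitelist: Whitelist) -> None:
        self.host = host
        self.whitelist = whitelist
        self.events: List[Event] = []

    def may_execute(self, path: str, data: bytes) -> bool:
        """Allow only files whose path and contents both match the whitelist."""
        expected = self.whitelist.entries.get(path)
        if expected is None:
            return self._deny(path, "not on whitelist")
        if sha256_hex(data) != expected:
            # Known path, altered contents: a replaced or tampered binary.
            return self._deny(path, "hash mismatch")
        return True

    def _deny(self, path: str, reason: str) -> bool:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.events.append(Event(stamp, self.host, path, reason))
        return False


def violations_by_host(enforcers: List[Enforcer]) -> Dict[str, int]:
    """Roll denied attempts up per host, as a periodic compliance report would."""
    return dict(Counter(ev.host for e in enforcers for ev in e.events))


def demo() -> List[Enforcer]:
    # Constructed filesystem snapshot for one kiosk: two approved executables.
    kiosk_fs = {"/opt/pos/terminal": b"POS terminal build 1", "/usr/sbin/sshd": b"sshd build 7"}
    wl = Whitelist.baseline(kiosk_fs)
    wl.locked = True
    kiosk = Enforcer("kiosk-01", wl)

    kiosk.may_execute("/opt/pos/terminal", kiosk_fs["/opt/pos/terminal"])  # approved, runs
    kiosk.may_execute("/tmp/update.exe", b"unapproved installer")           # not listed, denied
    kiosk.may_execute("/usr/sbin/sshd", b"sshd build 7 + implant")          # tampered copy, denied

    try:
        wl.approve("/tmp/update.exe", b"unapproved installer")  # refused while locked
    except PermissionError:
        pass
    wl.locked = False                                   # admin unlocks for a scheduled patch
    wl.approve("/usr/sbin/sshd", b"sshd build 8")       # the vetted patch becomes the new baseline
    wl.locked = True
    kiosk.may_execute("/usr/sbin/sshd", b"sshd build 8")  # now allowed
    return [kiosk]


if __name__ == "__main__":
    enforcers = demo()
    for ev in enforcers[0].events:
        print(ev.to_json())
    print(violations_by_host(enforcers))
```

The hash comparison is what makes the "same path, modified contents" case a denial rather than a pass: a whitelist keyed on names alone would accept a replaced binary, which is exactly the gap the paper's rootkit and tampering claims depend on closing.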


A Single Product that Meets Multiple Requirements

The PCI DSS provides an excellent set of requirements for measuring security compliance. BOUNCER can
help you meet several of these requirements by enforcing and maintaining the configuration of your PCI
systems — with proven efficacy and without impacting system performance. By protecting the operating
system and PCI applications from compromise, you have ensured the system configuration will not change,
thus meeting key DSS requirements and helping assure the systems function efficiently and securely.




                                     www.coretrace.com  •  P  512-592-4100  •  F  512-592-4101  •  6500 River Place Boulevard, Building 2, Suite 105, Austin, Texas 78730
© 2008 CoreTrace Corporation. Trademarks are the property of their respective owners. Rev. 20081009
