Whitepaper Abstract The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of the information they protect. In response to this threat, the PCI has produced an excellent series of process and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series of principles and accompanying requirements that are critical to the integrity of the industry's computer systems. This paper outlines relevant PCI DSS requirements and discusses how BOUNCER by CoreTrace provides an elegant solution for meeting many of the requirements — in any PCI environment with sensitive data, from large servers processing thousands of transactions to small kiosks in the mall.

1. ®
TM
Regulatory Compliance
Protecting PCI Systems and Data
The Payment Card Industry (PCI) computer systems are continually under attack due to the importance of
the information they protect. In response to this threat, the PCI has produced an excellent series of process
and security tool requirements known as the Data Security Standard (DSS). The DSS identifies a series
of principles and accompanying requirements that are critical to the integrity of the industry’s computer
systems. The standard takes a multi-faceted approach to protecting payment card information to include
securing the systems the data resides within, controlling access to the systems and cardholder data, and
protecting the cardholder data itself. BOUNCER by CoreTrace ™ provides an elegant solution for meeting
many of these requirements. It can be used in any PCI environment with sensitive data, from large servers
processing thousands of transactions to small kiosks in the mall. This paper provides a short overview of
the BOUNCER ™ product and a discussion of the relevant PCI DSS requirements where the product provides
a solution.
Meeting the PCI Data Security Standard (DSS) with BOUNCER
The DSS applies to all system components wherein a Primary Account PCI DSS Requirements:
Number is stored, processed, or transmitted. There are 12 major
Build and maintain a secure network
requirements within the DSS that are arranged under 6 major cat-
01: Install and maintain a firewall
egories (see sidebar). configuration
02: Do not use vendor supplied defaults
BOUNCER is an endpoint security solution that maintains the con-
figuration and integrity of critical computer systems. This solution Protect cardholder data
03: Protect stored data
protects the computer from both internal and external changes by 04: Encrypt transmitted data
ensuring that only approved, vetted applications can execute by
Maintain a vulnerability-management
enforcing an application whitelist. The enforcement mechanism
system
resides within the operating system kernel, making it the most tamper 05: Use and maintain antivirus
-proof security solution available. BOUNCER is an enterprise-class 06: Develop and maintain secure systems
product providing centralized management, secure command and Implement strong access-control
control channels, and robust infrastructure for high availability and measures
failover. The sections below explain how BOUNCER meets specific 07: Restrict access by need-to-know
08: Assign a unique ID to all users
DSS requirements. 09: Restrict physical access
One of BOUNCER’s strongest capabilities is the ability to ‘lock down’ Regularly monitor and test networks
and maintain the configuration of a system, even when that system 10: Track and monitor access to data
11: Regularly test security systems
has known vulnerabilities. As will be explained in the following
sections, BOUNCER should be considered for any PCI security Maintain an information security policy
initiative due to the system’s proven anti-malware capabilities (in- 12: Maintain a written policy
cluding the ability to stop root kits and memory exploits) and its
strong ability to prevent the addition of unauthorized applications.

2. ®
TM
Use or regularly update antivirus or other programs
Data or applications can be corrupted via viruses and malware that enter the PCI system through email
attachments, accessing compromised websites, and injected via software vulnerabilities. BOUNCER
stops this type of application assault and more. The application whitelisting technology keeps track of
the applications you want to run, so regardless of how a piece of malicious software enters your network,
it will not be on the list or run. Because it is not based on detecting the malicious software via a signature,
your system is protected against ‘zero-day’ threats and is always up to date, relieving you from the duty
of regularly updating antivirus or malware signatures. Because of its unique design and location in the
operating system kernel, BOUNCER also provides protection against sophisticated attacks, including
root kits and memory exploits such as DLL injections. Finally, BOUNCER has an extremely small disk
space and memory ‘footprint’ on protected computer system compared to other antivirus and anti-
malware alternatives, freeing up resources for PCI processing.
Develop and maintain secure systems and applications
This requirement focuses on the task of keeping PCI systems up-to date with the latest security patches.
One of the primary reasons for constantly patching systems is to address the security flaws in the oper-
ating system or its applications. These flaws or vulnerabilities are used by an employee, an automated
‘bot’, or an outsider to access and potentially modify the cardholder data or the system. As mentioned
previously, BOUNCER uses a unique variation of application whitelisting to solve this problem.
A whitelist of known files is created from the PCI system itself and then used to ‘lock’ the system in that con-
figuration, preventing any further modification until desired by the BOUNCER administrator. Executable
files not included in the whitelist cannot run regardless of how they got there. Thus, a malware program
or virus deposited on the system via a vulnerability exploitation is stopped. Likewise, a program copied
to the system by the user, either intentionally or unintentionally, which is not on the whitelist, cannot
run. Through BOUNCER, a process of checks and balances is introduced protecting your critical
PCI systems. Perhaps more importantly, the systems are protected against ‘zero-day’ attacks because
newly announced vulnerabilities do not introduce new risk. The systems can be patched the next time
a configuration change or software update is desired.
A Single Product that Meets Multiple Requirements
The PCI DSS provides an excellent set of requirements for measuring security compliance. BOUNCER can
help you meet several of these requirements by enforcing and maintaining the configuration of your PCI
systems — with proven efficacy and without impacting system performance. By protecting the operating
system and PCI applications from compromise, you have ensured the system configuration will not change,
thus meeting key DSS requirements and helping assure the systems function efficiently and securely.
www.coretrace.com • P 512-592-4100 • F 512-592-4101 • 6500 River Place Boulevard, Building 2, Suite 105, Austin, Texas 78730
© 2009 CoreTrace Corporation. Trademarks are the property of their respective owners. Rev. 20090914