Essentials of PCI Assessment: Succeeding with Gazzang
Mike Frank, Director of Products, Gazzang

Overview
- Benefits of the cloud
- What to expect: preparing for an audit
- The Gazzang data security solution
- Mapping into the 12 PCI sections
- Examples/ideas before your PCI audit
- Q&A
7/13/2011
Cloud Adoption 101
PCI (Payment Card Industry)
- Created by the major credit card brands (through the PCI Security Standards Council) to:
  - Protect personal information
  - Ensure security when transactions are processed
- Members of the payment card industry (financial institutions, credit card companies and merchants) are required to comply with these standards
- Failure to meet the compliance standards can result in:
  - Fines from credit card companies and banks
  - Loss of the ability to process credit cards

PCI DSS
- PCI (Payment Card Industry) DSS (Data Security Standard)
- The PCI assessment process focuses solely on the security of cardholder data:
  - Has the company effectively implemented information security policies and processes?
  - Are there adequate security measures that comply with the requirements to protect cardholder data?

PCI Assessments
- Determine whether you are employing payment industry best practices
- An assessment results in recommendations and remediation for:
  - Processes
  - Procedures
  - System configurations
  - Vulnerabilities
- In short: the "fixes" needed to comply
What is Gazzang's ezNcrypt for MySQL?
- Installed on a cloud database server
- Sits between the storage engine and the file system
- Encrypts data before it hits the disk
Key Storage System (KSS)
- Gazzang's KSS service runs in the cloud (East and West regions currently)
- Highly available; load-balanced with F5
- Answers the question "Where do I store my key?"
- Multiple layers of security ensure that your key is protected and available when you need it
- Because the key lives off the database host, a stolen disk or image carries ciphertext but not the key

PCI Security Problems Gazzang Helps Solve
- Unauthorized attempts to read data from the database files
- Theft of the data files
- Tampering with data
- Protection of data on tapes and backups
- Data at rest: protecting disks in case physical hardware is stolen or incorrectly disposed of
- Key protection: automated, zero-maintenance key management
- Encrypts, protects and secures MySQL
The PCI "12"
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords; develop configuration standards
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Systems should be tested to ensure security is maintained over time and through changes
12. Maintain an information security policy

1 Install and maintain a firewall
The auditor will inspect:
- System/firewall configurations
- Your network diagram
Several options can be provided by the cloud host, for example:
- Fortinet firewall
- Cisco ASA 5510 dedicated hardware firewall
2 Do not use vendor-supplied defaults for passwords; develop configuration standards
Gazzang:
- The MySQL Linux account has a strong initial password
- Only the local mysql root account is created
- A strong initial password is enforced
- The MySQL configuration is secured
- Added access-file protection
The auditor will:
- Interview staff, review documentation, view the setup
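Before the auditor asks, it is worth proving the "no vendor defaults" claim against the live server rather than the install notes. The queries and clean-up statements below are an added example written for this page; they are not part of the deck or of Gazzang's product. They target a MySQL 5.5/5.6 server (the page's era) and look for exactly what mysql_install_db leaves behind: anonymous accounts, root reachable from anywhere but the local host, accounts with empty passwords, and the sample test database. The hostname db01 and the replacement password are hypothetical.

```sql
-- Added example: audit a MySQL 5.5/5.6 server for vendor-default accounts.
-- On MySQL 5.7+ the Password column is named authentication_string and
-- SET PASSWORD ... = PASSWORD() is replaced by ALTER USER ... IDENTIFIED BY.

-- 1. Anonymous accounts: any row with an empty user name.
SELECT user, host FROM mysql.user WHERE user = '';

-- 2. root, or any account holding SUPER, reachable from anywhere but the local host.
SELECT user, host
  FROM mysql.user
 WHERE (user = 'root' OR Super_priv = 'Y')
   AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Accounts with no password at all (the install default for root).
SELECT user, host FROM mysql.user WHERE Password = '';

-- 4. The sample 'test' database and the catch-all grants mysql_install_db gives it.
SELECT Db, Host, User FROM mysql.db WHERE Db IN ('test', 'test\\_%');

-- Remediation. Hypothetical names; run only after confirming the findings above.
DROP USER ''@'localhost';
DROP USER ''@'db01';              -- anonymous row keyed on the server's own hostname (hypothetical)
DROP USER 'root'@'db01';          -- root keyed on the server's hostname, also an install default
DROP USER 'root'@'%';             -- remote root, if one was ever created
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('replace-with-a-long-random-value');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db IN ('test', 'test\\_%');
FLUSH PRIVILEGES;                 -- required after editing grant tables directly

-- Re-run the four SELECTs: each should return an empty set.
```

The four SELECTs double as audit evidence: save their (empty) output with a timestamp, since the auditor will ask to "view the setup" rather than take the vendor's word for it.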
3 Protect stored data
Gazzang allows you to:
- Encrypt the entire database
- Encrypt individual tables
- Encrypt related files (log files)
- Control who can decrypt the data, beyond normal database and file system protections
- Manage and secure keys

3 Protect stored data
The auditor will:
- Look at the entire data lifecycle related to card data, authentication data, key management, protecting data, verification codes and much more
You:
- Will need to document, explain and show that process to the auditor
- Within Requirement 3, sections 3.4, 3.5 and 3.6 are often the trickiest
3 Protect stored data
Gazzang ezNcrypt helps:
- Manage access control: only authorized users running authorized applications can decrypt cardholder data
- 3.4.1.a: If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms

3 Protect stored data
Gazzang ezNcrypt helps:
- Secure key-management procedures
  - PCI 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
  - PCI 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
  - 3.6.1: The auditor can verify that procedures are implemented that require automated generation of strong keys, using ezNcrypt
4 Encrypt transmission of cardholder data across public networks
You:
- Verify the use of encryption (for example, SSL/TLS or IPsec) wherever cardholder data is transmitted or received over open, public networks
- Require SSL connections in the MySQL access control settings for any "remote" user

4 Encrypt transmission of cardholder data across public networks
Gazzang:
- Cloud data storage sends data across the network to the storage back end
- With ezNcrypt your critical data is encrypted before it moves into the physical file system, so what crosses the network to storage, or passes through other devices that could be monitored or tapped, is already ciphertext
- This covers the server-to-storage path only; client connections to MySQL still need SSL/TLS, as on the previous slide
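The "require SSL connections for any remote user" bullet is a one-line change in MySQL, but auditors want to see the check as well as the fix. The statements below are an added example for this page, not code from the deck or from Gazzang. They use MySQL 5.5/5.6 syntax; the account names, subnets and certificate names are hypothetical. The client-certificate variant at the end is the "user/password and certificate" combination the Requirement 8.3 slide mentions later.

```sql
-- Added example: require TLS for every non-local MySQL account (Requirement 4).
-- MySQL 5.5/5.6 syntax. 5.7+ also offers ALTER USER ... REQUIRE and the
-- server-wide setting require_secure_transport=ON as a simpler alternative.

-- 0. Confirm the server is built with SSL and configured for it. Expect 'YES'.
--    'DISABLED' means the binary supports SSL but my.cnf has no
--    ssl-ca / ssl-cert / ssl-key under [mysqld]; 'NO' means rebuild or repackage.
SHOW VARIABLES LIKE 'have_ssl';

-- 1. Find remote accounts that may still connect in clear text.
--    ssl_type is the empty string until a REQUIRE clause has been attached.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
   AND ssl_type = '';

-- 2. Enforce encryption on an existing account. GRANT USAGE adds no privileges;
--    it only attaches the REQUIRE clause. Hypothetical app account and subnet:
GRANT USAGE ON *.* TO 'payapp'@'10.0.2.%' REQUIRE SSL;

-- 3. Stronger: also demand a client certificate issued by your own CA and bound
--    to one person (password plus certificate, as on the Requirement 8.3 slide).
--    Hypothetical DN strings in OpenSSL one-line form.
GRANT USAGE ON *.* TO 'dba_jsmith'@'10.0.1.%'
  REQUIRE ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA'
      AND SUBJECT '/C=US/O=Example Corp/CN=jsmith';

FLUSH PRIVILEGES;

-- 4. Verify from a client session: Ssl_cipher is non-empty on an encrypted connection.
SHOW STATUS LIKE 'Ssl_cipher';
```

REQUIRE SSL only guarantees that the channel is encrypted; it does not make the client check who is on the other end. Connect with --ssl-ca pointing at your CA bundle, and on 5.6 and later add --ssl-verify-server-cert, otherwise a man-in-the-middle presenting its own certificate is accepted and the auditor's "verify the use of encryption" test is satisfied only on paper.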
5 Use and regularly update anti-virus software
The auditor will:
- Verify that all OS types commonly affected by malicious software have anti-virus software implemented
You:
- Make sure AV is set up and deployed properly

6 Develop and maintain secure systems and applications
Gazzang:
- Adds a new layer of security
- Out of the box, the system is more secure
- You will be downloading the latest MySQL version
- We secure the configuration and protect the data and logs

7 Restrict access to data by business need-to-know
Gazzang:
- Helps meet this by restricting access using encryption, key control and application-only access controls
- Linux users cannot read the data files; only the MySQL server process can
You:
- Ensure that the cloud host allows customers to manage local server credentials themselves
8 Assign a unique ID to each person with computer access
You:
- Need to manage your users
- Create a unique login for each user with access to the server
- Create unique accounts within MySQL and Linux
- Limit access to only what the account requires
The auditor will:
- Want reports on each of the systems
- Want to know who has access and which authentication methods are used
- Verify documentation on processes and procedures

8 Assign a unique ID to each person with computer access
- 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties
You:
- Ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site or IPsec VPNs
- Two-factor: requiring user/password and certificate
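Requirements 7 (need-to-know) and 8 (unique IDs) meet inside the MySQL grant tables: one account per person, each bound to the network it connects from, each holding only the privileges its role needs. The statements below are an added example for this page, not from the deck or from Gazzang. The schema, table and view names, account names and subnets are all hypothetical.

```sql
-- Added example: per-person, least-privilege MySQL accounts (Requirements 7 and 8).
-- MySQL 5.5/5.6 syntax; all names and subnets are hypothetical.

-- Shared or over-broad accounts the auditor will flag:
--  a) accounts allowed to log in from any host
SELECT user, host FROM mysql.user WHERE host = '%';
--  b) accounts holding global ALL PRIVILEGES (with GRANT OPTION) other than the local root
SELECT user, host
  FROM mysql.user
 WHERE Select_priv = 'Y' AND Insert_priv = 'Y' AND Update_priv = 'Y'
   AND Delete_priv = 'Y' AND Drop_priv   = 'Y' AND Grant_priv  = 'Y'
   AND NOT (user = 'root' AND host = 'localhost');

-- Application account: read/write on the cardholder tables only; no DDL, no GRANT OPTION.
CREATE USER 'payapp'@'10.0.2.%' IDENTIFIED BY 'long-random-app-secret';
GRANT SELECT, INSERT, UPDATE ON cardholder.transactions TO 'payapp'@'10.0.2.%';
GRANT SELECT ON cardholder.merchants TO 'payapp'@'10.0.2.%';

-- Analyst: one named person, read-only, and only through a view that masks the PAN.
CREATE USER 'analyst_jdoe'@'10.0.1.%' IDENTIFIED BY 'another-long-random-secret';
GRANT SELECT ON cardholder.v_transactions_masked TO 'analyst_jdoe'@'10.0.1.%';

-- DBA: one named person, full rights on the cardholder schema, but no global
-- privileges and no GRANT OPTION, so the account cannot widen its own access.
CREATE USER 'dba_jsmith'@'10.0.1.%' IDENTIFIED BY 'yet-another-long-random-secret';
GRANT ALL PRIVILEGES ON cardholder.* TO 'dba_jsmith'@'10.0.1.%';

-- Evidence for the auditor: effective grants per account, one person per line.
SHOW GRANTS FOR 'payapp'@'10.0.2.%';
SHOW GRANTS FOR 'analyst_jdoe'@'10.0.1.%';
SHOW GRANTS FOR 'dba_jsmith'@'10.0.1.%';
```

Pairing the MySQL account with a matching per-person Linux login (as the slide asks) is what lets the Requirement 10 logs later attribute every action to a single individual; a shared "dba" login in either layer breaks that chain.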
Editor's Notes

#4 MICHAEL: What GG provides: "Multi-faceted infrastructure"