Payment Card Industry (PCI) Compliance
Sponsored by a collaboration between MasterCard, Visa, American Express, Discover and JCB, the Payment Card Industry Data Security Standard (PCI DSS) is an effort to protect consumer information and fight payment fraud through required security practices for credit card data that is stored, processed or transmitted by a merchant or service provider, whether the transaction is taken online or at a point of sale. All merchants and service providers that store, process or transmit cardholder data must comply with PCI DSS; the standard is enforced contractually by the card brands and acquiring banks rather than by statute, so the word "regulation" below should be read in that sense.
Objectives to Meet PCI Compliance
To achieve compliance, merchants and service providers must adhere to the PCI security standards, which offer a single approach to safeguarding sensitive data for all card brands. The PCI security standard is a framework of twelve basic requirements, grouped under six control objectives and supported by more detailed sub-requirements. Logging, log review and log retention are mandated under Requirement 10 of those twelve requirements.
Specifically, PCI requires organizations to:
- Regularly monitor and test networks (the control objective that covers Requirements 10 and 11)
- Track and monitor all access to network resources and cardholder data (Requirement 10)
RSA enVision® automates this compliance requirement with reports mapped to the individual PCI sub-requirements, allowing organizations to capture and report on the logs from network, security, infrastructure and application-layer events. RSA enVision reports give your organization a complete picture of network usage and the audit-trail elements PCI requires for each event: user identification, type of event, date and time, success or failure indication, origination of the event and the identity of the data, system or resource that was accessed.
To meet those objectives, companies must monitor and audit the following types of activity:
- Access Control monitors attempts, successful and failed, to access anything on a company’s systems, including files, directories, database records and applications.
- Configuration Control monitors the configuration, policies and software installed on systems in scope for a particular compliance regulation and on every system with access to those systems.
- Malicious Software capabilities detect, collect and report malicious activity caused by viruses or other malicious code.
- Policy Enforcement verifies that all users are complying with policy, to reduce the chance of accidental exposure of sensitive information.
- User Monitoring and Management creates a complete audit of the activities of non-employees (contractors, vendors and other third parties) with access to private data and takes steps to minimize the risk from compromised accounts.
- Environmental and Transmission Security involves ongoing monitoring of the environment so that security threats are detected and corrected as quickly as possible, through proactive measures such as vulnerability assessment (VA) scans. Additional monitoring is required to ensure that sensitive data is transmitted only over secured channels using strong cryptography.
To achieve and maintain compliance in those areas, companies must apply the following functions to the data collected by the RSA enVision Log Management solution:
- Collect, Protect and Store raw data, unfiltered and un-normalized, in an efficient and tamper-protected manner.
- Establish Baseline levels of activity for the entire system and network environment, to define “normal activity” and detect unusual levels of activity.
- Report summary and detailed reports covering the mandated retention periods.
- Alert companies to deviations from baseline activity and to complex patterns of activity that span multiple, disparate devices.
- Debug systems by correcting policies and settings, with a detailed view of every change and the effect it has on the environment.
- Establish Incident Management capabilities for close monitoring and correction of violations, so that each violation is recorded, escalated and corrected in a timely and thorough manner.
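As an added illustration of the Establish Baseline and Alert functions above (example code written for this page, not RSA enVision's implementation or output format), the following Python script parses a constructed set of authentication log lines from two devices, builds a per-user baseline of hourly authentication-failure counts, raises an alert when the current hour deviates from that baseline, and correlates a burst of failures on one device with a later success for the same user on a different device. The log format, device names, user names, addresses, time window and thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real enVision output). The format is an
# assumption made for this example:
#   <ISO timestamp> <device> <event> user=<name> src=<ip> result=<success|failure>
SAMPLE_LOGS = """\
2024-03-01T09:00:00 vpn-gw auth user=alice src=203.0.113.5 result=success
2024-03-01T09:05:00 vpn-gw auth user=alice src=203.0.113.5 result=failure
2024-03-01T10:10:00 db-srv auth user=bob src=10.0.0.8 result=failure
2024-03-01T10:12:00 db-srv auth user=bob src=10.0.0.8 result=success
2024-03-01T11:30:00 db-srv auth user=alice src=10.0.0.9 result=failure
2024-03-01T12:00:00 vpn-gw auth user=bob src=198.51.100.7 result=failure
2024-03-01T12:01:00 vpn-gw auth user=bob src=198.51.100.7 result=failure
2024-03-01T12:02:00 vpn-gw auth user=bob src=198.51.100.7 result=failure
2024-03-01T12:03:00 vpn-gw auth user=bob src=198.51.100.7 result=failure
2024-03-01T12:04:00 vpn-gw auth user=bob src=198.51.100.7 result=failure
2024-03-01T12:06:00 db-srv auth user=bob src=198.51.100.7 result=success
2024-03-01T12:15:00 vpn-gw auth user=alice src=203.0.113.5 result=failure
this line is deliberately malformed and is excluded from the metrics
"""

BASELINE_START = datetime(2024, 3, 1, 9)   # baseline window: 09:00 to 12:00
BASELINE_END = datetime(2024, 3, 1, 12)
CURRENT_HOUR = datetime(2024, 3, 1, 12)    # the hour being checked

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one line into a dict, or None if it does not match the format.
    (A real store would keep the raw line regardless; only the metrics skip it.)"""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failures_per_hour(records):
    """{user: {hour_start: count}} of authentication failures."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["event"] == "auth" and r["result"] == "failure":
            hour = r["ts"].replace(minute=0, second=0, microsecond=0)
            counts[r["user"]][hour] += 1
    return counts


def baseline_stats(records, start, end):
    """Per-user (mean, population stdev) of hourly failure counts over the
    baseline window [start, end). Hours with no failures count as zero, and
    every user seen anywhere in the records gets a baseline."""
    hours, h = [], start
    while h < end:
        hours.append(h)
        h += timedelta(hours=1)
    counts = failures_per_hour([r for r in records if start <= r["ts"] < end])
    stats = {}
    for u in {r["user"] for r in records}:
        series = [counts[u].get(h, 0) for h in hours]
        stats[u] = (statistics.mean(series), statistics.pstdev(series))
    return stats


def deviation_alerts(records, stats, hour, z=2.0, min_stdev=1.0):
    """Alert when a user's failures in `hour` exceed mean + z * stdev of the
    baseline. min_stdev keeps a flat baseline from alerting on one extra event."""
    window = [r for r in records if hour <= r["ts"] < hour + timedelta(hours=1)]
    counts = failures_per_hour(window)
    alerts = []
    for u, (mean, sd) in stats.items():
        n = counts[u].get(hour, 0)
        threshold = mean + z * max(sd, min_stdev)
        if n > threshold:
            alerts.append((u, n, round(threshold, 2)))
    return sorted(alerts)


def cross_device_alerts(records, min_failures=3, window=timedelta(minutes=10)):
    """Correlate a burst of failures on one device with a later success for the
    same user on a different device within `window` (guessing, then use)."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "auth":
            by_user[r["user"]].append(r)
    alerts = []
    for u, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, succ in enumerate(recs):
            if succ["result"] != "success":
                continue
            fails = [r for r in recs[:i]
                     if r["result"] == "failure" and r["device"] != succ["device"]
                     and succ["ts"] - r["ts"] <= window]
            if len(fails) >= min_failures:
                alerts.append((u, fails[0]["device"], succ["device"], succ["ts"].isoformat()))
    return alerts


def run_demo(text=SAMPLE_LOGS):
    records = parse_logs(text)
    stats = baseline_stats(records, BASELINE_START, BASELINE_END)
    return {"baseline": stats,
            "deviation": deviation_alerts(records, stats, CURRENT_HOUR),
            "cross_device": cross_device_alerts(records)}


if __name__ == "__main__":
    for kind, value in run_demo().items():
        print(kind, value)
```

With the constructed data, bob's five failures at 12:00 exceed his baseline of roughly 0.33 failures per hour, and the success on db-srv two minutes later is flagged as a cross-device pattern; alice's single failure stays under her threshold. The minimum stdev and minimum failure count are the kind of tuning a practitioner needs so that a quiet baseline does not alert on every stray event.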
These functions ensure that the administrative, physical and technical controls demanded by PCI are maintained. RSA enVision solutions address the technical standards that concern logging, monitoring and audit trails.
The RSA enVision Internet Protocol Database
Using its advanced LogSmart® Internet Protocol Database™ (IPDB) architecture that is deployed in hundreds of enterprises worldwide, RSA enVision is able to capture All the Data™ from network, security, host, application and storage layers across the enterprise. The LogSmart IPDB analyzes both real-time and historical data and presents information in views and reports designed to meet the far-ranging needs of everyone in your organization from the IT department, to the security department, to the compliance and risk officers and executive management.
The benefits of the LogSmart IPDB include:
- Designed to store and work efficiently with unstructured data natively without any filtering or data normalization
- Maintains a digital chain of custody for all data, which assures that once data is committed to the database it cannot be altered without detection, unlike the updatable tables of most RDBMS-based solutions
- No agents are required
- Distributed peer-to-peer architecture enables high scalability and performance
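To make the chain-of-custody point concrete, here is an added example (written for this page; it is not the LogSmart IPDB implementation and makes no claim about how enVision stores data) of a hash-chained, append-only record store in Python. Each entry is committed with the SHA-256 of the previous entry's hash plus a canonical serialisation of its own content, so editing or deleting a committed record breaks every later link. The records are constructed sample data. The example also carries the caveat a practitioner would raise: a verifier that only checks internal consistency cannot detect an attacker who rewrites the whole chain, so the head hash must be anchored somewhere the attacker cannot write (write-once media, a separate system, or a signature).

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the first record

# Constructed sample records (not real enVision data); the field set is an
# assumption made for this example.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T12:00:00", "device": "vpn-gw", "user": "bob", "result": "failure"},
    {"ts": "2024-03-01T12:01:00", "device": "vpn-gw", "user": "bob", "result": "failure"},
    {"ts": "2024-03-01T12:06:00", "device": "db-srv", "user": "bob", "result": "success"},
]


def _link_hash(prev_hash, record):
    """SHA-256 over the previous link plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only store: every entry carries the hash of its predecessor."""

    def __init__(self):
        self.entries = []  # list of [record_dict, link_hash]

    def append(self, record):
        h = _link_hash(self.head(), record)
        self.entries.append([dict(record), h])
        return h

    def head(self):
        """Hash of the newest entry; this is the value to anchor externally."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, anchor=None):
        """Recompute every link. Returns (True, None) if the chain is intact,
        else (False, index) naming the first entry that fails. If an externally
        stored anchor is given, the head must match it too; a head mismatch is
        reported with index == len(entries)."""
        prev = GENESIS
        for i, (rec, h) in enumerate(self.entries):
            if _link_hash(prev, rec) != h:
                return False, i
            prev = h
        if anchor is not None and prev != anchor:
            return False, len(self.entries)
        return True, None


def demo():
    log = ChainedLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    anchor = log.head()          # copy kept where the attacker cannot write
    intact = log.verify(anchor)  # (True, None)

    # Attack 1: edit a committed record in place. Its stored link hash no
    # longer matches, so verification fails at that entry.
    log.entries[1][0]["result"] = "success"
    edited = log.verify(anchor)  # (False, 1)

    # Attack 2: rebuild the whole chain around the edited record. It is now
    # internally consistent, so a verifier without the anchor is fooled; the
    # anchored head still exposes the change.
    rebuilt = ChainedLog()
    for rec, _ in log.entries:
        rebuilt.append(rec)
    unanchored = rebuilt.verify()      # (True, None)
    anchored = rebuilt.verify(anchor)  # (False, 3)
    return intact, edited, unanchored, anchored


if __name__ == "__main__":
    print(demo())
```

The second attack is the reason log management products and auditors talk about where the integrity value is kept, not only whether hashing is used: if the head hash lives in the same writable store as the records, tamper evidence depends entirely on the attacker not bothering to recompute it.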
Compliance Alerts
RSA enVision provides the ability to automatically generate alerts based on non-compliance with specific regulations and the detection of unusual levels of activity. Such incidents trigger alerts so action can be taken to maintain compliance.
The PCI standard identifies several core IT security technologies, as well as various processes and procedures, needed to protect cardholder data. To address these requirements, RSA, The Security Division of EMC, and Akibia can help your organization by delivering a PCI Solution that encompasses a range of IT security technologies together with assessment and policy development services.
For more information, contact your Akibia sales representative.