Complying with Payment Card Industry Data Security Standard
(PCI-DSS)
What is it? The PCI Data Security Standard is a common
approach to safeguarding sensitive data initiated by Visa and MasterCard
and now adopted by the major card brands.
Who does it apply to? The Payment Card Industry (PCI)
Data Security Requirements apply to all merchants, and service providers
that store, process or transmit cardholder data.
How is it assessed? Compliance is validated annually by
on-site assessment audits (or self-assessment for smaller merchants
& payment processors) and additionally by network scans.
Why be compliant and how to achieve it?
Compliance may protect your organisation against potentially
very large fines if your card-holder data environment is compromised.
Complying with the PCI standard is achievable through a straightforward
pre-compliance check and remediation process before your audit or assessment.
What does the standard require merchants and payment processors
to do?
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Regularly test security systems and processes
- Maintain an Information Security Policy
Which components must comply with the standard?
The PCI security requirements apply to any network component,
server, or application included in, or connected to, the cardholder
data environment.
Network components include, but are not limited to, firewalls,
switches, routers, wireless access points, network appliances, and
other security appliances. Servers include web, database, authentication,
DNS, mail, proxy, and NTP. Applications include all purchased and
custom applications, including internal and external (web) applications.
PRE-COMPLIANCE
HEALTH-CHECK SERVICE
To successfully pass a PCI DSS assessment, it
is strongly recommended that the gap is determined between your
existing security posture and that which is demanded by PCI DSS.
A Pre-Compliance Health Check service by One-Sec,
the UK's leading PCI auditors, offers an expert analysis of your
current compliance status. By identifying and prioritising areas
requiring remediation, it culminates in a gap-analysis that provides
a starting point from which to work towards full compliance.
Event Log Management for PCI-DSS
Collection of event log data to track access to cardholder data
is a key element of the PCI-DSS standard (Requirement 10). This requires
implementation of an enterprise-class event log management system.
Ancoris recommends the deployment of NetIQ Security Manager.
Recent Projects undertaken by Ancoris
Design, implementation and rollout of NetIQ Security Manager
for PCI DSS compliance at:
- one of the UK's leading internet payment service providers
- an operator of fuel cards and a world leader in card fraud prevention and payment processing
- a major garment manufacturer (merchant and payment processor)
- a leading European provider of card and internet payment processing systems
- one of the UK's largest credit card companies
- a leading fashion retailer
For more information please
contact us.
PCI-DSS Compliance Pack for NetIQ Security Manager
The Ancoris PCI-DSS Compliance Pack comprises
a set of pre-configured rules in a management pack to configure
NetIQ Security Manager for PCI-DSS compliance.
The rules have been approved by one of the UK’s leading auditors
as meeting the requirements for PCI-DSS event collection for Windows
and UNIX servers when used in conjunction with a supplied list of
required operating system audit logging settings.
Deploying the Compliance Pack ensures that only the required
events are collected. This reduces the implementation time for the
event log management system and can also considerably reduce the
storage requirements for event logs compared with a "collect all"
approach. Using these rules will ensure that the PCI-DSS audit requirements
for event log collection are met.
PCI-DSS Compliance with LogLogic appliances
LogLogic appliances are an enterprise-scalable solution for
security event log collection and reporting, ideal for heterogeneous
environments.