PCI DSS Compliance
If your organization handles credit card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Created by the major payment card brands, the PCI DSS codifies a set of security best practices that help organizations protect cardholder data. PCI compliance allows organizations to process credit cards and avoid hefty fines but—more importantly—it drastically reduces the risk of a devastating data breach.
Imperva SecureSphere solutions help organizations meet 8 of the 12 high-level requirements, including the key requirements that strategically impact Web, database, and file security:
- Requirement 6.6: Protect public-facing Web applications
- Requirement 10: Audit all access to cardholder data
- Requirement 7: Limit access to systems and data on a business need-to-know basis
- Requirement 8.5: Identify and disable dormant user accounts and access rights
- Requirement 11.5: Alert personnel to unauthorized modification of files
PCI 6.6: Protect Public-Facing Web Applications
Requirement 6.6 offers two options to address Web security risks: install a Web application firewall (WAF) or review all Web applications annually and after all changes. WAFs provide continuous protection, not just immediately after an application review.
PCI 10: Audit All Access to Cardholder Data
PCI DSS requires that organizations track and monitor all access to network resources and cardholder data. Among the 25 detailed sub-requirements delineated in section 10, organizations must link all activity to individual users, monitor every individual transaction, and audit privileged user activity.
PCI 7: Limit Access to Cardholder Data by Business Need to Know
Restricting access to authorized personnel greatly reduces the risk of a data breach. According to PCI DSS requirement 7, organizations should limit user access to the least necessary to perform job functions.
PCI 8.5: Disable Dormant User Accounts
PCI DSS mandates secure user authentication and password management processes. According to PCI requirement 8.5.5, user accounts must be disabled after 90 days of inactivity. In addition, access privileges of terminated users should be revoked.
Requirement 11.5: Alert Personnel to Unauthorized Modification of Files
PCI DSS mandates that critical system, configuration, and content files be monitored for unauthorized modification, and that personnel be alerted to changes. Section 11.5 describes the need to deploy file integrity monitoring to accomplish this. A file security solution can monitor all access activity, including changes, and can generate alerts when modifications or other policy deviations are seen.
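As an added illustration of the file integrity monitoring that Requirement 11.5 calls for (example code written for this page, not SecureSphere's own): a baseline of SHA-256 hashes, sizes and permission bits is recorded for a directory, a later scan is compared against it, and every added, removed or modified file becomes an alert line. The directory and file names in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify files as added, removed or modified (content or mode changed)."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }

def alerts(report: dict) -> list:
    """One alert line per deviation, ready to forward to a SIEM or ticket queue."""
    return [f"ALERT {kind} {path}" for kind in ("added", "removed", "modified")
            for path in report[kind]]

def demo() -> dict:
    """Constructed sample: baseline a config directory, alter it, then re-scan."""
    root = Path(tempfile.mkdtemp())
    (root / "app.conf").write_text("db_host=10.0.0.5\n")
    (root / "web.xml").write_text("<config/>\n")
    baseline = build_baseline(root)
    (root / "app.conf").write_text("db_host=10.0.0.9\n")   # content changed
    (root / "extra.txt").write_text("unexpected\n")        # file added
    (root / "web.xml").unlink()                            # file removed
    return compare(baseline, build_baseline(root))
```

In production the baseline would be stored off-host (or signed) so that an attacker who can modify monitored files cannot also rewrite the baseline.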