PCI DSS Compliance
If your organization handles credit card data, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Created by the major payment card brands, the PCI DSS codifies a set of security best practices that help organizations protect cardholder data. PCI compliance allows organizations to process credit cards and avoid hefty fines but—more importantly—it drastically reduces the risk of a devastating data breach.
Imperva SecureSphere solutions help organizations meet 8 of the 12 high-level requirements, including the key requirements that strategically impact Web, database and file security:
- Requirement 6.6: Protect public-facing Web applications
- Requirement 10: Audit all access to cardholder data
- Requirement 7: Limit access to systems and data on a business need to know
- Requirement 8.5: Identify and disable dormant user accounts and access rights
- Requirement 11.5: Alert personnel to unauthorized modification of files
PCI 6.6: Protect Public-Facing Web Applications
Requirement 6.6 offers two options to address Web security risks: install a Web application firewall (WAF) or review all Web applications annually and after all changes. WAFs provide continuous protection, not just immediately after an application review. In addition, because maintenance is automated, WAFs neither impose burdensome consulting costs nor impact Web development processes. For defense-in-depth, organizations can integrate WAFs with application assessment tools to virtually patch vulnerabilities, eliminating the window of exposure associated with manual code fixes.
PCI 10: Audit All Access to Cardholder Data
PCI DSS requires that organizations track and monitor all access to network resources and cardholder data. Among the 25 detailed sub-requirements delineated in section 10, organizations must track all activity to individual users, monitor every individual transaction, and audit privileged user activity. Even access to audit trails must be restricted and logged. With such exacting demands, it is not surprising that 71% of assessed merchants fail to meet this requirement.[1] Purpose-built database and file security solutions satisfy section 10 without degrading server performance, necessitating application changes, or requiring in-house audit management tools.
PCI 7: Limit Access to Cardholder Data by Business Need to Know
Restricting access to authorized personnel greatly reduces the risk of a data breach. According to PCI DSS requirement 7, organizations should limit user access to the least necessary to perform job functions. A dedicated User Rights Management (URM) solution can automate the aggregation, management, and auditing of user access rights across all databases and file servers. URM will also help identify excessive and unused user rights and streamline compliance efforts and processes.
PCI 8.5: Disable Dormant User Accounts
PCI DSS mandates secure user authentication and password management processes. According to PCI requirement 8.5.5, user accounts must be disabled after 90 days of inactivity. In addition, access privileges of terminated users should be revoked. A User Rights Management solution helps organizations aggregate and report on user activity, identify dormant accounts, and generate reports for PCI compliance.
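The two checks this section describes, a 90-day inactivity rule and revocation for terminated users, as an added Python example that is not Imperva's code; the account records, the `employee_active` flag standing in for an HR feed, and the choice to treat "exactly 90 days" as not yet dormant are all assumptions made here:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# PCI DSS 8.5.5 threshold as stated on the page: disable after 90 days of inactivity.
DORMANCY_DAYS = 90

@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[datetime]  # None = never logged in since creation
    employee_active: bool           # False = terminated per HR feed (assumed input)

def dormant_accounts(accounts: List[Account], now: datetime,
                     threshold_days: int = DORMANCY_DAYS) -> List[str]:
    """Enabled accounts with no login in the last threshold_days.
    An enabled account that has never logged in is reported as dormant too.
    Boundary assumption: a login exactly threshold_days ago is not yet dormant."""
    cutoff = now - timedelta(days=threshold_days)
    return [a.user for a in accounts
            if a.enabled and (a.last_login is None or a.last_login < cutoff)]

def terminated_with_access(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose owner is terminated (8.5: revoke on termination)."""
    return [a.user for a in accounts if a.enabled and not a.employee_active]

def pci_85_report(accounts: List[Account], now: datetime) -> dict:
    """Both findings in one structure, suitable for a compliance report."""
    return {"dormant": dormant_accounts(accounts, now),
            "terminated_still_enabled": terminated_with_access(accounts)}

# Constructed sample data (not real accounts)
NOW = datetime(2024, 6, 30)
SAMPLE = [
    Account("alice", True, NOW - timedelta(days=3), True),
    Account("bob", True, NOW - timedelta(days=91), True),     # dormant
    Account("carol", True, NOW - timedelta(days=90), True),   # on the boundary, not dormant
    Account("dave", False, NOW - timedelta(days=400), True),  # already disabled, ignored
    Account("erin", True, None, True),                        # never logged in, dormant
    Account("frank", True, NOW - timedelta(days=1), False),   # terminated but still enabled
]

if __name__ == "__main__":
    for finding, users in pci_85_report(SAMPLE, NOW).items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```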
Requirement 11.5: Alert Personnel to Unauthorized Modification of Files
PCI DSS mandates that critical system, configuration, and content files be monitored for unauthorized modification, and that personnel be alerted to changes. Section 11.5 describes the need to deploy file integrity monitoring to accomplish this. A file security solution can monitor all access activity, including changes, and can generate alerts when modifications or other policy deviations are seen.
To learn why Imperva SecureSphere solutions are the ideal choice for several of the most challenging PCI DSS requirements, see the Imperva PCI solution center.
[1] Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, Verisign
[2] Blocking access to sensitive data in databases requires SecureSphere DBF.
[3] Blocking access to sensitive files requires SecureSphere FFW.