PCI DSS Compliance

    Imperva is a participating member of the PCI Security Standards Council

    If your organization stores, processes or transmits credit card data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). Created by the major payment card brands, the PCI DSS codifies a set of security controls that help organizations protect cardholder data. PCI compliance allows organizations to keep processing credit cards and avoid hefty fines but—more importantly—it substantially reduces the risk of a damaging data breach.

    Imperva SecureSphere solutions help organizations meet 8 of the 12 high-level requirements, including those most relevant to Web, database and file security:

    • Requirement 6.6: Protect public-facing Web applications
    • Requirement 10: Audit all access to cardholder data
    • Requirement 7: Limit access to systems and data on a business need to know
    • Requirement 8.5: Identify and disable dormant user accounts and access rights
    • Requirement 11.5: Alert personnel to unauthorized modification of files

    PCI 6.6: Protect Public-Facing Web Applications

    Requirement 6.6 offers two options for addressing Web application risk: install a Web application firewall (WAF) in front of public-facing Web applications, or review all public-facing Web applications at least annually and after every change. A WAF provides continuous protection, not just protection at the moment an application review happens to be complete. In addition, because policy maintenance can be automated, a WAF imposes neither recurring consulting costs nor changes to the Web development process. For defense in depth, a WAF can be integrated with application assessment tools to virtually patch discovered vulnerabilities, closing the window of exposure between the finding and the manual code fix. Note that choosing the WAF option does not remove the need to keep it tuned and in blocking mode: a WAF left in monitoring-only mode detects attacks but does not prevent them.

    PCI 10: Audit All Access to Cardholder Data

    PCI DSS requires that organizations track and monitor all access to network resources and cardholder data. Among the 25 detailed sub-requirements in section 10, organizations must link all activity to individual users, record every individual transaction, and audit privileged user activity. Even access to the audit trails themselves must be restricted and logged. With such exacting demands, it is not surprising that 71% of assessed merchants fail to meet this requirement.[1] Purpose-built database and file security solutions can satisfy section 10 without degrading server performance, requiring application changes, or depending on in-house audit management tools.

    PCI 7: Limit Access to Cardholder Data by Business Need to Know

    Restricting access to authorized personnel greatly reduces the risk of a data breach. PCI DSS requirement 7 requires organizations to limit each user's access to the minimum necessary to perform that user's job function. A dedicated User Rights Management (URM) solution can automate the aggregation, management, and auditing of user access rights across all databases and file servers. URM also helps identify excessive and unused rights, which both reduces exposure and streamlines the periodic access review that compliance demands.

    PCI 8.5: Disable Dormant User Accounts

    PCI DSS mandates secure user authentication and password management processes. Under requirement 8.5.5, accounts that have been inactive for 90 days must be removed or disabled, and under 8.5.4 the access of terminated users must be revoked immediately. A User Rights Management solution helps organizations aggregate and report on user activity, identify dormant accounts, and generate the reports a PCI assessor will ask for.
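    As an added example (not code from the original page and not part of any Imperva product), the following script implements the dormant-account check that 8.5.5 calls for over a constructed sample of accounts. The `Account` records, the user names, the reference date and the `demo()` helper are all assumptions made for illustration; in practice the last-login data would come from the database's or file server's own authentication log, as the page describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# PCI DSS 8.5.5 (numbering as used on this page): remove or disable user
# accounts that have been inactive for more than 90 days.
DORMANCY_DAYS = 90
REFERENCE_DATE = date(2020, 6, 15)  # "today" for the constructed sample below


@dataclass
class Account:
    name: str
    created: date
    last_login: Optional[date]  # None: the account has never authenticated
    enabled: bool


def is_dormant(acct: Account, as_of: date, limit_days: int = DORMANCY_DAYS) -> bool:
    """An enabled account is dormant when more than limit_days have passed since
    its last login, or since its creation if it has never logged in at all.
    Accounts that are already disabled are not reported again."""
    if not acct.enabled:
        return False
    last_activity = acct.last_login or acct.created
    return (as_of - last_activity).days > limit_days


def dormant_accounts(accounts: List[Account], as_of: date,
                     limit_days: int = DORMANCY_DAYS) -> List[str]:
    """Names of accounts that should be disabled, in a stable order for reporting."""
    return sorted(a.name for a in accounts if is_dormant(a, as_of, limit_days))


# Constructed sample (hypothetical users), standing in for an export of a
# database's or file server's login audit trail.
SAMPLE = [
    Account("alice", date(2020, 1, 10), date(2020, 6, 1), True),   # active
    Account("bob", date(2019, 3, 2), date(2020, 1, 15), True),     # 152 days idle
    Account("svc_report", date(2019, 3, 2), None, True),           # never used
    Account("carol", date(2020, 5, 20), None, True),               # new, inside the window
    Account("dave", date(2018, 1, 1), date(2018, 2, 1), False),    # already disabled
]


def demo() -> List[str]:
    """Run the check against the constructed sample."""
    return dormant_accounts(SAMPLE, REFERENCE_DATE)


if __name__ == "__main__":
    for name in demo():
        print(f"DISABLE {name}: no activity in the last {DORMANCY_DAYS} days")
```

    Two details matter in practice. An account that has never logged in is measured from its creation date, otherwise a provisioned-but-unused account would never be flagged; and accounts that are already disabled are excluded so the report only lists work still to be done. Service accounts that authenticate non-interactively are the usual source of false positives, so the last-activity source must cover every authentication path, not just interactive logins.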

    PCI 11.5: Alert Personnel to Unauthorized Modification of Files

    PCI DSS mandates that critical system, configuration, and content files be monitored for unauthorized modification, and that personnel be alerted to changes. Requirement 11.5 calls for file integrity monitoring software to accomplish this, configured to perform critical file comparisons at least weekly. A file security solution can monitor all access activity, including changes, and can generate alerts when modifications or other policy deviations are seen.
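    As an added example, not part of the original page and not Imperva's product code, here is a minimal file integrity check of the kind 11.5 describes: hash every regular file under a directory into a baseline, then compare a fresh snapshot against it and classify added, removed and modified files. The function names (`snapshot`, `compare`, `demo`) and the sample web root with its `app.conf`, `index.html`, `old.txt` and `shell.php` paths are assumptions constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its content hash
    and permission bits. Symlinks are skipped so a link cannot be used to point the
    check at an unrelated file."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = p.stat().st_mode & 0o7777
            result[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": oct(mode),
            }
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def save_baseline(snap: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small web root, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp())
    store = Path(tempfile.mkdtemp())  # baseline kept outside the monitored tree
    try:
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "index.html").write_text("<h1>store</h1>\n")
        (root / "old.txt").write_text("retired\n")
        os.chmod(root / "etc" / "app.conf", 0o600)
        os.chmod(root / "index.html", 0o644)
        save_baseline(snapshot(root), store / "baseline.json")

        # Simulated unauthorized changes since the baseline was taken
        (root / "etc" / "app.conf").write_text("db_host=203.0.113.9\n")   # content edited
        os.chmod(root / "index.html", 0o777)                              # permissions loosened
        (root / "shell.php").write_text("<?php echo 'unexpected'; ?>\n")  # new file dropped
        (root / "old.txt").unlink()                                       # file deleted

        return compare(load_baseline(store / "baseline.json"), snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

    Three points for anyone running something like this for 11.5. The baseline must live outside the monitored tree and be protected (on a separate host, or signed), otherwise the same intruder who alters a file can alter its recorded hash. Permission bits are part of the record because loosening a file's mode is a modification even when its bytes are unchanged. And a weekly hash comparison satisfies the letter of the requirement but only says that a file changed, not who changed it or when; that attribution is what the file activity monitoring described above adds on top of a periodic scan.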

    [1] Lessons Learned: Top Reasons for PCI Audit Failure and How to Avoid Them, Verisign

    • Database Security
      Product: SecureSphere Database Activity Monitoring or SecureSphere Database Firewall
      Capabilities:
      • Addresses PCI 10
      • Audits all access to sensitive database data
      • Alerts on, and optionally blocks [2], abnormal access to sensitive data
      • Offers a tamper-proof audit trail
      • Discovers databases and classifies data to determine the scope of the PCI audit
      • Provides pre-defined compliance reports with customization capabilities
      Product: User Rights Management for Databases
      Capabilities:
      • Addresses PCI 7 and 8.5
      • Detects dormant users and excessive access rights
      • Aggregates and reports on user access rights
      • Provides a built-in workflow for database access rights review
    • File Security
      Product: SecureSphere File Activity Monitoring or SecureSphere File Firewall
      Capabilities:
      • Addresses PCI 10 and 11.5
      • Audits all access to unstructured data
      • Alerts on, and optionally blocks [3], abnormal access to sensitive data
      • Offers a tamper-proof audit trail
      • Provides pre-defined compliance reports with customization capabilities
      Product: User Rights Management for Files
      Capabilities:
      • Addresses PCI 7 and 8.5
      • Detects dormant users and excessive access rights
      • Aggregates and reports on user access rights
      • Provides a built-in workflow for file access rights review
    • Web Application Security
      Product: SecureSphere Web Application Firewall
      Capabilities:
      • Addresses PCI 6.6
      • Continuously protects against known and zero-day application attacks
      • Blocks exploitation of common application vulnerabilities, including the OWASP Top Ten
      • Provides transparent protection with no changes to existing applications or network
      • Automates security management by dynamically learning application usage
      • Integrates with application scanners for virtual patching of discovered vulnerabilities
      • Offers compliance reports

    [2] Blocking access to sensitive data in databases requires SecureSphere Database Firewall (DBF).
    [3] Blocking access to sensitive files requires SecureSphere File Firewall (FFW).