In response to acquirers, merchants, and service providers’ feedback regarding the need for stronger information security and a single approach to safeguarding sensitive data for all payment card brands, Visa and MasterCard collaborated and released common industry security requirements in January of 2005. 

These requirements are known as the Payment Card Industry Data Security Standard (PCI DSS). Globally accepted across the payment industry, PCI DSS ensures that compliance with the following specific, mandated card scheme programs is met:

  • American Express Data Security Operating Policy (DSOP)
  • Discover Information Security and Compliance (DISC)
  • MasterCard Site Data Protection (SDP) Security Certification
  • Visa Account Information Security (AIS)
  • Visa Cardholder Information Security Program (CISP)

The purpose of PCI is to protect cardholder information, reduce debit and credit card fraud, and identify security issues that could lead to the compromise of cardholder information by imposing strict security standards on how cardholder data is handled and stored. PCI requires that those businesses that process, store, or transmit cardholder account and/or transaction information adhere to its requirements. This includes all members, merchants, retailers, and payment service providers. Failure to comply with PCI and any subsequent breach of card data within a merchant’s site may result in substantial fines (up to $500,000) and, potentially, the inability to accept card payments.

Ensuring Compliance
Most companies aim to comply with PCI without significantly increasing staff and IT costs. With the potential result of non-compliance being severely damaged financial health and a tarnished company reputation, it is imperative to find a simple, yet comprehensive, solution. The Sourcefire 3D® System delivers highly integrated, intelligent network security technologies unified under one easy-to-use management console. This intelligent cybersecurity approach affords customers an efficient and effective layered security defense, protecting network assets before, during, and after an attack. With real-time, 24x7 network monitoring and security policy enforcement, customers are protected to the fullest extent possible. The 3D System can also automate the enforcement of security, network access, and usage policies without increasing IT staff, for the most effective and efficient network protection.

Sourcefire Supports PCI DSS Requirements
As the enterprise security system for our customers, Sourcefire provides the following capabilities critical to meeting the core mandates of the PCI DSS:

PCI Requirement / Sourcefire 3D Approach

1.1 - Documented list of ports, services, and protocols needed for business; standard router configuration
2.2 - Development and enforcement of configuration policy
    Approach: Always-on discovery and profiling of all assets on the network provides the ability to set and automatically enforce configuration and network use policies.

6.2 - Identify and remediate vulnerabilities
    Approach: The 3D System creates a real-time profile of the OS, applications, services, ports, etc. on every host and maps it against a database of known vulnerabilities. Configuration changes result in a continuously updated risk assessment against known vulnerabilities.

10.1 - Identify users' access to system components
    Approach: Sourcefire RUA® detects Active Directory and LDAP logins and pairs usernames with the corresponding IP addresses. The user's full name, department, and contact information are provided.

10.3 - Record audit trail entries for all system components
    Approach: For security and compliance events, RUA provides the user connection with the currently assigned IP address and time stamps.

11.2 - Quarterly vulnerability scans
    Approach: Passive discovery and vulnerability assessments are augmented by integrated active scanning technology to ensure an up-to-date picture of all vulnerabilities in the environment.

11.4 - Use IDS and/or IPS to monitor network traffic
    Approach: Sourcefire IPS™ satisfies the PCI DSS requirements for IDS/IPS.

12.5.2 - Monitor and analyze events
    Approach: Impact Flags make it possible to analyze events based on the relative risk of each event, enabling response to high-priority alerts first.

12.9 - Incident response and reporting
    Approach: The 3D System supports automated response and alerting on security incidents. Custom reports are available on security events as well as policy violations.
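The two mechanisms the table leans on for requirements 10.1/10.3 (pairing directory logins with IP addresses and time stamps so an event can be attributed to a user) and 12.5.2 (ranking events by their relative risk to the target host) are easy to see in a small model. The Python below is an added example written for this page; it is not Sourcefire code and does not reproduce the product's Impact Flag logic. The login log format, host profiles, alerts and VULN-nnnn identifiers are constructed placeholders, and the four-level ranking is a simplified assumption.

```python
"""Enrich IDS alerts with target-host impact and source-user identity.

Added example, not Sourcefire code.  Data and formats are constructed;
VULN-nnnn ids are placeholders, not real vulnerability identifiers.
"""
import re
from datetime import datetime, timezone

# Constructed host profiles, as passive discovery would build them:
# ip -> OS, open TCP ports, ids of vulnerabilities believed present.
HOST_PROFILES = {
    "10.0.2.15": {"os": "Windows Server 2003", "ports": {80, 135, 445},
                  "vulns": {"VULN-0001", "VULN-0007"}},
    "10.0.2.20": {"os": "Linux 2.6", "ports": {22, 443},
                  "vulns": {"VULN-0042"}},
}

# Constructed directory login log; the line format is an assumption.
LOGIN_LOG = """\
2005-03-01T08:02:11Z LOGON  user=jdoe   src=10.0.1.23 dir=AD
2005-03-01T08:05:40Z LOGON  user=asmith src=10.0.1.50 dir=LDAP
2005-03-01T09:10:02Z LOGOFF user=jdoe   src=10.0.1.23 dir=AD
2005-03-01T09:12:30Z LOGON  user=mlee   src=10.0.1.23 dir=AD
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>LOGON|LOGOFF)\s+user=(?P<user>\S+)\s+src=(?P<ip>\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_logins(text):
    """Return (time, action, user, ip) tuples sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["action"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def user_at(events, ip, when):
    """User logged on from `ip` at time `when`, or None if nobody is known.

    A LOGON assigns the user to the IP, a LOGOFF clears it; only events at or
    before `when` count, which gives the user/IP/time-stamp pairing an audit
    trail needs.
    """
    current = None
    for ts, action, user, src in events:
        if ts > when:
            break
        if src == ip:
            current = user if action == "LOGON" else None
    return current


def impact_level(alert, profiles):
    """Rank an alert 1 (most urgent) to 4 by its relevance to the target.

    Simplified model (an assumption for this example):
      1  target known and the vulnerability the alert refers to is present
      2  target known, attacked port is open, vulnerability not confirmed
      3  target known but the attacked port is closed
      4  target not in the host profile database
    """
    host = profiles.get(alert["dst"])
    if host is None:
        return 4
    if alert.get("vuln") in host["vulns"]:
        return 1
    if alert["dst_port"] in host["ports"]:
        return 2
    return 3


def enrich(alerts, profiles, login_text):
    """Attach impact level and source user to each alert, most urgent first."""
    events = parse_logins(login_text)
    out = []
    for a in alerts:
        e = dict(a)
        e["impact"] = impact_level(a, profiles)
        e["user"] = user_at(events, a["src"], parse_ts(a["time"]))
        out.append(e)
    out.sort(key=lambda e: (e["impact"], e["time"]))
    return out


# Constructed IDS alerts for the example.
ALERTS = [
    {"time": "2005-03-01T09:15:00Z", "src": "10.0.1.23", "dst": "10.0.2.15",
     "dst_port": 445, "vuln": "VULN-0007", "sig": "SMB exploit attempt"},
    {"time": "2005-03-01T08:30:00Z", "src": "10.0.1.50", "dst": "10.0.2.20",
     "dst_port": 80, "vuln": "VULN-0003", "sig": "HTTP attack"},
    {"time": "2005-03-01T08:31:00Z", "src": "10.0.1.50", "dst": "10.0.2.99",
     "dst_port": 22, "vuln": None, "sig": "SSH scan"},
    {"time": "2005-03-01T09:00:00Z", "src": "10.0.1.23", "dst": "10.0.2.20",
     "dst_port": 443, "vuln": "VULN-0099", "sig": "TLS probe"},
]

if __name__ == "__main__":
    for e in enrich(ALERTS, HOST_PROFILES, LOGIN_LOG):
        print(f"impact={e['impact']} {e['time']} {e['src']} ({e['user']}) -> "
              f"{e['dst']}:{e['dst_port']} {e['sig']}")
```

Run as a script, the four constructed alerts come out ordered by impact: the SMB attempt against a host profiled with that vulnerability first, the unknown-target SSH scan last, and each is attributed to the user that the login log places at the source IP at that moment (the 09:15 alert maps to mlee, not jdoe, because jdoe's LOGOFF precedes it). The point the table makes is visible in the code: prioritisation depends on an accurate host profile, and attribution depends on LOGOFF events being logged as faithfully as LOGON events.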