Compliance
Payment Card Industry (PCI)
Regulation Overview
In response to acquirers, merchants, and service providers' feedback regarding the need for stronger information security and a single approach to safeguarding sensitive data for all payment card brands, Visa and MasterCard collaborated and released common industry security requirements in January of 2005. These requirements are known as the Payment Card Industry (PCI) Data Security Standard. Globally accepted across the payment industry, PCI ensures that compliance with the following specific, mandated card scheme programs is met:
- American Express Data Security Operating Policy (DSOP)
- Discover Information Security and Compliance (DISC)
- MasterCard Site Data Protection (SDP) Security Certification
- Visa Account Information Security (AIS)
- Visa Cardholder Information Security Program (CISP)
The purpose of PCI is to protect cardholder information, reduce debit and credit card fraud, and identify security issues that could lead to the compromise of cardholder information by imposing strict security standards on how cardholder data is handled and stored.
PCI requires that those businesses that process, store, or transmit cardholder account and/or transaction information adhere to its requirements. This includes all members, merchants, retailers, and payment service providers. Failure to comply with PCI and any subsequent breach of card data within a merchant's site may result in substantial fines (up to $500,000) and, potentially, the inability to accept card payments.
Ensuring Compliance
Most companies aim to comply with PCI without significantly increasing staff and IT costs. With the potential result of non-compliance being severely damaged financial health and a tarnished company reputation, it is imperative to find a simple, yet comprehensive, solution. The Sourcefire 3D System™ is the first to unify IPS, NBA, NAC and Vulnerability Assessment technologies under the same management console. This ETM approach affords customers an efficient and effective layered security defense, protecting network assets before, during and after an attack.
With real-time, 24x7 network monitoring and security policy enforcement, customers are protected to the fullest extent possible. 3D can also automate the enforcement of security, network access, and usage policies without increasing IT staff, for the most effective and efficient network protection.
Sourcefire Supports PCI Data Security Standard Requirements
As the enterprise security system for our customers, Sourcefire provides the following capabilities critical to meeting the core mandates
of the PCI Data Security Standard:
| PCI Requirement | The Sourcefire 3D Approach |
|---|---|
| 1.1 Documented list of ports, services, and protocols needed for business; standard router configuration. 2.2 Development and enforcement of configuration policy | Always-on discovery and profiling of all assets on the network provides the ability to set and automatically enforce configuration and network use policies |
| 6.2 Identify and remediate vulnerabilities | 3D creates a real-time profile of the OS, applications, services, ports, etc. on every host and maps that against a database of 12,000+ known vulnerabilities. Configuration changes result in a continuously updated risk assessment vs. known vulnerabilities |
| 11.2 Quarterly vulnerability scans | Passive discovery and vulnerability assessments are augmented by integrated active scanning technology to ensure an up-to-date picture of all vulnerabilities in the environment |
| 12.5.2 Monitor and analyze events | Impact flags make it possible to analyze events based on the relative risk of any event, enabling response to high-priority alerts first |
| 12.9 Incident response and reporting | The 3D System supports automated response and alerting on security incidents. Custom reports are available on security events as well as policy violations |