PCI Compliance
We Can Help Make it Happen
Compliance Matters
The PCI Data Security Standard (DSS) was developed by the founding payment brands of the PCI Security Standards Council
(American Express®, Discover® Financial Services, JCB®, MasterCard® Worldwide and Visa® International) to facilitate
the broad adoption of consistent data security measures on a global basis. Its primary goal is to provide a standard by which the
payment card industry can “self-regulate.” In addition, a number of initiatives are currently underway in state legislatures and
among federal regulators to increase the penalties for non-compliant organizations. More so now than ever before, compliance matters.
[Diagram: the integrated elements of the offering]
Reporting: Compliance Discovery, Security Alerts, Stealth Attacks, Prioritized Threats, Policy Violations, Access Violations, Audit Trails
Technology: IDS / IPS, UTM, NBA, AV, AS, CF, Firewalls, Threat Management, Log Management, SIEM
Process and Services: 24/7 Monitoring, Firewall Mgmt & Monitoring, Log File Mgmt & Monitoring, Quarterly Vulnerability Scans, Quarterly Perimeter Scans, Annual Audit, Consulting Policy, Procedure, Assessment, Gap Analysis, Remediation, Vulnerability Scans, Perimeter Scans, PCI Consulting Services
Rethinking PCI Compliance
PCI DSS is a multi-faceted security standard that includes specific requirements for security management, policies, procedures,
network architecture, software design, training and other critical protective measures. Coupled with Premium PCI Managed and
Professional Services, Masergy’s Unified Enterprise Security™ (UES) systems take a holistic approach to helping customers
achieve and maintain PCI compliance, seamlessly integrating process, technology, service and reporting.
Key technology elements center on and complement Masergy’s patented adaptive behavioral analysis and correlation
engine, which works like a complex credit card fraud detection system on steroids. The technology discovers and tracks anomalous
behavior over time, the kind of activity that eventually makes newspaper headlines, giving you the opportunity to take
preemptive action.
Make Life Easier.
Partner with Masergy, A Certified PCI Vendor.
What does all this mean to your organization? The alleviation of business risk (along with demonstrating the expected “due care”
related to storage, processing, and transmission of critical cardholder data as defined by the PCI DSS) is complex and
resource-dependent.
At Masergy, we understand that compliance depends on a number of critical factors. From auditing to technology, process, and
policy, Masergy understands that each organization has different requirements depending on where they currently stand on
the “compliance path.” That’s why we approach the challenge of compliance in a holistic fashion, tailoring our services to your
organization’s current needs and specific requirements.
You can be confident that Masergy, one of the few PCI-certified companies, can provide the partnership required to help you
efficiently achieve and maintain PCI compliance.
2009 Best Products & Services – Reader’s Trust Award
Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader’s Trust Award for Unified Security.
2009 Global Product Excellence - Customer Trust Award
Info Security Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security.
2009 Product Innovation Award
Network Products Guide has named Masergy’s Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Security Solution (Hardware and Software) category. Masergy also received the Product Innovation award in 2008 for its All-n-One Security Module for Enterprise UTM.
2009 ‘Tomorrow’s Technology Today’ Award
Info Security Products Guide has named Masergy’s Enterprise UTM++ a winner of the 2009 Tomorrow’s Technology Today Award for the Integrated Security Solution (Hardware and Software) category. Masergy has also received the Tomorrow’s Technology Today award in prior years (2006, 2007 & 2008) for Unified Security, Network Security and Security Risk Management Managed Security Services.
SC Magazine 2008 Industry Innovator
[Architecture diagram: Enterprise UTM with Network Behavioral Analysis & Correlation. Functions: Protect, Monitor, Alert, Report. Inputs: Users, Servers, Firewalls, Syslogs, Switches, Routers, Policies, Threats, Internet. Unified Administration, Monitoring, Reporting on a Trusted Computing Base.]
A fully integrated, highly scalable, passive network security suite with patented behavioral analysis & correlation shared by all applications
A holistic, non-intrusive, layered approach to PCI compliance
COMPREHENSIVE PCI COMPLIANCE REPORTING
Using the most advanced algorithms in the industry, Masergy automatically analyzes your threat status and continually compiles
comprehensive sets of reports on suspicious activity. Specific to PCI compliance, we offer the following reporting services:
VULNERABILITY SCAN REPORTS
• Current Risk Report
• Current Risk Summary
• Ignored Vulnerabilities Report
• Vulnerability Escalation Report
• Vulnerability History Report
• Report by Vulnerability, giving for each vulnerability:
♦ Detailed description
♦ Consequences
♦ Detailed remediation steps
♦ Risk factor
♦ Links to CVEs, patches, etc.
VULNERABILITY MANAGEMENT REPORTS
• Prioritized Vendor Threats
• Prioritized Network Threats
• Prioritized Global Threats
• Prioritized Vulnerabilities
• Prioritized Threat List (all), linking each threat with:
♦ Threat sources, ports, protocols
♦ Targeted assets
♦ Required remediation steps & patches
• Rolling 30-day Threat Remediation Report
• Network Access Policy Violation Report
• Geographic Origin of Attackers
• Identifies/documents external usage of enterprise services and resources
• Identifies/documents internal usage of external services and resources
♦ Usage by protocol: Web, Encrypted Web, SMTP Mail, Encrypted SMTP Mail (SSL), POP3 Mail, Encrypted POP (SSL), IMAP Mail, Encrypted IMAP Mail, FTP, Telnet, SSH, LDAP, Socks, News, Encrypted News (SSL), Windows Share (netbios-ssn), Napster, IM, Proprietary (other)
Masergy’s 12 Steps to PCI Compliance.
A. Build and Maintain a Secure Network
1. We can guide your organization in establishing, optimizing, and maintaining industry best practice firewall configuration standards, as well as install and maintain a firewall configuration to protect cardholder data. This protects all systems from unauthorized Internet access. We will also share and develop with you industry best practice configuration standards for the rest of your major system components.
2. Monthly configuration scans are performed to ensure your organization is not using vendor-supplied defaults for system passwords or other security parameters. Defaults are not only well known in hacker communities, they can easily be found in public information, making your organization an easy target.
B. Protect Cardholder Data
3. Monthly testing and assessments of your cardholder data processing, storage and encryption methodology are performed to ensure the cardholder data is properly protected.
4. Testing and assessment will ensure your organization is using the required strong cryptography and security protocols to protect sensitive information during transmission across open, public networks.
C. Maintain a Vulnerability Management Program
5. Periodic audits are conducted to provide the oversight needed to make sure your organization’s anti-virus software is kept up to date.
6. Our Enterprise UTM compliance offering includes an integrated threat management solution to help your organization ensure its network and device vulnerabilities are discovered, prioritized and resolved effectively.
D. Implement Strong Access Control Measures
7. Our professional services organization can guide your organization on security process, policy, and technology to ensure access to cardholder data is granted strictly on a business need-to-know basis, so that critical data is untouchable by unauthorized personnel.
8. Our periodic audits and testing make sure a unique ID is assigned to each person with computer access.
9. We also help you confirm that the necessary restrictions are in place regarding physical access to cardholder
E. Regularly Monitor and Test Networks
10. The Enterprise UTM component of our PCI compliance offering tracks and monitors all access to network resources and cardholder data, so that the cause of any policy violation can be determined through system alerts and activity logs.
11. As a PCI Approved Scanning Vendor, we will provide the required periodic vulnerability scans and penetration testing of your systems, processes and custom software to ensure security is maintained over time and throughout software changes.
F. Maintain an Information Security Policy
12. Based on your specific requirements, the Masergy professional services team can work with your organization to establish and maintain policies that address information security, as well as processes that confirm all employees, contractors, and vendor partners are aware of the sensitivity of your data and their responsibility for protecting it.
PCI compliance is a significant undertaking for most organizations. The need for organizations that process, store, or transmit cardholder data to achieve and maintain PCI compliance continues to grow. Masergy’s Premium PCI Managed Services and Enterprise UTM Technology have the flexibility to meet the specific compliance needs of your organization.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into
more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions
that do not meet the specified security criteria.
All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees’
Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from
the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer
network.
PCI Requirement / Product/Service Solution / Description
1.1.1 Formal Change Approval Process
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.
Professional Services
• Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.
1.1.2 Current Network Diagram
Professional Services
• Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks.
1.1.3 Firewall Requirements
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
1.1.3 Firewall Requirements (continued)
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
Professional Services
• Based upon your IT infrastructure and business requirements, the Masergy professional services team will define formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network.
1.1.4 Groups, Roles, Responsibilities
Professional Services
• Working with your team, Masergy will develop a current description of groups, roles, and responsibilities for logical management of network components.
1.1.5 Services, Ports Necessary for Business
Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC (Security Control Center).
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC.
1.1.6 Justification for Non-Standard Protocols
Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request.
• A specific report is available at any time by simply contacting the SCC.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request.
• A specific report is available at any time by simply contacting the SCC.
Professional Services
• Masergy will work with your organization to identify non-standard protocols in use. We will be responsible for developing a formal justification for required non-standard protocols.
1.1.7 Justification for Risky Protocols (e.g., FTP)
Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and
document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP).
• There are also several reports that catalog the use of FTP and other risky protocols.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
1.1.7 Justification for Risky Protocols (e.g., FTP) (continued)
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for
business, including any risky protocols allowed such as file transfer protocol (FTP).
• There are also several reports that catalog the use of FTP and other risky protocols.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC.
Professional Services
• Masergy will work with your organization to identify risky protocols in use. We will be responsible for developing a formal justification for required risky protocols.
1.1.8 Quarterly Review of FW & Router Rules
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue
a complete report.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.
Professional Services
• The Masergy professional services team will perform a quarterly review of the firewall and router rule sets.
1.1.9 Router Configuration Standards
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy offers industry best practice configuration standards for routers.
Professional Services
• The Masergy professional services team will
1.2 FW Rules to Deny “Untrusted” Networks & Hosts
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy builds a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy builds a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.
Network Access Monitoring via Network Security Zones
Enterprise UTM++ Configurations: requires Z-1000-G Software; ASM Configurations: requires Z-2500-G Software
• Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific
network resource objects: users, systems, applications, date/time, etc. — with secure boundaries for specific systems, applications and users.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.
Professional Services
• The Masergy professional services team offers a
1.3 FW Rules to Restrict Connections
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.
Professional Services
• The Masergy professional services team will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.
1.3.1 Ingress Filters
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy restricts inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will restrict inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
Professional Services
• Based upon your business environment, the Masergy professional services team will deliver a recommended configuration design, restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
1.3.2 Inhibit Internal Address from Reaching Internet via DMZ
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
1.3.2 Inhibit Internal Address from Reaching Internet via DMZ (continued)
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will not allow internal addresses to pass from the Internet into the DMZ.
Professional Services
• Working with your particular infrastructure, the Masergy professional services team will recommend a design that does not allow internal addresses to pass from the Internet into the DMZ.
1.3.3 Implement Stateful Inspection
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network).
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network).
Professional Services
• The Masergy professional services team will offer a design and periodically verify that stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network), is properly implemented.
1.3.4 Segregate DMZ and Database(s)
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will ensure the firewall
1.3.4 Segregate DMZ and Database(s) (continued)
Network Security Zones
For UTM++ Configurations: requires Z-1000-G Network Security Zones Feature; for ASM Configurations: requires Z-2500-G Network Security Zones Feature. No additional HW or SW agents are required.
• As part of the NSZ capability and service, secure computing policies are established to logically place database(s) in an internal network zone, segregated from the DMZ.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.
Professional Services
• As part of the service, Masergy will recommend a design and periodically verify that the database is in an internal network zone, segregated from the DMZ.
1.3.5 Restrict I/O Traffic
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
All-n-One Security Module (ASM): N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
1.3.5 Restrict I/O Traffic (continued)
Network Security Zones
For UTM++ Configurations: requires Z-1000-G Network Security Zones Feature; for ASM Configurations: requires Z-2500-G Network Security Zones Feature. No additional HW or SW agents are required.
• As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.
Professional Services
• As part of the service, Masergy will offer a design and periodically confirm that network access restricting inbound and outbound traffic to that which is necessary for the cardholder data environment is properly implemented.
1.3.6 Secure & Synch Router Configuration Files
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
Professional Services
• As part of the service, Masergy will periodically
1.3.7 Deny all Other Nonessential I/O Traffic
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will configure network access to deny all other inbound and outbound traffic not specifically allowed.
Network Security Zones
Requires Z-1000-G Network Security Zones Feature; requires N-2800-G Firewall Syslog Module to block/deny NSZ policy violations. No additional HW or SW agents are required.
• As part of the NSZ capability and service, secure computing policies can be established to deny all other inbound and outbound traffic not specifically allowed.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.
Professional Services
• As part of the service, Masergy will offer a design and periodically confirm that network access is configured to deny all other inbound and outbound traffic not specifically allowed.
1.3.8 Install Perimeter FW Between Wireless Networks and PCI Data
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure them to deny all traffic from the wireless environment or, where such traffic is necessary for business purposes, to control it.
Professional Services
• As part of the service, Masergy will install perimeter
1.3.9 Install PC FW on any Mobile and Employee-Owned Computers with Direct Internet Connections
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will monitor personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
• Requires a software syslog agent to be installed on each monitored laptop, transmitting to the N-2800-G Firewall Syslog Module (FSM), or syslog output from the personal firewall management/administration console.
Professional Services
• As part of the service, Masergy will periodically confirm the appropriate installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization’s network.
• Customer must supply the personal firewall software.
1.4 Prohibit Direct Public Access to any PCI Data
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
Network Security Zones
Requires Z-1000-G Network Security Zones Feature
No Additional HW or SW Agents are Required.
Requires N-2800-G Firewall Syslog Module to Enable Blocking at Firewalls and/or Switches and Routers.
• As part of the NSZ capability and service, secure computing policies will prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
Professional Services
• As part of the service, Masergy will recommend a design to logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
1.4.1 Prohibit Direct Routes in the DMZ
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.
All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.
Professional Services
• As part of the service, Masergy will offer a detailed design to implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.
1.4.2 Restrict Outbound Traffic from PCI Applications in the DMZ
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will restrict outbound traffic from payment card applications to IP addresses within the DMZ.
All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.
Professional Services
• As part of the service, Masergy will offer a detailed
1.5 Implement IP Masquerading
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).
All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).
Professional Services
• As part of the service, Masergy will offer a design and periodically confirm that IP masquerading to prevent internal addresses from being
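Requirements 1.3.7 through 1.5 above reduce to a handful of testable properties of the firewall policy. What follows is an added example, not Masergy's code and not taken from this document: a first-match policy evaluator that probes a ruleset with constructed packets and reports which of those requirements the ruleset fails. The zone names, address ranges, probe packets and both rulesets are assumptions made for the illustration.

```python
"""Added example (not Masergy's code): first-match firewall policy evaluator
that checks a ruleset against the Requirement 1 controls described above.
Zones, addresses, rules and probe packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Constructed zones. The most specific matching zone wins, so "internet"
# (0.0.0.0/0) is the catch-all for any address not listed elsewhere.
ZONES = {
    "internet": IPNet("0.0.0.0/0"),
    "dmz":      IPNet("192.0.2.0/24"),   # documentation range standing in for the DMZ
    "wireless": IPNet("10.50.0.0/16"),
    "cde":      IPNet("10.10.0.0/24"),   # cardholder data environment
}

RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dport: int


DENY_ALL = Rule("deny", "any", "any", None)


def zone_of(ip: str) -> str:
    """Most specific zone containing the address."""
    addr = ipaddress.IPv4Address(ip)
    hits = [z for z, net in ZONES.items() if addr in net]
    return max(hits, key=lambda z: ZONES[z].prefixlen)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides. A packet no rule matches is reported as
    'unmatched' rather than silently treated as denied: the implicit default
    differs between firewall vendors, and 1.3.7 wants the deny to be explicit."""
    s, d = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    for r in rules:
        if r.src in ("any", s) and r.dst in ("any", d) and r.dport in (None, pkt.dport):
            return r.action
    return "unmatched"


def is_rfc1918(net: IPNet) -> bool:
    return any(net.subnet_of(p) for p in RFC1918)


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (requirement, finding) pairs; an empty list means every check passed."""
    findings = []
    if not rules or rules[-1] != DENY_ALL:
        findings.append(("1.3.7", "ruleset does not end with an explicit deny-all rule"))
    probes = [  # constructed packets that must all be denied
        ("1.4",   Packet("203.0.113.9", "10.10.0.20", 1433), "Internet host reaches the cardholder database directly"),
        ("1.3.8", Packet("10.50.3.7", "10.10.0.20", 443),    "wireless client reaches the CDE"),
        ("1.4.2", Packet("10.10.0.20", "198.51.100.5", 443), "payment application can send traffic to the Internet"),
    ]
    for req, pkt, why in probes:
        if evaluate(rules, pkt) != "deny":
            findings.append((req, why))
    if not is_rfc1918(ZONES["cde"]):
        findings.append(("1.5", "CDE is not addressed from RFC 1918 space, so NAT/PAT cannot hide it"))
    return findings


# A ruleset as often found after years of "temporary" changes: no terminal
# deny, and a permit-any left behind by troubleshooting.
WEAK = [
    Rule("allow", "internet", "dmz", 443),
    Rule("allow", "dmz", "cde", 1433),
    Rule("allow", "any", "any", None),
]

# Only the traffic the business needs, then deny everything else.
HARDENED = [
    Rule("allow", "internet", "dmz", 443),   # public web tier
    Rule("allow", "dmz", "cde", 1433),       # web tier to payment database
    Rule("allow", "cde", "dmz", 443),        # payment app may only talk to the DMZ
    DENY_ALL,
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules) or "no findings")
```

Run against the weak ruleset it reports four findings; against the hardened one, none. Reporting an unmatched packet as a finding instead of assuming it is dropped is deliberate: a missing final deny is exactly what 1.3.7 exists to catch, and the same evaluator can be pointed at a real exported ruleset once the zones are filled in from the network design.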
Build and Maintain a Secure Network
Requirement 2
Do not use vendor-supplied defaults for system passwords and other security parameters.
Hackers (both external and internal to a company) often use vendor default passwords and other vendor default settings to
compromise systems. These passwords and settings are well known in hacker communities and easily determined via public
information.
PCI
Requirement
Product/Service Solution
Description
2.1 Change Vendor-Supplied Defaults for New Systems
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults before it is placed on the network (for example, default passwords and simple network management protocol (SNMP) community strings), and eliminate unnecessary accounts.
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.1.1 Change Wireless Vendor Defaults for New Systems
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults for wireless environments, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, SNMP community strings, as well as disable SSID broadcasts and enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.2 Configuration Standards for all System Components
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will offer recommended configuration standards for all system components, assure that these standards address all known security vulnerabilities, and that they are consistent with industry-accepted system hardening standards as defined, for example, by the SANS Institute (SysAdmin, Audit, Network, Security), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).
2.2.1 Implement Only One Primary Function per PCI Server
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will periodically audit to ensure only one primary function per server (for example, Web servers, database servers, and DNS should be implemented on separate servers).
2.2.2 Disable all Unnecessary and Insecure Services for all PCI System Components
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device’s specified function).
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.2.3 Configure System Security Parameters to Prevent Misuse for all PCI System Components
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will audit and recommend the optimal system security parameters to prevent misuse.
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.2.4 Remove all Unnecessary Functionality for all PCI System Components
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will identify unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.3 Encrypt all Non-Console Administrative Access
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will identify and recommend appropriate encryption methods for all non-console administrative access, and implement technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access.
• Periodically scan and provide suggested system remediation for detected vulnerabilities.
2.4 Hosting Providers Requirements
Professional Services
• As part of the service, Masergy audits any hosting providers
Protect Cardholder Data
Requirement 3
Protect stored cardholder data.
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and
gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other
effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods
for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full primary
account number (PAN) is not needed, and not sending PAN in unencrypted e-mails.
PCI
Requirement
Product/Service Solution
Description
3.1 Minimize Cardholder Data Storage
Professional Services
• As part of the service, Masergy will audit cardholder data storage minimum requirements, and make recommendations for reducing cardholder data storage.
• Working with your organization, we will develop a data retention and disposal policy.
• Establish storage amount limitation(s) and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.2 Sensitive Authentication Data Policy
Professional Services
• As part of the service, Masergy will audit PCI server authentication implementation(s) to ensure sensitive authentication data is not stored anywhere subsequent to authorization (even if encrypted).
• Working with your organization, we will develop a compliant authentication and disposal policy.
• Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 — 3.2.3.
3.2.1 Magnetic Stripe Data Handling Policy
Professional Services
• Working as an extension of your organization, Masergy will develop and implement policies to ensure there is no storage of the full contents of any track from the magnetic stripe (on the back of a card, in a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.
3.2.2 Card-Validation Code Handling Policy
Professional Services
• As part of the service, Masergy will audit card-validation code handling and retention practices (the three- or four-digit CVV2/CVC2/CID value printed on the card) and identify corrective measures to ensure PCI compliance.
• Working with your organization, we will develop a card-validation code handling and disposal policy.
• Ensure the card-validation code is used only to authorize a transaction and is never stored after authorization, even if encrypted, consistent with 3.2 above; the PIN and PIN block are covered separately under 3.2.3.
3.3 PAN Masking Policy
Professional Services
• As part of the service, Masergy will audit cardholder PAN usage, retention, and practices, and identify corrective measures to ensure PCI compliance.
• Develop primary account number (PAN) usage policy and practices to ensure masking the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
• Establish primary account number (PAN) limitation(s) and retention time to that which is required for business, legal, and/ or regulatory purposes, as documented in the data retention policy.
3.4 PAN Rendering Policy
Professional Services
• As part of the service, Masergy will audit cardholder PAN rendering usage, retention, and practices, and identify corrective measures to ensure PCI compliance.
• Develop primary account number (PAN) rendering policy and practices to ensure rendered PAN, at minimum, is unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
♦ Strong one-way hash functions (hashed indexes)
♦ Truncation
♦ Index tokens and pads (pads must be securely stored)
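Masking (3.3) and rendering unreadable (3.4) are cheap to implement but easy to combine unsafely. The following is an added example, not Masergy's code and not from this document: it shows display masking, truncation, and both an unkeyed and a keyed hashed index, then does what an attacker holding a breached table would do and recovers the full PAN from a masked value plus an unkeyed SHA-256 index by trying the hidden middle digits. The sample PANs are well-known test numbers, and the HMAC key is a placeholder standing in for a key managed under 3.5 and 3.6.

```python
"""Added example (not Masergy's code): PAN display masking (3.3), rendering a
stored PAN unreadable (3.4), and the check that shows why an unkeyed hash next
to a truncated or masked PAN is not unreadable. Sample PANs are constructed
test numbers; EXAMPLE_KEY is a placeholder for a properly managed key."""
import hashlib
import hmac
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; lets the search skip strings that cannot be PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_for_display(pan: str) -> str:
    """3.3: show at most the first six (BIN) and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_for_storage(pan: str) -> str:
    """3.4 truncation: the middle digits are discarded, not hidden."""
    return pan[:6] + pan[-4:]


def unkeyed_index(pan: str) -> str:
    """Plain one-way hash of the PAN. Unreadable on its own, but searchable."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_index(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the PAN: without the key no candidate can be tested."""
    return hmac.new(key, pan.encode(), "sha256").hexdigest()


def recover_from_mask(masked: str, digest: str) -> Optional[str]:
    """Brute-force the hidden middle digits of a masked or truncated PAN against
    an unkeyed SHA-256 index. For a 16-digit PAN only six digits are unknown and
    Luhn discards nine in ten of them, so about 10^5 hashes suffice. Returns the
    full PAN when it can be recovered, else None."""
    prefix, suffix = masked[:6], masked[-4:]
    width = len(masked) - 10
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}{suffix}"
        if luhn_ok(candidate) and hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


SAMPLE_PAN = "4111111111111111"     # constructed test number, Luhn-valid
EXAMPLE_KEY = b"placeholder-key-managed-under-3.5-and-3.6"   # assumption

if __name__ == "__main__":
    masked = mask_for_display(SAMPLE_PAN)
    print("display:", masked)
    print("stored (truncated):", truncate_for_storage(SAMPLE_PAN))
    print("recovered from mask + unkeyed hash:",
          recover_from_mask(masked, unkeyed_index(SAMPLE_PAN)))
    print("keyed index:", keyed_index(SAMPLE_PAN, EXAMPLE_KEY)[:16],
          "... (not searchable without the key)")
```

The point the code makes: with the first six and last four digits known, a 16-digit PAN has only 10^6 possibilities, and Luhn removes nine in ten of them, so an unkeyed hash stored alongside a truncated or masked PAN is recoverable in seconds. A keyed hash leaves the attacker unable to test candidates without the key, which is why the key protection in 3.5 and the key management in 3.6 are part of this control rather than separate from it.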
3.4.1 Disk Encryption Policy
Professional Services
• As part of the service, Masergy will audit disk encryption usage and practices, and identify corrective measures to ensure PCI compliance.
• Develop disk encryption usage policy and practices to ensure logical access is managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts), and that decryption keys are not tied to user accounts.
• Establish disk encryption application(s)/ implementation(s) required for business, legal, and/or regulatory purposes, as documented in the disk encryption usage policy.
3.5 Encryption Key Protection Policy (3.5.1 – 3.5.2)
Professional Services
• As part of the service, Masergy will audit protection of encryption keys used for encryption of cardholder data against both disclosure and misuse.
• Develop encryption key protection policy and practices to ensure against data compromise by both disclosure and misuse.
• Establish and document applications and practices required for business, legal, and/or regulatory purposes, utilizing encryption keys:
♦ Restrict access to keys to the fewest number of custodians necessary.
3.6 Encryption Key Management Procedures (3.6.1 – 3.6.10)
Professional Services
• As part of the service, Masergy will audit all key management processes and procedures for keys used for encryption of cardholder data, and identify corrective measures to ensure PCI compliance.
• Masergy will develop, fully document, and implement all key management processes and procedures for keys used for encryption of cardholder data, including:
♦ Generation of strong keys
♦ Secure key distribution
♦ Secure key storage
♦ Periodic changing of keys as deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically, or at least annually
♦ Destruction of old keys
♦ Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
♦ Prevention of unauthorized substitution of keys
♦ Replacement of known or suspected compromised keys
♦ Revocation of old or invalid keys
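Of the procedures listed for 3.6, split knowledge and dual control are the ones most often implemented ad hoc. The following is an added example, not Masergy's code and not from this document: the XOR key-component form used in payment key ceremonies, together with a check value that catches a missing, mistyped or substituted component before the key is ever used. The check value here is a truncated SHA-256 of the key, an assumption made for the example; production HSMs and key loaders use the cipher's own key check value.

```python
"""Added example (not Masergy's code): split knowledge and dual control for a
cardholder-data encryption key (3.6) using XOR key components. Each custodian
holds one component; the key exists only while all components are combined.
check_value() is a truncated SHA-256, an assumption standing in for the
cipher-based KCV real key loaders use."""
import hashlib
import secrets
from typing import List, Tuple

KEY_BYTES = 32   # AES-256 data-encrypting key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Return `custodians` components whose XOR is `key`. Every proper subset of
    them is uniformly random, so any one custodian learns nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]


def combine(components: List[bytes]) -> bytes:
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def check_value(key: bytes) -> str:
    """Short fingerprint recorded at generation and verified at every load."""
    return hashlib.sha256(key).hexdigest()[:6]


def generate_ceremony(custodians: int = 3) -> Tuple[List[bytes], str]:
    """Generate a strong key, record its check value, hand out the components.
    The whole key is never written anywhere; only the components and the KCV leave."""
    key = secrets.token_bytes(KEY_BYTES)
    return split_key(key, custodians), check_value(key)


def load_key(components: List[bytes], expected_kcv: str) -> bytes:
    """Reconstruct the key under dual control. A wrong, missing or substituted
    component changes the check value, which is how unauthorized substitution
    (3.6) is caught before the key is used to protect anything."""
    key = combine(components)
    if check_value(key) != expected_kcv:
        raise ValueError("check value mismatch: component missing, wrong or substituted")
    return key


if __name__ == "__main__":
    comps, kcv = generate_ceremony(3)
    print("check value:", kcv)
    print("reconstructed OK:", check_value(load_key(comps, kcv)) == kcv)
```

Every component is required: this is not a threshold scheme, so two of three custodians cannot reconstruct the key, which is what "each knowing only their part of the key" in the list above means in practice. The check value recorded at generation is also what lets an operator confirm a distributed or escrowed key without ever seeing it, and it is the mechanism behind the "prevention of unauthorized substitution of keys" item.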
Protect Cardholder Data
Requirement 4
Encrypt transmission of cardholder data across open, public networks.
Sensitive information must be encrypted during transmission over networks where it is easy and common for a hacker to intercept,
modify, and divert data in transit.
PCI
Requirement
Product/Service Solution
Description
4.1 Use Strong Cryptography and Security Protocols
Professional Services
• As part of the service, Masergy will audit use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over open public networks and identify corrective measures to ensure PCI compliance.
Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11), global system for mobile communications (GSM), and general packet radio service (GPRS).
• Develop and document strong cryptography and security protocol policy and procedures required to safeguard sensitive cardholder data during transmission over open public networks.
• Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over open public networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.
4.1.1 Wireless Networks Transmitting Cardholder Data
Professional Services
• As part of the service, Masergy will audit use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over wireless networks and identify corrective measures to ensure PCI compliance.
• Develop and document strong cryptography and security protocol policy and procedures for wireless networks transmitting cardholder data, including methods to encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.
• Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over wireless networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.
4.2 PAN e-mail Usage Policy
Professional Services
• As part of the service, Masergy will audit cardholder primary account number (PAN) e-mail usage, retention, and practices, and identify corrective measures to ensure PCI compliance.
• Develop primary account number (PAN) e-mail transmission policy and practices to ensure unencrypted PANs are never sent by e-mail.
• Establish and document all application(s) transmitting sensitive
Maintain Vulnerability Management Program
Requirement 5
Use and regularly update anti-virus software or programs
Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used
on all systems commonly affected by viruses to protect systems from malicious software.
PCI
Requirement
Product/Service Solution
Description
5.1 – 5.2 Anti-Virus Software Policy
Professional Services
Requires V-3001-G Vulnerability Scanner Module
• As part of the service, Masergy will audit anti-virus software usage and practices for all servers, desktops, laptops, and mobile devices, and identify corrective measures to ensure PCI compliance.
• Develop and document anti-virus software policy and practices to:
♦ Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
♦ Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
• Identify and document all application(s)/systems using anti-malware that may be required for business, legal, and/or regulatory purposes, as documented in the anti-virus software policy.
Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, for wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
Maintain Vulnerability Management Program
Requirement 6
Develop and maintain secure systems and applications
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed
by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect
against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that
have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For
in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and
secure coding techniques.
PCI
Requirement
Product/Service Solution
Description
6.1 – 6.2 Vulnerability Management
Security Dashboard
Requires: V-3001-G Vulnerability Scanner Module, I-6000-G Security Dashboard Module
As part of the managed service offering, Masergy will implement scheduled vulnerability scanning and a security dashboard to:
• Ensure that all system components and software have the latest vendor-supplied security patches installed.
• Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.
• Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.
• Provision IT responders with detailed remediation instructions (including links to CVEs and available patches) allowing IT responders to install relevant security patches, etc.
All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
Required Upgrade to I-2500-G Security Dashboard Feature
With upgrade to optional Security Dashboard feature to the base All-n-One Security Module, Masergy will implement scheduled vulnerability scanning and security dashboard to:
• Ensure that all system components and software have the latest vendor-supplied security patches installed.
• Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.
• Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.
Professional Services
The Masergy professional services team will perform a vulnerability assessment to:
• Ensure that all system components and software have the latest vendor-supplied security patches installed.
• Establish and document a comprehensive remediation process and procedure to install relevant security patches within one month of detection and/or patch availability.
• Establish and document a comprehensive process to identify newly discovered security vulnerabilities, and update configuration standards to address new vulnerability issues.
• Customer may require subscription to vendor alert services.
6.3 Software Development Security Practices
Professional Services
Requires V-3001-G Vulnerability Scanner Module
The Masergy professional services team will establish and document software development security best practices and incorporate information security throughout the software development life cycle, including:
• Testing of all security patches, and system and software configuration changes before deployment.
• Separate development, test, and production environments.
• Separate duties between development, test, and production environments.
• Ensure production data (live PANs) are not used for testing or development.
• Removal of test data and accounts before production systems become active.
• Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.
• Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.
6.4 Software Development Change Control Procedures
Professional Services
The Masergy professional services team will audit/establish and document software development change control procedures for all system and software configuration changes, including:
• Documentation of impact
• Management sign-off by appropriate parties
• Testing of operational functionality