
PCI Compliance

We Can Help Make it Happen

Compliance Matters

The PCI Data Security Standard (DSS) was developed by the founding payment brands of the PCI Security Standards Council (American Express®, Discover® Financial Services, JCB®, MasterCard® Worldwide and Visa® International) to help facilitate the broad adoption of consistent data security measures on a global basis. Its primary goal is to provide a standard by which the Payment Card Industry can “self-regulate.” In addition, a number of initiatives are currently underway from state legislatures and federal regulators to increase the penalties for non-compliant organizations. More so now than ever before … compliance matters.

[Diagram labels: Reporting, Process, Technology]

• Compliance Discovery, Security Alerts, Stealth Attacks, Prioritized Threats, Policy Violations, Access Violations, Audit Trails
• IDS / IPS, UTM, NBA, AV, AS, CF, Firewalls, Threat Management, Log Management, SIEM
• 24/7 Monitoring, Firewall Mgmt & Monitoring, Log File Mgmt & Monitoring, Quarterly Vulnerability Scans, Quarterly Perimeter Scans, Annual Audit, Consulting Policy, Procedure, Assessment, Gap Analysis, Remediation, Vulnerability Scans, Perimeter Scans, PCI Consulting Services


Rethinking PCI Compliance

PCI DSS is a multi-faceted security standard that includes specific requirements for security management, policies, procedures, network architecture, software design, training and other critical, protective measures. Coupled with Premium PCI Managed and Professional Services, Masergy’s Unified Enterprise Security ™ (UES) systems take a holistic approach to helping customers achieve and maintain PCI compliance, seamlessly integrating process, technology, service and reporting.

Key technology elements center around and complement Masergy’s patented adaptive behavioral analysis and correlation engine—like a complex credit card fraud detection system on steroids. The technology enables the discovery and tracking of odd behaviors over time—the kind of activity that eventually makes newspaper headlines—providing you with the opportunity to take preemptive action.

Make Life Easier.

Partner with Masergy, A Certified PCI Vendor.

What does all this mean to your organization? The alleviation of business risk (along with demonstrating the expected “due care” related to storage, processing, and transmission of critical cardholder data as defined by the PCI DSS) is complex and resource-dependent.

At Masergy, we understand that compliance depends on a number of critical factors. From auditing to technology, process, and policy, Masergy understands that each organization has different requirements depending on where they currently stand on the “compliance path.” That’s why we approach the challenge of compliance in a holistic fashion, tailoring our services to your organization’s current needs and specific requirements.

You can be confident that Masergy, one of the few PCI-certified companies, can provide the partnership required to help you efficiently achieve and maintain PCI compliance.

2009 Best Products & Services – Reader’s Trust Award

Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader’s Trust Award for Unified Security.

2009 Global Product Excellence - Customer Trust Award

Info Security Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security.

2009 Product Innovation Award

Network Products Guide has named Masergy’s Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Security Solution (Hardware and Software) category. Masergy also received the Product Innovation award in 2008 for its All-n-One Security Module for Enterprise UTM.

2009 ‘Tomorrow’s Technology Today’ Award

Info Security Products Guide has named Masergy’s Enterprise UTM++ a winner of the 2009 Tomorrow’s Technology Today Award for the Integrated Security Solution (Hardware and Software) category. Masergy has also received the Tomorrow’s Technology Today award in prior years (2006, 2007 & 2008) for Unified Security, Network Security and Security Risk Management Managed Security Services.

SC Magazine 2008 Industry Innovator


[Diagram labels: Protect, Monitor, Alert, Report; Users, Servers, Firewalls, Syslogs, Switches, Routers, Policies, Threats; Unified Administration, Monitoring, Reporting; Internet; Trusted Computing Base; Enterprise UTM; Network Behavioral Analysis & Correlation]

A fully integrated, highly scalable, passive network security suite with patented behavioral analysis & correlation shared by all applications

A holistic, non-intrusive, layered approach to PCI compliance


COMPREHENSIVE PCI COMPLIANCE REPORTING

Using the most advanced algorithms in the industry, Masergy automatically analyzes your threat status and continually compiles comprehensive sets of reports on suspicious activity. Specific to PCI compliance, we offer the following reporting services:

• Current Risk Report
• Current Risk Summary
• Ignored Vulnerabilities Report
• Vulnerability Escalation Report
• Vulnerability History Report
• Report by Vulnerability
• Detailed description
• Consequences
• Detailed remediation steps
• Risk factor
• Links to CVEs, patches, etc.
• Prioritized Vendor Threats
• Prioritized Network Threats
• Prioritized Global Threats
• Prioritized Vulnerabilities
• Prioritized Threat List (all)
• Links Threats with:
• Threat sources, ports, protocols
• Targeted assets
• Required remediation steps & patches
• Rolling 30-day Threat Remediation Report
• Network Access Policy Violation Report
• Geographic Origin of Attackers
• Identifies/documents external usage of enterprise services and resources
• Identifies/documents internal usage of external services and resources
♦ Web Usage
♦ Encrypted Web Usage
♦ SMTP Mail Usage
♦ Encrypted SMTP Mail Usage (SSL)
♦ POP3 Mail Usage
♦ Encrypted POP (SSL) Usage
♦ IMAP Mail Usage
♦ Encrypted IMAP Mail Usage
♦ FTP Usage
♦ Telnet Usage
♦ SSH Usage
♦ LDAP Usage
♦ Socks Usage
♦ News Usage
♦ Encrypted News Usage (SSL)
♦ Windows Share Usage (netbios-ssn)
♦ Napster Usage
♦ IM Usage
♦ Proprietary (other)

VULNERABILITY SCAN REPORTS

VULNERABILITY MANAGEMENT REPORTS


Masergy’s 12 Steps to PCI Compliance.

A. Build and Maintain a Secure Network

1. We can guide your organization in establishing, optimizing, and maintaining industry best practice firewall configuration standards, as well as install and maintain a firewall configuration to protect cardholder data. This optimizes the protection of all systems from unauthorized Internet access. We’ll also share/develop with you industry best practice configuration standards for the rest of your major system components.

2. Monthly configuration scans are performed to ensure your organization is not using vendor-supplied defaults for system passwords or other security parameters. Not only are defaults well known in hacker communities, but they can easily be found in public information—making your organization an easy target.

B. Protect Cardholder Data

3. Monthly testing and assessments of your cardholder data processing, storage and encryption methodology are performed to ensure the cardholder data is properly protected.

4. Testing and assessment will ensure your organization is using the required strong cryptography and security protocols to protect sensitive information during transmission across open public networks.

C. Maintain a Vulnerability Management Program

5. Periodic audits are conducted to assist with the necessary oversight to make sure your organization’s anti-virus software or programs are updated.

6. Our Enterprise UTM compliance offering includes an integrated threat management solution to help your organization ensure its network and device vulnerabilities are discovered, prioritized and resolved in an effective manner.

D. Implement Strong Access Control Measures

7. Our professional services organization can guide your organization related to security process, policy, and technology to ensure access to cardholder data is appropriate based upon business “need-to-know.” This ensures critical data is untouchable by unauthorized personnel.

8. Our periodic audits and testing make sure a unique ID is assigned to each person with computer access.

9. We also help you confirm that the necessary restrictions are in place regarding physical access to cardholder


E. Regularly Monitor and Test Networks

10. The Enterprise UTM component of our PCI compliance offering tracks and monitors all access to network resources and cardholder data so that the cause of any policy violation can be determined through system alerts and activity logs.

11. As a PCI Approved Scanning Vendor, we will provide the required periodic vulnerability scans and penetration testing of your systems, processes and custom software to ensure security is maintained over time and throughout software changes.

F. Maintain an Information Security Policy

12. Based on your specific requirements, the Masergy professional services team can work with your organization to establish and maintain policies that address information security, as well as processes that confirm all employees, contractors, and vendor partners are aware of the sensitivity of your data and their responsibility for protecting it.

PCI compliance is a significant undertaking for most organizations. The criticality for organizations that process, store, or transmit cardholder data to achieve and maintain PCI compliance continues to increase. Masergy’s Premium PCI Managed Services and Enterprise UTM Technology have the necessary flexibility to meet the specific compliance needs of your organization.


Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

PCI Requirement | Product/Service Solution | Description

1.1.1 Formal Change Approval Process

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.

Professional Services
• Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.

1.1.2 Current Network Diagram

Professional Services
• Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks.

1.1.3 Firewall Requirements

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module



All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

Professional Services
• Based upon your IT infrastructure/business requirements, the Masergy professional services team will define formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network.

1.1.4 Groups, Roles, Responsibilities

Professional Services
• Working with your team, Masergy will develop a current description of groups, roles, and responsibilities for logical management of network components.

1.1.5 Services, Ports Necessary for Business

Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC (Security Control Center).

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC.


1.1.6 Justification for Non-Standard Protocols

Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request.
• A specific report is available at any time by simply contacting the SCC.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request.
• A specific report is available at any time by simply contacting the SCC.

Professional Services
• Masergy will work with your organization to identify non-standard protocols in use. We will be responsible for developing a formal justification for required non-standard protocols.

1.1.7 Justification for Risky Protocols (e.g., FTP)

Behavioral Intrusion Detection/Prevention Security Monitoring Service
Requires A-5000-G Behavioral Correlation Module (BCM)
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP).
• There are also several reports that catalog the use of FTP and other risky protocols.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.


All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
Requires A-2500-G Behavioral Correlation Module Software
• Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP).
• There are also several reports that catalog the use of FTP and other risky protocols.
• Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request.
• A specific report can be requested at any time by simply contacting the SCC.

Professional Services
• Masergy will work with your organization to identify risky protocols in use. We will be responsible for developing a formal justification for required risky protocols.

1.1.8 Quarterly Review of FW & Router Rules

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.

Professional Services
• The Masergy professional services team will perform a quarterly review of the firewall and router rule sets.

1.1.9 Router Configuration Standards

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy offers industry best practice configuration standards for routers.

Professional Services
• The Masergy professional services team will


1.2 FW Rules to Deny “Untrusted” Networks & Hosts

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy builds a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy builds a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.

Network Access Monitoring via Network Security Zones
Enterprise UTM++ Configurations, Requires Z-1000-G Software
ASM Configurations, Requires Z-2500-G Software
• Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific network resource objects: users, systems, applications, date/time, etc. — with secure boundaries for specific systems, applications and users.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.

Professional Services
• The Masergy professional services team offers a


1.3 FW Rules to Restrict Connections

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.

Professional Services
• The Masergy professional services team will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements 1.3.1 – 1.3.9.

1.3.1 Ingress Filters

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy restricts inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will restrict inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).

Professional Services
• Based upon your business environment, the Masergy professional services team will deliver a recommended configuration design, restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).

1.3.2 Inhibit Internal Address from Reaching Internet via DMZ

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module


All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will not allow internal addresses to pass from the Internet into the DMZ.

Professional Services
• Working with your particular infrastructure, the Masergy professional services team will recommend a design and not allow internal addresses to pass from the Internet into the DMZ.

1.3.3 Implement Stateful Inspection

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network).

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network).

Professional Services
• The Masergy professional services team will offer a design and periodically verify that stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network), is properly implemented.

1.3.4 Segregate DMZ and Database(s)

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.
• For ASM devices under Contractual Managed Services, Masergy will ensure the firewall


Network Security Zones
For UTM++ Configurations, Requires Z-1000-G Network Security Zones Feature
For ASM Configurations, Requires Z-2500-G Network Security Zones Feature
No Additional HW or SW Agents are Required.
• As part of the NSZ capability and service, secure computing policies are established to logically place database(s) in an internal network zone, segregated from the DMZ.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.

Professional Services
• As part of the service, Masergy will recommend a design and periodically verify that the database is in an internal network zone, segregated from the DMZ.

1.3.5 Restrict I/O Traffic

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the service, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

All-n-One Security Module (ASM)
N-2500-S 10/100/1000Mb
N-2501-S 10Mb
N-2510-S 100Mb
N-2520-S 1000Mb
• The All-n-One Security Module (ASM) has a built-in firewall service.


Network Security Zones
For UTM++ Configurations, Requires Z-1000-G Network Security Zones Feature
For ASM Configurations, Requires Z-2500-G Network Security Zones Feature
No Additional HW or SW Agents are Required.
• As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console where trained security analysts perform incident response.
• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.
• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.

Professional Services
• As part of the service, Masergy will offer a design and periodically confirm that network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment is properly implemented.

1.3.6 Secure & Synch Router Configuration Files

Firewall Management & Monitoring Service
Requires N-2800-G Firewall Syslog Module
• As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.
• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.

Professional Services
• As part of the service, Masergy will periodically


1.3.7

Deny all Other

Nonessential

I/O Traffic

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will configure network access to deny all other inbound and outbound traffic not specifically allowed.

Network Security Zones

Requires Z-1000-G Network Security Zones Feature

Requires N-2800-G Firewall Syslog Module to Block/Deny NSZ Policy Violations

No Additional HW or SW Agents are Required.

• As part of the NSZ capability and service, secure computing policies can be established to deny all other inbound and outbound traffic not specifically allowed.

• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.

• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.

• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.

• Network Security Zone (NSZ) is a separate purchase or subscription option to behavioral intrusion detection/prevention service.

Professional Services

• As part of the service, Masergy will offer a design and periodically confirm that network access to deny all other inbound and outbound traffic not specifically allowed is properly implemented.

1.3.8 Install Perimeter FW Between Wireless Networks and PCI Data

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment, or to control such traffic where it is necessary for business purposes.

Professional Services

• As part of the service, Masergy will install perimeter


1.3.9 Install PC FW on any Mobile and Employee-Owned Computers with Direct Internet Connections

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will monitor personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

• Requires that a software syslog agent be installed on each monitored laptop to transmit to the FSM, or syslog output from the PC FW management/administration console.

Professional Services

• As part of the service, Masergy will periodically confirm the appropriate installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

• Customer must supply the personal firewall software.

1.4 Prohibit Direct Public Access to any PCI Data

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

Network Security Zones

Requires Z-1000-G Network Security Zones Feature

No Additional HW or SW Agents are Required.

Requires N-2800-G Firewall Syslog Module to Enable Blocking at Firewalls and/or Switches and Routers.

• As part of the NSZ capability and service, secure computing policies will prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

• Where systems are configured with N-2800-G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.

• NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.

• NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert.


1.4 Prohibit Direct Public Access to any PCI Data (Continued)

Professional Services

• As part of the service, Masergy will recommend a design to logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

1.4.1 Prohibit Direct Routes in the DMZ

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.

All-n-One Security Module (ASM)

N-2500-S 10/100/1000Mb

N-2501-S 10Mb

N-2510-S 100Mb

N-2520-S 1000Mb

• The All-n-One Security Module (ASM) has a built-in firewall service.

• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.

Professional Services

• As part of the service, Masergy will offer a detailed design to implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.

1.4.2 Restrict Outbound Traffic from PCI Applications in the DMZ

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will restrict outbound traffic from payment card applications to IP addresses within the DMZ.

All-n-One Security Module (ASM)

N-2500-S 10/100/1000Mb

N-2501-S 10Mb

N-2510-S 100Mb

N-2520-S 1000Mb

• The All-n-One Security Module (ASM) has a built-in firewall service.

• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and prohibit direct routes for inbound and outbound Internet traffic.

Professional Services

• As part of the service, Masergy will offer a detailed


1.5 Implement IP Masquerading

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, Masergy will implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).

All-n-One Security Module (ASM)

N-2500-S 10/100/1000Mb

N-2501-S 10Mb

N-2510-S 100Mb

N-2520-S 1000Mb

• The All-n-One Security Module (ASM) has a built-in firewall service.

• For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, and use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).

Professional Services

• As part of the service, Masergy will offer a design and periodically confirm that IP masquerading to prevent internal addresses from being


Build and Maintain a Secure Network

Requirement 2

Do not use vendor-supplied defaults for system passwords and other security parameters.

Hackers (both external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

PCI Requirement | Product/Service Solution | Description

2.1 Change Vendor-Supplied Defaults for New Systems

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults before the system is installed on the network (for example, passwords, simple network management protocol (SNMP) community strings, and unnecessary accounts that should be eliminated).

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.1.1 Change Wireless Vendor Defaults for New Systems

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults for wireless environments, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings, and will disable SSID broadcasts and enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.2 Configuration Standards for all System Components

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will offer recommended configuration standards for all system components, and assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and Center for Internet Security (CIS).

2.2.1 Implement Only One Primary Function per PCI Server

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will periodically audit to ensure only one primary function per server (for example, Web servers, database servers, and DNS should be implemented on separate servers).


2.2.2 Disable all Unnecessary and Insecure Services for all PCI System Components

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices’ specified function).

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.2.3 Configure System Security Parameters to Prevent Misuse for all PCI System Components

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will audit and recommend the optimal system security parameters to prevent misuse.

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.2.4 Remove all Unnecessary Functionality for all PCI System Components

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will identify unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.3 Encrypt all Non-Console Administrative Access

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will identify and recommend appropriate encryption methods for all non-console administrative access, and implement technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access.

• Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.4 Hosting Providers Requirements

Professional Services

• As part of the service, Masergy audits any hosting providers


Protect Cardholder Data

Requirement 3

Protect stored cardholder data.

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full primary account number (PAN) is not needed, and not sending PAN in unencrypted e-mails.

PCI Requirement | Product/Service Solution | Description

3.1 Minimize Cardholder Data Storage

Professional Services

• As part of the service, Masergy will audit cardholder data storage minimum requirements, and make recommendations for cardholder data storage reductions.

• Working with your organization, we will develop a data retention and disposal policy.

• Establish storage amount limitation(s) and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Sensitive Authentication Data Policy

Professional Services

• As part of the service, Masergy will audit PCI server authentication implementation(s) to ensure sensitive authentication data subsequent to authorization is not stored anywhere (even if encrypted).

• Working with your organization, we will develop a compliant authentication and disposal policy.

• Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 — 3.2.3.

3.2.1 Magnetic Stripe Data Handling Policy

Professional Services

• Working as an extension of your organization, Masergy will develop and implement policies to ensure there is no storage of the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data.


3.2.2 Card-Validation Code Handling Policy

Professional Services

• As part of the service, Masergy will audit cardholder PIN usage and retention practices and identify corrective measures to ensure PCI compliance.

• Working with your organization, we will develop PIN retention and disposal policy.

• Establish personal identification number (PIN) limitation(s) and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.3 PAN Masking Policy

Professional Services

• As part of the service, Masergy will audit cardholder PAN usage, retention, and practices, and identify corrective measures to ensure PCI compliance.

• Develop primary account number (PAN) usage policy and practices to ensure masking the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).

• Establish primary account number (PAN) limitation(s) and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.4 PAN Rendering Policy

Professional Services

• As part of the service, Masergy will audit cardholder PAN rendering usage, retention, and practices, and identify corrective measures to ensure PCI compliance.

• Develop primary account number (PAN) rendering policy and practices to ensure rendered PAN, at minimum, is unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

♦ Strong one-way hash functions (hashed indexes)

♦ Truncation

♦ Index tokens and pads (pads must be securely stored)


3.4.1 Disk Encryption Policy

Professional Services

• As part of the service, Masergy will audit disk encryption usage, practices, and identify corrective measures to ensure PCI compliance.

• Develop disk encryption usage policy and practices to ensure logical access is managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts), and that decryption keys are not tied to user accounts.

• Establish disk encryption application(s)/implementation(s) required for business, legal, and/or regulatory purposes, as documented in the disk encryption usage policy.

3.5 Encryption Key Protection Policy (3.5.1 — 3.5.2)

Professional Services

• As part of the service, Masergy will audit protection of encryption keys used for encryption of cardholder data against both disclosure and misuse.

• Develop encryption key protection policy and practices to ensure against data compromise by both disclosure and misuse.

• Establish and document applications and practices required for business, legal, and/or regulatory purposes, utilizing encryption keys:

♦ Restrict access to keys to the fewest number of custodians necessary.


3.6 Encryption Key Management Procedures (3.6.1 — 3.6.10)

Professional Services

• As part of the service, Masergy will audit all key management processes and procedures for keys used for encryption of cardholder data, and identify corrective measures to ensure PCI compliance.

• Masergy will develop, fully document, and implement all key management processes and procedures for keys used for encryption of cardholder data, including:

♦ Generation of strong keys

♦ Secure key distribution

♦ Secure key storage

♦ Periodic changing of keys as deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically, or at least annually

♦ Destruction of old keys

♦ Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)

♦ Prevention of unauthorized substitution of keys

♦ Replacement of known or suspected compromised keys

♦ Revocation of old or invalid keys


Protect Cardholder Data

Requirement 4

Encrypt transmission of cardholder data across open, public networks.

Sensitive information must be encrypted during transmission over networks where it is easy and common for a hacker to intercept, modify, and divert data while in transit.

PCI Requirement | Product/Service Solution | Description

4.1 Use Strong Cryptography and Security Protocols

Professional Services

As part of the service, Masergy will audit use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over open public networks and identify corrective measures to ensure PCI compliance.

Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).

• Develop and document strong cryptography and security protocol policy and procedures required to safeguard sensitive cardholder data during transmission over open public networks.

• Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over open public networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.

4.1.1 Wireless Networks Transmitting Cardholder Data

Professional Services

• As part of the service, Masergy will audit use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over wireless networks and identify corrective measures to ensure PCI compliance.

• Develop and document strong cryptography and security protocol policy and procedures for wireless networks transmitting cardholder data, including methods to encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.

• Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over wireless networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.

4.2 PAN e-mail Usage Policy

Professional Services

• As part of the service, Masergy will audit cardholder primary account number (PAN) e-mail usage, retention, and practices, and identify corrective measures to ensure PCI compliance.

• Develop primary account number (PAN) e-mail transmission policy and practices to ensure unencrypted PANs are never sent by e-mail.

• Establish and document all application(s) transmitting sensitive


Maintain Vulnerability Management Program

Requirement 5

Use and regularly update anti-virus software or programs

Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

PCI Requirement | Product/Service Solution | Description

5.1— 5.2 Anti-Virus Software Policy

Professional Services

Requires V-3001-G Vulnerability Scanner Module

• As part of the service, Masergy will audit anti-virus software usage and practices for all servers, desktops, laptops, and mobile devices, and identify corrective measures to ensure PCI compliance.

• Develop and document anti-virus software policy and practices to:

♦ Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.

♦ Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

• Identify and document all application(s)/systems using anti-malware that may be required for business, legal, and/or regulatory purposes, as documented in the anti-virus software policy.

5.1— 5.2 Anti-Virus Software Policy (Continued)

Firewall Management & Monitoring Service

Requires N-2800-G Firewall Syslog Module

• As part of the service, for wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.


Maintain Vulnerability Management Program

Requirement 6

Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

PCI Requirement | Product/Service Solution | Description

6.1 – 6.2 Vulnerability Management

Security Dashboard

Requires: V-3001-G Vulnerability Scanner Module, I-6000-G Security Dashboard Module

As part of the managed service offering, Masergy will implement scheduled vulnerability scanning and security dashboard to:

• Ensure that all system components and software have the latest vendor-supplied security patches installed.

• Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.

• Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.

• Provision IT responders with detailed remediation instructions (including links to CVEs and available patches) allowing IT responders to install relevant security patches, etc.

All-n-One Security Module (ASM)

N-2500-S 10/100/1000Mb

N-2501-S 10Mb

N-2510-S 100Mb

N-2520-S 1000Mb

Required Upgrade to I-2500-G Security Dashboard Feature

With the optional Security Dashboard feature upgrade to the base All-n-One Security Module, Masergy will implement scheduled vulnerability scanning and security dashboard to:

• Ensure that all system components and software have the latest vendor-supplied security patches installed.

• Prioritize and monitor all detected vulnerabilities to ensure remediation occurs within one month of detection and/or patch availability.

• Automatically identify and prioritize newly discovered security vulnerabilities by correlating detected assets with posted vendor threats daily.


6.1 – 6.2 Vulnerability Management (Continued)

Professional Services

The Masergy professional services team will perform a vulnerability assessment to:

• Ensure that all system components and software have the latest vendor-supplied security patches installed.

• Establish and document a comprehensive remediation process and procedure to install relevant security patches within one month of detection and/or patch availability.

• Establish and document a comprehensive process to identify newly discovered security vulnerabilities, and update standards to address new vulnerability issues.

• Customer may require subscription to vendor alert services.

6.3 Software Development Security Practices

Professional Services

Requires V-3001-G Vulnerability Scanner Module

The Masergy professional services team will establish and document software development security best practices and incorporate information security throughout the software development life cycle, including:

• Testing of all security patches, and system and software configuration changes before deployment.

• Separate development, test, and production environments.

• Separate duties between development, test, and production environments.

• Ensure production data (live PANs) are not used for testing or development.

• Removal of test data and accounts before production systems become active.

• Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers.

• Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability.

6.4 Software Development Change Control Procedures

Professional Services

The Masergy professional services team will audit/establish and document software development change control procedures for all system and software configuration changes, including:

• Documentation of impact

• Management sign-off by appropriate parties

• Testing of operational functionality
