PCI
COMPLIANCE
Streamline PCI Compliance With Next-generation Security
How Palo Alto Networks Enterprise Security Platform Enables
Unparalleled Network Segmentation and Protection of
Table of Contents
I.
Executive Summary
3
II. Fundamental Challenges with PCI Compliance
3
III. Getting the Most Out of a Network Segmentation Solution
5
IV. The Palo Alto Networks Enterprise Security Platform
5
V. Delivering Robust Network Segmentation
6
VI. Meeting and Exceeding Multiple Requirements
7
VII. Providing Next-Generation Protection and Prevention
8
VIII. Conclusion
9
IX. Appendix 1: PCI Security Requirements Supported by the
10
I. EXECUTIVE SUMMARY
Establishing, maintaining, and demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a necessity for “… all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)1.” With approximately three hundred individual requirements to
address, organizations subject to the standard have their work cut out for them.
The Palo Alto Networks® enterprise security platform—with our market-leading next generation firewall (NGFW) at
its core—supports PCI compliance in three ways:
• By providing an incomparably robust set of capabilities for segmenting off one’s cardholder data environment (CDE) and effectively reducing the scope of all related compliance activities;
• By enabling security and compliance teams to simultaneously satisfy numerous individual requirements with a single, tightly integrated solution; and,
• By going above and beyond the minimum requirements to not only provide more effective protection against today’s threats, but also deliver a future-proof solution capable of meeting PCI DSS requirements even as they continue to evolve.
Organizations that leverage the Palo Alto Networks enterprise security platform to reduce their total cost of PCI compliance also benefit from being able to: maintain complete visibility and tight control over the use of applications, especially those critical to running their business; confidently pursue new technology initiatives; and thoroughly protect the organization from the most basic to sophisticated cyber attacks.
II. FUNDAMENTAL CHALLENGES WITH PCI COMPLIANCE With global losses from payment card fraud
exceeding $16.31 billion in 2014, the need for the PCI DSS has never been more apparent2.
According to a poll in the Wall Street Journal, 45% of Americans say they or a household member have been notified by a card issuer, financial institution, or retailer that their credit card information had possibly been stolen as part of a data breach.3
Offsetting the value of the PCI security standards, however, are a handful of related challenges. These include the substantial amount of effort and investment required to achieve compliance in the first place, along with the unfortunate reality that being compliant does not necessarily translate into an organization being adequately defended from advanced cyber attacks.
Substantial Effort Required
For all system components included in or connected to the CDE, organizations must comply with more than three hundred requirements. It is in every organization’s best interest, therefore, to take advantage of network segmentation provisions stated in the PCI DSS to effectively isolate their CDE and thereby shrink the amount of infrastructure that is considered in scope. Doing so not only decreases the cost and complexity of PCI compliance in several predictable ways, but also has the potential to deliver additional operational and security benefits. For example, when armed with an appropriate solution, organizations can use network segmentation to:
• Reduce both the number of system components that must be brought into compliance in the first place and any derivative impact doing so might have (such as the need to re-architect portions of the network or re-design certain applications and systems)
• Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever the PCI requirements are updated
• Reduce the number of system components and processes that must be periodically audited to demonstrate compliance
• Reduce and simplify management of the policies, access control, and threat prevention rules that apply to the CDE
PCI Compliance Is a Baseline
“Our viewpoint has always been that the PCI DSS is a baseline, an industry-wide minimum acceptable standard, not the pinnacle of payment card security. [...] A PCI DSS assessment can uncover important security gaps that should be fixed, but it is no guarantee that your customer’s data and your reputation are safe. Of all the data breaches that our forensics team has investigated over the last 10 years, not a single company has been found to be compliant at the time of the breach — this underscores the importance of PCI DSS compliance.”
- Verizon 2015 PCI Compliance Report
1 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
2 http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf
• Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations • Greatly improve the organization’s ability to contain and limit the spread of threats
Segmentation-based Scope Reduction Only Goes So Far Leveraging the best practice of network
segmentation to reduce the amount of infrastructure subject to DSS requirements will only get an organization so far. For the CDE that remains, it is still necessary to address more than three hundred requirements. The challenge of successfully navigating this process is sharply revealed by the Verizon finding that only 11.1 percent of organizations were determined to be fully compliant at the time of their baseline assessments4.
Attempting to comply with all three hundred requirements by tackling them one at a time is impractical and will result in unnecessary costs and complexity. It is also unwise from a security perspective as this might result in a highly
fragmented security architecture where there is substantial potential for significant events to “slip through the cracks.”
Although no single vendor/solution can deliver complete compliance, organizations would be well served by solutions and processes that allow them to simultaneously address multiple requirements, ideally in a tightly integrated manner.
Compliance is Necessary, but Not Sufficient
By its own admission, the PCI DSS provides “a baseline of technical and operational requirements” for protecting cardholder data.” Not only do the specified countermeasures represent a minimum standard of due care, but also—as a result of the now 3-year period between revisions—they often lag behind significant changes to the technology and threat landscapes.
One self-acknowledged example of this situation is provided by the requirement (5.1) to “deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).” In this case, the DSS explicitly mentions the consideration of “additional anti-malware solutions … as a supplement to the anti-virus software”—presumably in recognition of the poor track record such as software has at stopping modern, polymorphic malware and zero-day exploits.
Need Better Firewalls
“One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. […] Their ability to monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly sophisticated threats make next-generation firewalls a must-have.” -Verizon 2015 PCI Compliance Report
4 http://www.verizonenterprise.com/pcireport/2014
Figure 1: Comparison of flat vs segmented network.
Palo A lto Netwo rks Cardho
lder Servers FinUseancrse
Infrastr ucture Servers
Develo pment Servers
WAN and Internet
PCI Zone Cardho
lder Servers
Infrastr ucture Server s Develo pment Servers End Us
er Workst
ations
Non-segmented network using ACLs • All servers and associated traffic may
fall within the scrope of PCI audit
Segmented network with Palo Alto Networks isolates cardholder data
• Access to PCI Zone is limited to finance users based on User-ID (i.e. Active Directory security groups) and App-ID (i.e. limit internal and Internet applications). • Scope of PCI audit is reduced to cardholder segment
A second example comes from the requirement (1.3.6) to “implement stateful inspection” technology as part of the solution to “prohibit direct public access between the Internet and any system component in the cardholder data environment.” Verizon’s commentary on this requirement says it all: “The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering ‘next generation’ firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.5”
Specific examples aside, the key point to realize here is that it’s typically necessary—if not imperative—for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern/ emerging threats and more closely aligns with their organization’s tolerance for risk.
III. GETTING THE MOST OUT OF A NETWORK SEGMENTATION SOLUTION
A derivative challenge is that of selecting an ideal solution for network segmentation. Although the PCI DSS mentions the possibility of using “a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of the network,” not all options are created equal. In fact, many of these traditional alternatives fail to meet the qualifying statement that a proper segmentation solution should be able to keep compromised out-of-scope components from impacting the security of the CDE.
One major problem is the lack of granularity with which traditional solutions enforce access control. Because many modern applications can share the same network level attributes, relying solely on ports, protocols, and IP addresses for access control results in network segmentation that is too loose—that allows far too much unwanted and unauthorized traffic to pass through. A second issue is that many of these solutions provide no means to scan allowed traffic for embedded threats and, as a result, simply allow them to “come along for the ride” with authorized applications.
In addition, attempts to fix these legacy products have largely failed. Bolting-on deep packet inspection technology doesn’t work because the resulting solution still depends on port/protocol attributes for the initial classification and disposition of all traffic. And deploying separate firewall “helper products,” many of which exhibit the same shortcoming, often yields only incremental gains in exchange for considerably greater infrastructure complexity, latency, cost of ownership, and effort required to establish proof of compliance and generate related reports.
For maximum effectiveness with minimum impact and cost, what organizations require instead is a network segmentation solution that simultaneously provides:
• true, least privileges access control;
• prevention for both known and unknown threats;
• full, in-depth traffic inspection without performance degradation;
• flexible deployment options that minimize the need for network architecture changes; and, • simple, straightforward proof of policy controls.
5 http://www.verizonenterprise.com/pcireport/2014
SQLIA
EMR, Dev Tools, Trading Apps
MR, De Trading
EM T
SQLIA
EMR, Dev Tools, Trading Apps
EMR, Dev Tools, Trading Apps
IV. THE PALO ALTO NETWORKS ENTERPRISE SECURITY PLATFORM
Unlike traditional solutions, the Palo Alto Networks enterprise security platform natively classifies all traffic, regardless of port, protocol, or encryption. This complete visibility into network activity allows customers to substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire™ cloud-based sandbox analysis service. Next-generation endpoint security capable of stopping unknown threats and automated coordination among the natively integrated solution components complete the picture. The net result is a truly innovative platform that delivers maximum protection for an organization’s entire computing environment while greatly reducing the need for costly human intervention and remediation.
More importantly, at least with regard to PCI compliance, the Palo Alto Networks platform simultaneously delivers unparalleled network segmentation capabilities, coverage for multiple PCI requirements, and a level of protection for cardholder data that goes well beyond the baseline capabilities specified in the PCI DSS.
V. DELIVERING ROBUST NETWORK SEGMENTATION
The Palo Alto Networks platform uniquely ensures maximum isolation of an organization’s cardholder data environment with a robust set of natively integrated security capabilities, including:
• Control of all traffic at the application level: At the heart of our platform, innovative App-ID™ technology accurately identifies and classifies all traffic by its corresponding application, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the network like the CDE, this provides the best possible control by allowing security administrators to deny all traffic except the few applications that are explicitly legitimate.
• Definitive, least privileges access control. Along with App-ID, User-ID™ and Content-ID™ enable organizations to tightly control access to the CDE based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, the actual identity of individual users and groups, and the specific elements of data being accessed (e.g., credit card or social security numbers). The result is a definitive implementation of least privileges access control where administrators can create straightforward security rules to allow only the absolute minimum, legitimate traffic in the zone while automatically denying everything else.
• Advanced threat protection. A combination of anti-virus/malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire) filter all allowed traffic for both known and unknown threats.
• Flexible data filtering. Administrators can allow necessary applications yet still block unwanted file transfer functionality, block unwanted file types, and control the transfer of sensitive data— such as credit card numbers or custom data patterns in application content or attachments.
Figure 3: Palo Alto Networks enterprise security platform.
NEXT-GENERATION FIREWALL
NEXT-GENERATION THREAT INTELLIGENCE CLOUD
AUTOMATED
EXTENSIBLE NATIVELY
INTEGRATED
NEXT-GENERATION ENDPOINT CLOUD
N
ETW O
RK ENDPO INT
VI. MEETING AND EXCEEDING MULTIPLE REQUIREMENTS
Reducing the scope of compliance with effective network segmentation is only one way the Palo Alto Networks enterprise security platform supports organizations in their efforts to achieve PCI compliance. As detailed below and in Appendix 1, it also helps by addressing many of the individual requirements specified in the DSS.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
The Palo Alto Networks enterprise security platform directly satisfies several sub-requirements in this section, while helping with many others. Select sub-requirements and how they are addressed include:
• 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. Definitive, least privileges access control.
• 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. Robust network segmentation deployed in a DMZ configuration. Notably, this requirement is not specifying the need for proxy based gateways; only that connections to the Internet be intermediated by a DMZ.
• 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Definitive, least privileges access control and flexible data filtering.
• 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. Our next generation firewall not only meets the requirement for stateful inspection by only allowing “established” connections into the network; it also exceeds the requirement by providing far more granular control than port-based inspection firewalls over which connections get established in the first place.
Requirement 2: Protect stored cardholder data
This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Despite rigorous encryption techniques, the cardholder data must often exist in an unencrypted state in memory, which has become a frequent point of attack. Furthermore, encryption keys must be properly protected, which poses challenges for many businesses. Not only do businesses need to store, protect, back up and track keys, they must also deal with interoperability issues, a lack of management standards, and multiple locations where encryption is employed, whether endpoint devices, databases, or storage systems. Given these management challenges, encryption alone may be sufficient to meet compliance requirements, but often does not provide adequate security for cardholder data.
Compromising the storage and distribution of encryption keys or making unauthorized key substitutions places the organization at risk. Furthermore, encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryptions keys or cardholder data. By preventing exploits and malware, businesses are in a better position to protect stored cardholder data and the related encryption keys. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6. Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs Palo Alto Networks® Traps Advanced Endpoint Protection is an innovative endpoint protection technology that
prevents exploits and malware, both known and unknown. Because PCI DSS was established before advanced endpoint protection technology existed, the standard still calls for outdated antivirus scanning techniques without any ability to prevent unknown exploits.
Despite this fact, companies focused on not only compliance, but also strong security posture are finding that Traps can be employed as a highly effective compensating control that not only meets, but also exceeds, the original PCI DSS requirement, resulting in a much stronger security and compliance posture. For example, prior to Traps technology, patching was the only way to ensure protection from known vulnerabilities and there was no reliable method to protect systems from unknown vulnerabilities or those with no available patch. The availability of Traps allows PCI system operators to significantly enhance security and exceed PCI DSS requirements by not only eliminating known vulnerabilities, but also protecting systems from exploitation of unknown vulnerabilities. Some Palo Alto Networks customers reported that their PCI QSA approved the use of Traps as a compensating control for unpatched / unpatchable systems.
Requirement 7: Restrict access to cardholder data by business need to know
Definitive, least privileges access control and support for an extensive collection of user authentication and authorization mechanisms enables the Palo Alto Networks platform to address the heart of this requirement, which is to “establish an access control system for systems components that restricts access based on a user’s need to know, and is set to ‘deny all’ unless specifically allowed.”
Requirement 10: Track and monitor all access to network resources and cardholder data
Here is another example where the Palo Alto Networks enterprise security platform directly satisfies several sub-requirements, while helping with many others. Select sub-requirements and how they are addressed include:
• 10.1 Implement audit trails to link all access to system components to each individual user. User-ID ties all network activities to specific user identities. Instead of meaningless IP addresses, actual identity information also populates the reports regularly consumed by auditors for establishing PCI compliance.
• 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Native logging, reporting, and visualization capabilities support daily reviews, ad-hoc troubleshooting, and detailed forensic analyses.
Requirement 11: Regularly test security systems and processes
Sub-requirement 11.4 is met by the native inclusion in the Palo Alto Networks security platform of an intrusion prevention system (IPS) that organizations can employ to “detect and/or prevent intrusions into the network.” Those security teams interested in going above and beyond the baseline specification also have the option of taking advantage of WildFire to solidify their defenses against unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs).
VII. PROVIDING NEXT-GENERATION PROTECTION AND PREVENTION
Several examples have already been provided where the Palo Alto Networks platform goes above and beyond PCI DSS requirements to deliver the greater levels of protection today’s organizations actually need, including: • the core next generation firewall that enables definitive least privileges access control to actually block/deny
all users, applications, and content except that which is absolutely necessary within the CDE;
• advanced threat protection that extends coverage to account for elusive or unknown threats that attempt lateral moves to propagate within the network; and,
• next generation endpoint security that compensates for the proven deficiencies of legacy anti-virus software. Another way our solution delivers next-generation protection that exceeds the DSS’s baseline requirements is by providing extensive information sharing and coordination among elements of the platform. For example, new protections developed from WildFire’s real-time threat intelligence are automatically distributed to our customer’s systems within as little as 30 minutes. The net result of natively integrated threat prevention capabilities is a closed-loop architecture that delivers unparalleled threat response without the need for manual and time-consuming interventions by an already overwhelmed security team.
Palo Alto Networks has also established strategic partnerships that augment its ability to address PCI DSS requirements. For example, the Splunk App for Palo Alto Networks delivers customers cross-infrastructure event correlation, threat analysis, and compliance reporting, while also providing a powerful set of supplemental threat detection mechanisms. Relationships with AlgoSec, Tufin and other Network Configuration and Risk Management vendors similarly yield a solution that goes above and beyond the basics by ensuring that security teams are able to efficiently and effectively manage their firewall configurations and guarantee the integrity of the corresponding rule sets.
Compliance Capabilities
VIII. CONCLUSION
No single vendor or solution can provide complete compliance with the Payment Card Industry Data Security Standard. What organizations require instead is a thorough set of policies, processes, and practices—including network segmentation—supported by an essential set of technological countermeasures to enforce them. In this regard, the Palo Alto Networks enterprise security platform is an invaluable solution that delivers:
• definitive, least privileges access control and other essential security capabilities for effectively
segmenting off the cardholder data environment and thereby reducing the scope and cost of achieving PCI DSS compliance;
• support for a considerable cross-section of the PCI DSS requirements; and,
• capabilities that go above and beyond the standard’s baseline specifications to more thoroughly protect cardholder data—and the remainder of your organization’s computing environment—from the latest generations of unknown malware and advanced threats.
For more information regarding the Palo Alto Networks enterprise security platform and its component technologies, please visit: www.paloaltonetworks.com.
Figure 4: Enterprise Security Platform PCI DSS Compliance Capabilities
PCI DSS REQUIREMENT NEXT GEN
FW WILDFIRE TRAPS
Requirement 1:
Install and maintain a firewall configuration to protect cardholder data Requirement 2:
Do not use vendor- -supplied defaults for system passwords and other security parameters
Requirement 3:
Protect stored cardholder data Requirement 4:
Encrypt transmission of cardholder data across open, public networks Requirement 5:
Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6:
Develop and maintain secure systems and applications Requirement 7:
Restrict access to cardholder data by business need to know
Requirement 8:
Identify and authenticate access to system components Requirement 9:
Restrict physical access to cardholder data Requirement 10:
Track and monitor all access to network resources and cardholder data Requirement 11:
Regularly test security systems and processes Requirement 12:
Maintain a security policy that addresses information security for all personnel
TR
TR
TR
TR
TR WF
WF
WF
WF
WF
TR
TR WF
IX. APPENDIX 1: PCI SECURITY REQUIREMENTS SUPPORTED BY THE PALO ALTO NETWORKS ENTERPRISE SECURITY PLATFORM
The Palo Alto Networks platform supports many of the three hundred individual requirements specified in the PCI DSS, as itemized in the following table. All references made in this paper to specific requirements are based on PCI DSS 3.1.
PCI DSS REQUIREMENT SUPPORTED
SUB-REQUIREMENTS DESCRIPTION OF CAPABILITIES
Requirement 1:
Install and maintain a firewall configuration to protect cardholder data
1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least privileges access control (i.e., deny all applications, users, and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system.
Requirement 2: Do not use vendor- supplied defaults for system passwords and other security parameters
2.3 The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the attack surface. These controls include changing vendor passwords; enabling only necessary services, protocols, daemons; and removing unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and web servers. For a relatively complex card holder data environment, there are potentially thousands of instances in which unnecessary services, unnecessary functionality, and insecure services could operate.
Traps provides an automated preventive control capability to reduce risks associated with threat vectors or attack points. The unique approach employed by Traps ensures that even if unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps will block the exploit technique and prevent any malicious activities from occurring. Insightful forensics evidence is collected to support incident response processes or further investigative activities. With Traps operating in the CDE, organizations can reduce their risk to a level more in line with the business’ risk tolerance position. Requirement 3:
Protect stored cardholder data
n/a This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryptions keys or cardholder data. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.
Requirement 4:
Encrypt transmission of cardholder data across open, public networks
4.1, 4.2 Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either an TSL or IPSec protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the
use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers). Requirement 5:
Protect all systems against malware and regularly update anti-virus software or programs
n/a The Palo Alto Networks enterprise security platform includes advanced endpoint protection that provides a much-needed complement to legacy anti-virus solutions that are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).
PCI DSS REQUIREMENT SUPPORTED
SUB-REQUIREMENTS DESCRIPTION OF CAPABILITIES
Requirement 6:
Develop and maintain secure systems and applications
6.6 As a fully application aware solution, the Palo Alto Networks next-generation security platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.
Requirement 7:
Restrict access to cardholder data by business need to know
7.2, 7.2.1, 7.2.3 Granular, policy-based control over applications, users, and content regardless of the user’s device or location enables organizations to implement definitive least privileges access control that truly limits access to cardholder data based on business need to know, with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role based access control, enables enforcement of privileges assigned to individuals based on job classification and function.
Requirement 8:
Identify and authenticate access to system components
8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards. Requirement 9:
Restrict physical access to cardholder data
n/a n/a
Requirement 10: Track and monitor all access to network resources and cardholder data
10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3,
The Palo Alto Networks enterprise security platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk).
Requirement 11:
Regularly test security systems and processes
11.4 The Palo Alto Networks enterprise security platform fully inspects all allowed communication sessions for threat identification and prevention. A single unified threat engine delivers intrusion prevention (IPS), stream- based antivirus prevention, and block of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying and working in conjunction with customer premise components to prevent unknown and targeted malware and exploits. The net result is
comprehensive protection from all types of threat in a single pass of traffic.
Requirement 12:
Maintain a security policy that addresses information security for all personnel
n/a n/a
4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks. com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. PCI-Compliance-Security-Platform-011916
