Complying with the Payment Card Industry Data Security Standard WHITE PAPER
Retailers, financial institutions, service providers, and any other businesses that handle credit card holder data today must adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS outlines policies for ensuring that cardholder data is secured at all times. While the mandate features rules on everything from changing employee passwords regularly to deploying firewalls, many rules focus on the security of data while it is stored within the enterprise.

SafeNet can help address many of the critical challenges of adhering to PCI DSS relating to the security of payment data within the enterprise. Further, SafeNet solutions help organizations take a comprehensive, information-centric approach to security that not only helps address near-term compliance objectives, but ensures the security of sensitive assets in the long term. SafeNet offers solutions that are efficient, flexible, and adaptable, enabling businesses to address dynamic security threats and evolving business objectives. In the pages that follow, we provide some specific requirements from the PCI DSS, version 2.0, and illustrate how SafeNet can help address these specific mandates.

Regulation: Requirement 2.2.1.b. If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

How SafeNet Addresses: Virtual instances, whether in cloud or other virtualized environments, can be susceptible to an array of threats, including data commingling, administrators exploiting super-user privileges, and more. SafeNet ProtectV Instance enables organizations to encrypt entire virtual instances, and secure them against such threats. With ProtectV Instance, security teams can logically separate the virtual instances that hold sensitive data from other instances in the environment, and so guard against inadvertent data commingling, even in multi-tenant cloud environments. In addition, the solution enables organizations to implement granular access controls that mitigate the threat from potential hackers who might breach cloud hypervisors, and from the cloud super-users who administer the virtual environment.

Regulation: Requirement 2.3. Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

How SafeNet Addresses: With DataSecure, the only way to access administrative controls is via a secure Web-management console, a command line interface over SSH, or a direct console connection. The platform can be configured so that individual administrators are only granted access to areas for which they are responsible. Administrative activities are logged and digitally signed in an audit log.