The PCI Council introduced the PCI version 1.2.1 specification earlier this year, and a lot of clarification has been done so that the specification makes more sense; however, there is still a lot of help needed in deciphering exact requirements and next steps. Face it: it all comes down to what you have to do to be compliant. Well, a managed host can offload some of that confusion. At INetU, we can work with you and provide guidance on the 12-section PCI specification. Here is a quick overview of how INetU can help you on your way to PCI compliance.
Requirement 1 – Requirement 1 deals with the overall security of the network topology, including devices like routers, switches, and firewalls. The security policy for those devices and how it is implemented are key. INetU can work with you to build a strong rule set for your managed firewall, and we can secure the network topology with segmentation around the servers you host here. The rest of INetU’s network infrastructure outside your environment is covered by INetU’s PCI Level 1 Service Provider compliance.
Requirement 2 – This requirement deals with securing the devices and systems themselves. Items like removing vendor-supplied default passwords, strong configuration standards, and encrypting administrative access are key here. INetU provides a strong configuration standard, based on NIST and SANS guidance, that includes changing default passwords. INetU can also provide VPN-capable firewalls so that administrative access to your servers is encrypted.
Requirement 3 – PCI Requirement 3 deals with protecting the cardholder data that may be stored on your servers. INetU can provide guidelines on how to handle such information, as well as tools that check your servers for this type of data and whether its storage meets the requirements. Many of these requirements are simply best practices for securing data. INetU can not only work with you on best practices and options for key management, but also help decipher some of the specifics in this requirement.
Requirement 4 – Requirement 4 then takes that cardholder data and explains how it must be protected when passed over the network (e.g., over SSL/TLS transport). INetU can provide firewalls with VPN capability at both the IPsec and SSL layer, depending on your particular needs. We can also help you obtain an SSL certificate for the website, and even recommend payment gateways if it makes more sense for you to offload all credit card processing. We have the expertise to help you determine your best option.
Requirement 5 – Anti-virus requirements are the key to Requirement 5. INetU will provide you with AV services on your servers. We utilize Microsoft Forefront on the Windows platforms, and ClamAV on the Red Hat Enterprise Linux platform.
Requirement 6 – Requirement 6 dives into application and system security. INetU helps address this by setting up automatic system patching for your servers that works within your schedule, so you can be sure your systems are up to date. For the more in-depth application requirements, INetU can set you up with one of our partners for third-party code audits, or co-locate your web application firewall if you’d like.
Requirement 7 – Requirement 7 dives into the “need to know” basis for access to your cardholder data: who can see which cardholder data, with the default being to deny everyone everything. INetU can provide you with not only best-practice, industry-leading recommendations for defining “need to know,” but also third-party software that can audit and log system access.
Requirement 8 – Being able to uniquely identify each person with system access is the main goal of Requirement 8. There is nothing worse than having multiple people share an identity and not being able to distinguish between them. Here, INetU administrators follow our PCI-friendly policies. Assessed yearly by an authorized QSA during our annual PCI compliance audit, these policies include strong password requirements and unique user IDs, just to name a few. INetU can also help you set up two-factor authentication schemes.
Requirement 9 – Requirement 9 deals with the physical facility in which the cardholder data is kept. Here, INetU has you covered. With our PCI-compliant and SAS70 Type II certified data centers (now SSAE 16), you don’t have to worry about this for your servers here; we’re taking care of it!
Requirement 10 – Being able to track and monitor access to both the systems and the cardholder data they contain is the main theme of this requirement. Here, INetU can help by setting you up with Trustwave and their SELM log monitoring service, which provides log reports customized to fit your company’s needs. We can also help with file integrity monitoring, which is required on the logging server to verify that the logs stored there have not been altered.
Requirement 11 – Requirement 11 deals with regularly testing both your systems and your defined processes. Here, INetU can provide your company with several services from Trustwave (a qualified QSA and ASV) that help meet this requirement: IPS/IDS services using a Trustwave-managed IPS device (which Trustwave customizes to match your applications and keeps current with signature updates), the TrustKeeper service (external vulnerability scanning, including 12 scans per year), and Trustwave’s ISV server for the internal scanning requirement.
Requirement 12 – Requirement 12 wraps it all up, and is all about security policies for you, your employees, and anyone else who could have contact with your systems. Here, INetU can provide sample policies from SANS and NIST that reflect industry best practices. INetU’s own policies govern our administrative staff and are reviewed during both our SAS70 Type II audits and our PCI assessments. INetU can also recommend our QSAs, who can also provide you with sample policies.
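The file integrity monitoring mentioned under Requirement 10 comes down to a simple idea: record a cryptographic hash of every log file at a known-good point, then periodically re-hash and report anything that changed, appeared or disappeared. The following is an added example of that mechanism written for this overview; it is not INetU’s or Trustwave’s FIM product. It builds a SHA-256 baseline of a directory, round-trips it through JSON the way a stored baseline would be, and then demonstrates detection against a constructed temporary log directory in which one file is tampered with, one is removed and one is added.

```python
"""Added example: hash-based file integrity monitoring for a log directory."""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory: str) -> dict:
    """Map each file's path (relative to directory) to its SHA-256 digest."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            baseline[os.path.relpath(full, directory)] = sha256_file(full)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report files whose digest changed, plus files added or removed since the baseline."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(directory: str, name: str, text: str) -> None:
    with open(os.path.join(directory, name), "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a log directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as logs:
        _write(logs, "auth.log", "Nov  4 10:00:01 sshd: Accepted publickey for admin\n")
        _write(logs, "access.log", "10.0.0.5 - - [04/Nov/2009] \"GET / HTTP/1.1\" 200\n")

        # Take the baseline and store it the way a real deployment would
        # (serialized, ideally off the monitored host); reload it for the check.
        stored = json.dumps(build_baseline(logs))
        baseline = json.loads(stored)

        # Simulate what FIM is meant to catch: an edited log line,
        # a deleted log, and an unexpected new file.
        _write(logs, "auth.log", "Nov  4 10:00:01 sshd: Accepted publickey for nobody\n")
        os.remove(os.path.join(logs, "access.log"))
        _write(logs, "app.log", "unexpected file\n")

        return compare_baseline(baseline, build_baseline(logs))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the baseline must live somewhere the logging server’s own users cannot rewrite it; otherwise an attacker who can edit the logs can re-hash them too. In practice the baseline and the comparison report go to a separate host, which is why the requirement pairs FIM with centralized log monitoring.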
As you can see, even though there is a lot to the PCI specification, INetU can help you along the way, so that your business can easily become PCI compliant!