Free to Shop
09/07/2009
If only it was free to shop... What we mean by “free to shop” is that legislation is driving the protection of shoppers, enabling them to be “free to shop” safely and securely. The retail sector is having to become increasingly competitive; to succeed in this environment and retain customer trust and loyalty, retailers need to ensure that customer data is safe and secure.
Among the many regulatory compliance mandates confronting IT, the Payment Card Industry (PCI) Data Security Standard (DSS) is one of the most technically prescriptive and sets a high bar for effective controls and countermeasures. Intended to protect cardholder data among businesses handling payment card transactions, the PCI DSS defines 12 areas of IT security and information risk management requirements in 6 logically related groups (see the chart of requirements).
As the breadth of the PCI standard suggests, compliance poses a double-edged challenge. Failure to comply means substantial penalties including ongoing fines or possible sanctions in the event of a data security breach. Yet for many, meeting such a broad and detailed set of requirements is no less daunting.
The largest businesses may be able to call on the deepest reserves to meet the challenge. These are the “Level 1” enterprises as defined by the payment card brands. Examples include merchants handling more than 6 million transactions a year, or the service provider members of VisaNET. At the other end of the spectrum are those at Level 3 and below, who may handle fewer than 1 million transactions per year or are not otherwise included in Levels 1 and 2. Some of the smallest merchants can work with their payment acquirers to help them meet PCI requirements, while the validation of compliance for Level 4 merchants may actually be at the discretion of the acquirer.
The challenge of securing sensitive information is one of the broadest and potentially most difficult the enterprise faces. We hear from three of our vendor partners who have been developing technologies that can help drive compliance at the various levels of requirements.
RSA
RSA, The Security Division of EMC, has created a set of PCI Packages to help meet these substantial PCI compliance challenges. Specifically designed to give a readily deployed set of tools, the packages include maintenance for each product and design and implementation services for specific components.
Strong Authentication: RSA SecurID
The only product mentioned by name in the PCI standard, RSA® SecurID is a leader in the market of two-factor authentication, a technique specifically invoked under PCI Requirement 8.3 for securing remote access by employees, administrators and third parties.
Security Information and Event Management: RSA enVision
One of the most successful SIEM offerings, the RSA enVision™ platform is recognised for its ease of deployment and use relative to many competitors. RSA was among the first security vendors to deliver a SIEM solution in a readily deployed appliance form factor, relieving many of the human and technical resource constraints faced by businesses in the adoption of PCI-required monitoring and reporting tools.
RSA’s PCI Packages include the enVision ES 2560, a SIEM appliance capable of handling 2500 sustained events per second (EPS). Design and implementation services for the enVision platform complement the package.
Data Discovery: RSA Data Loss Prevention RiskAdvisor Service
Built on the RSA® Data Loss Prevention (DLP) Suite, the RiskAdvisor Service is an optional addition to the PCI Packages, designed to help merchants determine where cardholder data resides across endpoints and within data centres and to understand how it got there.
Cisco IronPort
Although increasing use of the Web and email to do business enhances retailers’ productivity and profits, it also offers potential security risks from malware, data loss and system intrusions.
Like most organisations, retailers use email as a key means of communication, between employees as well as with outside suppliers, processors and vendors. However, high volumes of email traffic across an organisation’s network can make it difficult to maintain data security. This is especially important for organisations that process, store, or transmit any credit or debit card information.
Cisco IronPort® Systems offers leading Internet gateway technology to help merchants ensure that sensitive information is handled securely when transmitted via email. Cisco IronPort has fully integrated PCI DSS compliance for email in its AsyncOS™ operating system. To make compliance simple, IronPort e-mail appliances offer:
• Identification and secure encryption of credit card information included in any part of an email message
• Regular, automated Sophos and McAfee anti-virus updates, as well as IronPort Virus Outbreak Filters™ for immediate protection
• Centralised management, compliance monitoring and reporting capabilities
• Easy and hassle-free maintenance.
In addition, Cisco IronPort can help make corporate Web use significantly less likely to lead to infiltration by malware designed to obtain customer and credit card information. Cisco IronPort technologies to safeguard Internet use include:
• URL Filters™: A unique combination of a high-performance scanning engine with the industry’s broadest Web database, providing a fast and accurate content filtering solution
• Anti-Malware System: Optimised for exceptional performance, integrated into a single appliance solution and built to be fast and accurate, it relies on a less computationally-intensive single scan to evaluate for multiple threats
• Web Reputation: Tracking technology that helps protect against a broad range of URL-based threats by asking a simple but powerful question – “What is the reputation of the URL?” – and analysing hard-to-forge data that can determine a great deal about a URL’s trustworthiness
• Web Security Monitor™: A real-time threat monitoring and reporting system that is integrated into every IronPort Web security appliance, it tracks all network traffic to identify a broad range of Web security threats.
Web Security
Cisco IronPort Web security appliances combine sophisticated technology and Cisco IronPort’s Dynamic Vectoring and Streaming™ (DVS) engine to filter URLs, web reputations, and malware on a single appliance – without compromising performance or speed. Cisco IronPort Web security appliances also monitor outbound threats across all TCP ports.
E-mail Security
Merchants depend on e-mail to communicate between employees in different branches, as well as with suppliers and other fulfillment providers. However, significant risks are posed by transmitting customer information or credit card information via e-mail. Cisco IronPort email security appliances offer a highly sophisticated way to combat these risks.
Cisco IronPort’s e-mail security appliances offer retailers proactive protection for sensitive customer and credit card data transmitted via email. Integrated scanning and remediation mechanisms filter for this information, and automatically encrypt it to keep it secure.
Smart Identifiers: Administrators can quickly configure Cisco IronPort’s appliances to scan for sensitive data strings being sent over e-mail. Sophisticated filters can be set up to scan for valid credit card numbers, social security numbers, ABA bank routing numbers, and CUSIPs. Advanced algorithms ensure high accuracy as well as a low number of false positives.
PCI DSS compliance functionality for e-mail is included in Cisco IronPort’s AsyncOS operating system, which powers all of Cisco IronPort’s gateway security appliances. New, purpose-built e-mail security appliances offer retailers a single, fully-integrated solution that combines traditional e-mail security such as spam and virus filtering with functions such as policy creation, content scanning, message encryption and quarantining.
The PCI DSS revolves around a group of six key principles and accompanying requirements:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Ensure the maintenance of vulnerability management programs
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Ensure the maintenance of information security policies
12. Maintain a policy that addresses information security
McAfee
Leading security vendor McAfee has aligned its product set to the 12 key requirements of the PCI DSS. McAfee is uniquely poised to help organisations optimise their security posture while meeting PCI compliance through its breadth of solutions and services. The comprehensive suite of solutions and services helps you exceed PCI requirements, via a layered security model.
Visit: http://www.mcafee.com/us/enterprise/products/promos/easy_pci.html to use McAfee’s new interactive online tool to:
• Identify solutions that cover gaps in your PCI compliance
• Understand how you can leverage your existing McAfee solutions towards PCI compliance
• Explore additional McAfee solutions to meet specific requirements
• Print a custom report showing the McAfee solutions that suit your specific needs.
Develop a sustainable policy process
• Use centrally managed McAfee solutions with a single agent, single console
• With McAfee ePolicy Orchestrator® (ePO™), organisations work from a single management platform that provides data integration and reporting, reducing the frustrations associated with disparate products.