
PCI Compliance Guide

Vidder PrecisionAccess


WHITEPAPER


Table of Contents

Executive Overview ........ 3
How Vidder Helps with PCI Compliance ........ 5
Why Vidder Is Able to Help Customers Meet PCI Requirements ........ 8
Vidder Mapped to PCI DSS 3.2 Requirements ........ 10


Document Classification: CONFIDENTIAL

VIDDER HELPING WITH PCI COMPLIANCE 3

Executive Overview

Vidder’s unique approach to audit and compliance requirements addresses difficult technical requirements and ensures quick deployment and manageability, instantly increasing Return on Investment.

This document is designed to guide organizations looking for solutions that will help them pass the Payment Card Industry Data Security Standard (PCI DSS) 3.2 audit and outlines the requirements that Vidder PrecisionAccess™ can address.

A company processing credit card transactions is required to pass the PCI DSS audit to avoid penalties and to ensure it follows best practices for protecting credit card data during everyday operations. According to Verizon’s 2017 Data Breach Investigations Report, four out of five companies still fail at interim assessment. Many organizations struggle to remain compliant because of changing business conditions and the need to protect against ever-evolving cyber-attacks that are successfully breaching companies.¹ The average breached merchant, at the time of data compromise, was not compliant with at least 47% of the PCI DSS requirements.

Network segmentation has become a proven strategy for protecting applications and servers from cyber-attacks. The need to segment networks into sub-segments for security, management, and address administration is not a new revelation. The approach thus far has been to use techniques such as virtual local area networks (VLANs), switch/router Access Control Lists (ACLs), and firewalls. This strategy usually means that the network components involved must support specific authentication protocols from the network infrastructure provider. It is complicated further when the business adds requirements such as bring your own device (BYOD) or extends the existing network with Amazon Web Services support. These challenges make passing and maintaining PCI DSS compliance very difficult.

¹ 2017 SecurityMetrics Guide to PCI DSS Compliance


Figure 1: Typical network architecture for a company that must pass PCI DSS compliance.

What is required is a practical and staged approach to achieving full end-to-end micro-segmentation in corporate networks. The implementation has to be non-disruptive for customers, continuously add security value, be relevant both for internal and cloud-located resources, and remain a foundational principle of security protection as the network evolves to meet business agility.


How Vidder Helps with PCI Compliance

Vidder helps companies respond to their next audit by focusing on the core problem: ensuring the right people have access to the right application, irrespective of where the application resides or how the user is connecting to the network. Our goal is to help companies segment their network with reduced management and deployment complexity, greatly reducing the cost to implement, enforce and maintain.

Vidder guarantees customer network access is 100% secure and restricted, directly reducing auditors’ time and effort, because audits only need to focus on the part of the network where PCI data is accessed (not on other parts of the client’s network). Moreover, the reduced scope of the audit saves the customer’s IT staff the time, effort and cost of supporting the audit.

Figure 2: Vidder’s solution reduces scope of an audit.

Vidder PrecisionAccess is designed to deliver access to applications processing credit card data via a mutual transport layer security (TLS) tunnel between the user’s device and the application. A key feature of Vidder PrecisionAccess is enforcing two-factor authentication that is seamless to the user and is ‘always on’. A key change in version 3.2 of PCI DSS is the expansion of requirement 8.3 to include use of multi-factor authentication (MFA) for administrators accessing the cardholder data environment.
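As an added illustration of what the ‘always on’ mutual TLS tunnel in the paragraph above enforces (this is example code, not Vidder’s code and not a description of PrecisionAccess internals), the Go program below runs a gateway configured with RequireAndVerifyClientCert and connects to it as a client. The gateway completes a handshake only with a device certificate that chains to the private CA; a client that offers no certificate, or one issued by an unrelated CA, is refused before any application data can be exchanged. The CA, gateway and device identities are generated in memory, and all names (Example Root CA, gateway.example, alice-laptop) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Identity is a key pair plus its certificate, held in memory only (constructed for this example).
type Identity struct {
	Cert    *x509.Certificate
	Key     *ecdsa.PrivateKey
	TLSCert tls.Certificate
}

// Issue mints a certificate for cn: a self-signed CA when ca is nil, otherwise a
// leaf signed by ca, valid for server and client authentication on 127.0.0.1.
func Issue(cn string, ca *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return &Identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}, nil
}

// Connect starts a gateway that completes a handshake only with a client certificate
// chaining to ca, then dials it, offering client's certificate when present is true.
// It returns the CommonName the gateway verified, or the gateway's handshake error.
func Connect(ca, gateway, client *Identity, present bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gateway.TLSCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mutual TLS
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string // identity the gateway verified; written before done is signalled
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			done <- err // no valid client certificate: nothing above TLS is ever reached
			return
		}
		cn = tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		done <- nil
	}()
	cliCfg := &tls.Config{RootCAs: pool} // the client verifies the gateway against the same CA
	if present {
		cliCfg.Certificates = []tls.Certificate{client.TLSCert}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		conn.Close() // only the gateway's verdict is reported, not the client's view
	}
	err = <-done
	return cn, err
}
```

The point to take from the example is that the decision sits in the gateway: without a certificate the CA issued, the TCP connection never becomes an authenticated session, which is what keeps an application invisible to anyone not enrolled.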

Vidder provides a unique approach to handling all compliance and audit requirements, focusing on key benefits for businesses that must satisfy any level of audit or compliance process.


Reduce scope of any audits
• Vidder limits access to the applications that need protection for required compliance or audit, e.g. PCI and penetration testing scope

Quick Enablement
• Vidder can quickly be enabled for customers that have an upcoming deadline, because Vidder can be deployed as an overlay
• Vidder requires less time to set up access when adding or removing applications from the audit scope

Isolate obtainable applications
• Vidder easily and quickly isolates any applications that are difficult to patch or manage, e.g. SAP servers or applications out of support

Reduced Operations cost
• Vidder negates the need for VPN solutions to access protected applications, reducing the cost of VPN licenses
• Vidder requires no change to firewall rules when changes are required to modify access to the protected application, greatly reducing the cost of managing the firewall rule sets across multiple firewalls

Vidder not only helps with compliance but is also the first step towards a zero-trust network that reduces the attack surface. Its innovative approach, in which devices and applications cannot be seen by each other unless authorized, is a new way of segmenting and protecting the network.

Vidder does not depend on network infrastructure or protocols being enabled, which significantly reduces the deployment time and operational costs of passing and maintaining compliance by limiting the number of firewall rules required to manage the segmented network.

Vidder PrecisionAccess addresses three basic access control challenges:

1. Servers need to be isolated from users and devices. There should be no initial connectivity.

2. Trust should be measured for all devices, software, users, and systems. Connection decisions should be based on deep knowledge.

3. Access should be allowed based on trust. Trusted connections should be created dynamically and transparently to users.


Customers that migrate to an application-centric access policy assume they lose visibility into application traffic, because it is hidden inside Vidder’s point-to-point mutual TLS connection between the user and the applications. Prior to Vidder, customers had to locate the traffic related to an application whenever it needed to be reviewed for network traffic and security analysis. Because Vidder protects business-critical applications, customers now have a single source of insight into the users connecting to their most trusted applications.


Why Vidder Is Able to Help Customers Meet PCI Requirements

PCI REQUIREMENT GOAL | VIDDER’S VALUE | WHY VIDDER IS DIFFERENT

Build and Maintain a Secure Network and Systems
• Securing the network: By using Vidder, companies are able to ensure that PCI DSS processing applications are not visible to anyone or anything that should not have access to them, protecting the network from any network-borne cyber threats.
• Simple and fast to implement: Customers can build and maintain secure access without having to worry about the cost of replacing or upgrading network infrastructure, making Vidder’s PrecisionAccess a simpler implementation.
• Reduced operational costs: Vidder ensures operational costs are significantly reduced compared to other solutions that require network components like switches and routers to be on a specific version before access control is implemented. Vidder’s solution is independent of network topology, resulting in reduced firewall rules.

Protect Cardholder Data
• Visibility of user and device access to credit card data: Vidder provides detailed log data that can be used to validate who and what has access to data that falls into the scope of a PCI DSS audit, helping customers address compliance requirements.
• Secure transport of communication: Mutual TLS communication is always on from the end device to the application from the moment the user and device are authenticated. Vidder ensures data is transported in the most secure channel without any changes to the user experience.

Maintain a Vulnerability Management Program
• Secure application development: Vidder as a company is the pioneer of software defined perimeter (SDP) technology and was the first company to implement the protocols and technology for commercial use. Vidder adheres to all listed requirements for developing a secure solution for PCI DSS compliance.

Implement Strong Access Control Measures
• MFA support: Vidder’s solution enforces MFA as the first step in providing access, ensuring only valid users and their associated devices can access protected credit card data.
• Extensible: Vidder’s architecture allows companies to add applications located in the data center, in IaaS locations or even SaaS-based applications, with minimal IT operations cost and impact on the end user experience.
• Granular access: Unlike traditional VPN and NAC-based solutions, where access is provided based on subnets / IP addresses, Vidder provides users application-level access without administrators needing the IPs of the users or applications to protect.

Regularly Monitor and Test Networks
• Real time granular visibility: PrecisionAccess records log in and log out times and locations, as well as the number of bytes transferred to/from each application during the period the user is logged in.

Maintain an Information Security Policy
• Not Applicable
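The three access control challenges listed earlier (no initial connectivity, trust measured before connecting, connections created only on trust) and the MFA support, granular access and real time visibility rows in the table above describe a controller’s decision logic in prose. The Go program below is an added illustration of that logic, not Vidder’s code and not a description of how PrecisionAccess is implemented: access requests are evaluated against a default deny-all entitlement table, with the second factor checked first and device trust second, and each connection produces the per-session audit record (login and logout time, location, bytes transferred) that the visibility row names. The device attributes, user names and application names are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Device carries the attributes a controller would weigh before trusting an
// endpoint; the attribute set is constructed for this example.
type Device struct {
	ID      string
	Managed bool // enrolled in device management
	Patched bool // meets the current patch baseline
}

// AccessRequest is one attempt by a user on a device to reach a protected application.
type AccessRequest struct {
	User        string
	Device      Device
	MFAVerified bool // second factor completed for this session
	App         string
}

// Policy holds explicit entitlements. Anything not listed is denied (default deny-all).
type Policy struct {
	entitlements map[string]map[string]bool // user -> application -> allowed
}

func NewPolicy() *Policy { return &Policy{entitlements: map[string]map[string]bool{}} }

// Grant makes app reachable for user; every other user/application pair stays invisible.
func (p *Policy) Grant(user, app string) {
	if p.entitlements[user] == nil {
		p.entitlements[user] = map[string]bool{}
	}
	p.entitlements[user][app] = true
}

// Decide orders the checks the way the three challenges describe: prove the
// user (MFA), measure the device, and only then consult the entitlement that
// lets a connection be created. Indexing a nil inner map yields false, so an
// unknown user or application falls through to deny.
func (p *Policy) Decide(r AccessRequest) (bool, string) {
	if !r.MFAVerified {
		return false, "deny: MFA not completed"
	}
	if !r.Device.Managed || !r.Device.Patched {
		return false, "deny: device trust insufficient"
	}
	if !p.entitlements[r.User][r.App] {
		return false, "deny: no entitlement for application"
	}
	return true, "allow: connection may be created"
}

// Session is the per-connection audit record: who, what, from where, when,
// and how much data moved, the fields named under "Real time granular visibility".
type Session struct {
	User, App, Location string
	Login, Logout       time.Time
	BytesIn, BytesOut   int64
}

// Duration is how long the user stayed connected to the application.
func (s Session) Duration() time.Duration { return s.Logout.Sub(s.Login) }

// TotalBytes sums bytes moved per user/application pair, keyed "user->app",
// the kind of evidence the Requirement 10 mapping refers to.
func TotalBytes(sessions []Session) map[string]int64 {
	totals := map[string]int64{}
	for _, s := range sessions {
		totals[s.User+"->"+s.App] += s.BytesIn + s.BytesOut
	}
	return totals
}

func main() {
	p := NewPolicy()
	p.Grant("alice", "cde-app") // constructed entitlement
	laptop := Device{ID: "lt-0042", Managed: true, Patched: true}
	byod := Device{ID: "byod-7", Managed: false, Patched: true}
	for _, r := range []AccessRequest{
		{User: "alice", Device: laptop, MFAVerified: true, App: "cde-app"},
		{User: "alice", Device: laptop, MFAVerified: false, App: "cde-app"},
		{User: "alice", Device: byod, MFAVerified: true, App: "cde-app"},
		{User: "bob", Device: laptop, MFAVerified: true, App: "cde-app"},
	} {
		ok, why := p.Decide(r)
		fmt.Printf("%-5s %-7s -> %s: %v (%s)\n", r.User, r.Device.ID, r.App, ok, why)
	}
	t0 := time.Date(2017, 6, 1, 9, 0, 0, 0, time.UTC) // constructed session
	s := Session{User: "alice", App: "cde-app", Location: "HQ", Login: t0, Logout: t0.Add(30 * time.Minute), BytesIn: 1000, BytesOut: 250}
	fmt.Println(s.Duration(), TotalBytes([]Session{s}))
}
```

Note that the entitlement table only ever says yes; there is no way to express an allow for everyone, which is what makes the default deny-all hold as applications are added to or removed from scope.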


Vidder Mapped to PCI DSS 3.2 Requirements

PCI REQUIREMENT GOAL | PCI MAJOR REQUIREMENT | PCI MINOR REQUIREMENT | WHY VIDDER HELPS

Build and Maintain a Secure Network and Systems

Install and maintain a firewall configuration to protect cardholder data
Major requirements: 1.2, 1.3
Minor requirements: 1.2.1, 1.2.2, 1.3.1, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7
✓ PrecisionAccess gateways implement a stateful firewall function separating the trusted network from the untrusted network.
✓ PrecisionAccess restricts inbound client-to-server traffic to only allow authorized users on authorized devices.
✓ Gateways determine the route to protected servers, and the gateway configurations are dynamically loaded from the controller.
✓ PrecisionAccess restricts inbound client-to-server traffic to only allow authorized users on authorized devices. Traffic restriction is independent of access media (i.e., independent of wired vs. wireless).

Do not use vendor-supplied defaults for system passwords and other security parameters
Major requirements: 2.1, 2.2, 2.3
Minor requirements: 2.2.1, 2.2.2, 2.2.4
✓ Default passwords for all components are automatically reset to large random values during installation.
✓ PrecisionAccess creates an overlay cryptographic tunnel from clients to servers such that the cryptographic security of the underlying wireless network is irrelevant.
✓ All PrecisionAccess components comply with NIST STIG hardening guidelines.

Protect Cardholder Data

Protect stored cardholder data
Minor requirement: 3.4.1
✓ When PrecisionAccess is used to provide privileged access to cardholder data, it will also provide a full list of users who access the server containing the data.

Encrypt transmission of cardholder data across open, public networks
Major requirement: 4.1
Minor requirement: 4.1.1
✓ Communication from the PrecisionAccess Client on the user’s device to the PrecisionAccess Gateway in the PCI Cardholder Data Environment (CDE) is done with the highest level of commercially available cryptography.

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software or programs
Not Applicable

Develop and maintain secure systems and applications
Major requirements: 6.3, 6.6, 6.7
Minor requirements: 6.3.1, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.7, 6.5.8, 6.5.9, 6.5.10
✓ All PrecisionAccess components implement these requirements.

Implement Strong Access Control Measures

Restrict access to cardholder data by business need to know
Major requirements: 7.1, 7.2, 7.3
Minor requirements: 7.1.1, 7.1.2, 7.1.3, 7.2.2, 7.2.3
✓ PrecisionAccess is an automated access control system.
✓ PrecisionAccess can provide privileged access for all components of the PCI implementation.
✓ PrecisionAccess can provide very fine-grained authorization.
✓ Gateways and Controllers have a default "deny-all" policy for all users, devices, and applications.

Assign a unique ID to each person with computer access
Major requirements: 8.1, 8.2, 8.3
Minor requirements: 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 8.3.1, 8.3.2, 8.5.5
✓ A user ID is a built-in component of PrecisionAccess.
✓ MFA is a built-in component of PrecisionAccess.
✓ PrecisionAccess encrypts passwords across the network, but does not ensure that they are properly encrypted at rest.

Restrict physical access to cardholder data
Not Applicable

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data
Major requirements: 10.1, 10.2, 10.3
Minor requirements: 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.2
✓ PrecisionAccess records log in and log out times and locations, as well as the number of bytes transferred to/from each application during the period the user is logged in.

Regularly test security systems and processes
Major requirement: 11.1
✓ PrecisionAccess renders access to Wi-Fi useless as a vector of compromise.

Maintain an Information Security Policy

Maintain a policy that addresses information security for all personnel
Not Applicable