Simplifying PCI Compliance with Privileged Access Management and Vulnerability Management

Scott Lang, March 29th, 2017

Simplify PCI Compliance

If your organization collects, processes or stores cardholder data in any form, then you must adhere to the Payment Card Industry Data Security Standard (PCI DSS). As you have likely come to understand (and probably painfully I’m guessing) you will have challenges in meeting your PCI requirements; among them the direct and indirect costs and operational distractions associated with maintaining compliance. Let’s take a quick look at some of these challenges, and then I will explain how BeyondTrust helps you achieve compliance with certain provisions in PCI faster.

Ready to get started? Download our technical brief and learn how BeyondTrust solutions map to PCI guidelines.
Download now

Fines and Penalties: Compliance is Mandatory

There are three levels of PCI compliance that an organization may be subject to, depending on the number of transactions that the organization processes, or if they are subject to the “merchant” or the “service provider” compliance definitions. If an organization is at the highest level of compliance (Tier 1), assessments are conducted annually by a Qualified Security Assessor (QSA) who creates a Report on Compliance (ROC). Any other levels of compliance (Tiers 2-3), may self-assess against the controls and may not directly involve a QSA. If an organization has been breached and was not in compliance with PCI, the card issuers can impose significant financial penalties on the merchant.

Complexity, Time and Resource Constraints: PCI Distracts from Core Operations

Merchants and service providers subject to PCI DSS should work to continually improve processes to ensure ongoing compliance and security, rather than treating compliance as a point-in-time project. Naturally, this can create a tremendous resource drain on IT teams.

How Privileged Access Management and Vulnerability Management can Help

Since they can be used as fundamental technologies to achieving compliance with PCI, we’ve written a new technical brief that explains how to map BeyondTrust privileged access management and vulnerability management solutions to PCI requirements to more easily demonstrate and maintain compliance. This guide is primarily intended to be used for those who must comply with merchant processing specifications, but applies to most service providers as well, and is meant to help you get more from your PAM and VM investment.

Mapping BeyondTrust PowerBroker and Retina solutions to PCI requirements

For a quick view of how BeyondTrust solutions map into these requirements, see the table below.

Control Objectives PCI DSS Requirements
BeyondTrust Platform
Retina Vulnerability Management
PowerBroker for Unix & Linux
PowerBroker for Windows & Mac
PowerBroker Identity Services
PowerBroker Password Safe
PowerBroker Auditing & Security Suite
Build and Maintain a Secure Network and Systems Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses the information security for all personnel

What to do Next

Download the full PCI guide for a detailed requirement-by-requirement mapping of BeyondTrust PAM and VM solutions into PCI requirements. Remember: There is no magic bullet to achieving PCI compliance and no one vendor that can make you compliant with PCI. Look for solutions that help you simplify it; BeyondTrust can help. Contact us today for a strategy session on your current PCI compliance efforts.

Download now