Simplifying PCI Compliance with Privileged Access Management and Vulnerability Management
March 29th, 2017
If your organization collects, processes or stores cardholder data in any form, then you must adhere to the Payment Card Industry Data Security Standard (PCI DSS). As you have likely come to understand (and probably painfully, I'm guessing), you will face challenges in meeting your PCI requirements, among them the direct and indirect costs and the operational distractions associated with maintaining compliance. Let's take a quick look at some of these challenges, and then I will explain how BeyondTrust helps you achieve compliance with certain provisions in PCI faster.
Ready to get started? Download our technical brief and learn how BeyondTrust solutions map to PCI guidelines.
Fines and Penalties: Compliance is Mandatory
There are three levels of PCI compliance that an organization may be subject to, depending on the number of transactions that the organization processes and on whether it falls under the "merchant" or the "service provider" compliance definition. If an organization is at the highest level of compliance (Tier 1), assessments are conducted annually by a Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC). Organizations at any other level of compliance (Tiers 2-3) may self-assess against the controls and may not directly involve a QSA. If an organization has been breached and was not in compliance with PCI, the card issuers can impose significant financial penalties on the merchant.
Complexity, Time and Resource Constraints: PCI Distracts from Core Operations
Merchants and service providers subject to PCI DSS should work to continually improve processes to ensure ongoing compliance and security, rather than treating compliance as a point-in-time project. Naturally, this can create a tremendous resource drain on IT teams.
How Privileged Access Management and Vulnerability Management can Help
Because privileged access management and vulnerability management can serve as fundamental technologies for achieving compliance with PCI, we've written a new technical brief that explains how to map BeyondTrust privileged access management and vulnerability management solutions to PCI requirements, so you can more easily demonstrate and maintain compliance. This guide is primarily intended for those who must comply with merchant processing specifications, but it applies to most service providers as well, and is meant to help you get more from your PAM and VM investment.
Mapping BeyondTrust PowerBroker and Retina solutions to PCI requirements
For a quick view of how BeyondTrust solutions map into these requirements, see the table below.
Solution columns: Retina Vulnerability Management; PowerBroker for Unix & Linux; PowerBroker for Windows & Mac; PowerBroker Identity Services; PowerBroker Password Safe; PowerBroker Auditing & Security Suite

|Control Objectives|PCI DSS Requirements|
|---|---|
|Build and Maintain a Secure Network and Systems|Requirement 1: Install and maintain a firewall configuration to protect cardholder data|
|Build and Maintain a Secure Network and Systems|Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data|Requirement 3: Protect stored cardholder data|
|Protect Cardholder Data|Requirement 4: Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program|Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs|
|Maintain a Vulnerability Management Program|Requirement 6: Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures|Requirement 7: Restrict access to cardholder data by business need to know|
|Implement Strong Access Control Measures|Requirement 8: Identify and authenticate access to system components|
|Implement Strong Access Control Measures|Requirement 9: Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks|Requirement 10: Track and monitor all access to network resources and cardholder data|
|Regularly Monitor and Test Networks|Requirement 11: Regularly test security systems and processes|
|Maintain an Information Security Policy|Requirement 12: Maintain a policy that addresses the information security for all personnel|
What to do Next
Download the full PCI guide for a detailed requirement-by-requirement mapping of BeyondTrust PAM and VM solutions to PCI requirements. Remember: there is no magic bullet for achieving PCI compliance, and no one vendor can make you compliant with PCI. Look for solutions that help you simplify it; BeyondTrust can help. Contact us today for a strategy session on your current PCI compliance efforts.