The rapid rise in cyber-attacks and breaches of confidential data demands that the protection of payment transactions be treated as critically important. The world’s leading payment card companies – American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. – have jointly defined a set of security standards, the Payment Card Industry Data Security Standard (PCI DSS), to enhance the protection of transactions. All organizations that store, process or transmit any payment cardholder data, whether from a debit, credit or cash card, are required to be compliant with PCI DSS.
Although PCI DSS is not mandated by United States law, compliance benefits businesses for the following reasons:
- By providing a secure payment environment, organizations enhance cardholders’ trust when sharing highly sensitive data
- Meeting the requirements helps build the reputation of acquirers and payment card issuers
- Keeping the payment environment and processes compliant helps prevent data breaches and card fraud
Merchants and financial institutions operate in a highly competitive space and therefore have to maintain the highest level of payment protection while still trying to reduce service costs. Virtualization saves capital, hardware and operational expenses thanks to the high density, flexibility and scalability of the infrastructure. But this new, dynamic environment also brings new, previously unknown threats. Virtual machines must be isolated, and virtual networks have to be controlled at every level, including private, internal and external ones. The resource load has to be minimal and optimized for virtualization. The only way to achieve the required level of protection while keeping performance high is to use a solution that was specifically designed and built to operate in a virtual environment. This is the key to an optimized and secure infrastructure with a fast return on investment.
5nine Cloud Security is the solution that helps merchants meet the majority of the PCI DSS requirements. Its centralized management console simplifies the administration of security tasks and provides auditing capabilities for compliance. 5nine Cloud Security is a unified security and compliance solution designed specifically to address every Hyper-V security vulnerability using patent-pending technologies, eliminating the need to install additional expensive and resource-consuming security software.
To become PCI DSS compliant, organizations have to meet requirements across 12 sections. Let’s take a look at how 5nine Cloud Security can help you achieve PCI DSS compliance:
| Control Objectives | PCI DSS Requirements | 5nine Cloud Security Support |
|---|---|---|
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data | 5nine Cloud Security provides network protection with an integrated multitenant virtual firewall that is built into the Hyper-V virtual switch. This allows 5nine Cloud Security to monitor any type of virtual network traffic (internal, external and private) and to isolate individual VMs and security groups. Firewall rules can be tied to a specific schedule to reduce the potential attack surface. |
| Build and maintain a secure network | 2. Do not use vendor-supplied defaults for system passwords and other security parameters | 5nine Cloud Security supports Windows Server Active Directory (AD) for managing users and passwords in multi-tenant environments. It does not use default passwords, which reduces the chance of administrators leaving them unchanged. |
| Protect cardholder data | 3. Protect stored cardholder data | This requirement is a question of physical access restrictions and cannot be covered by 5nine Cloud Security. |
| Protect cardholder data | 4. Encrypt transmission of cardholder data across open and public networks | 5nine Cloud Security does not encrypt traffic itself; however, it supports the transmission of encrypted traffic through its networks. |
| Maintain a vulnerability management program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware | 5nine Cloud Security includes the only available agentless antivirus solution for Microsoft Hyper-V, created specifically for virtual infrastructures. It provides antivirus scanning without installing an agent inside the virtual machine, which allows full system antivirus scans up to 70 times faster than legacy AV solutions installed inside virtual machines. The agentless design makes it invisible to end users and prevents them from disabling security. 5nine Cloud Security can be used with Bitdefender, Kaspersky or ThreatTrack engines with frequently updated antivirus signatures. |
| Maintain a vulnerability management program | 6. Develop and maintain secure systems and applications | 5nine Cloud Security includes integrity checks of its security components. Testing, development and production environments can be isolated using security groups, while web applications can be protected with the separate 5nine Web Application Firewall product. Continuous operations logging allows the security administrator to monitor and detect unauthorized attempts to access the security configuration. The integrated intrusion detection system detects application-level attacks directly at the Hyper-V virtual switch level, using the Snort engine and signatures. |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need-to-know | This requirement is covered by the standard authentication methods of Windows Server and Active Directory. |
| Implement strong access control measures | 8. Identify and authenticate access to system components | This requirement is covered by the standard authentication methods of Windows Server and Active Directory. |
| Implement strong access control measures | 9. Restrict physical access to cardholder data | This requirement is a question of physical access restrictions and cannot be covered by 5nine Cloud Security. |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data | This requirement is covered by the standard access rights of Windows Server and the security event logging of 5nine Cloud Security. An integrated network anomaly detection system detects malicious and suspicious network activity. All operations and events are logged in an unchangeable format for later analysis. Integration with centralized logging systems allows the required log retention period to be met. |
| Regularly monitor and test networks | 11. Regularly test security systems and processes | 5nine Cloud Security continuously collects and monitors network statistics such as overall traffic, number of packets and packet size. Using a heuristic algorithm, it establishes a baseline of normal traffic behavior for each virtual machine and continuously monitors deviations from it. If a deviation exceeds the sensitivity level, 5nine Cloud Security immediately raises a notification about a potential attack or malicious network activity. The integrated intrusion detection system based on Snort signatures, together with the heuristic algorithm, allows penetration tests to be passed successfully. |
| Maintain an information security policy | 12. Maintain a policy that addresses information security | This requirement is a question of corporate information policy and cannot be covered by 5nine Cloud Security. |
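The per-VM traffic baseline described under requirement 11 (collect traffic volume, packet count and packet size, learn what is normal for each VM, alert when a deviation exceeds a sensitivity level) can be illustrated with a small statistical detector. The following is an added example written for this post; it is not 5nine's code and the page does not say which heuristic the product uses. It assumes a z-score baseline (mean and standard deviation per metric), a constructed counter log in the form `vm bytes packets` per interval, and a default sensitivity of 3 standard deviations; all VM names and numbers are made up.

```python
"""Per-VM network-traffic baseline and deviation alerting (constructed example).

Each sample is one measurement interval for one VM: total bytes, packet
count and mean packet size. The baseline is the mean and standard deviation
of each metric over a training window; a new sample is flagged when any
metric deviates from the baseline by more than `sensitivity` standard
deviations. The log lines below are constructed for this example.
"""
import math
import statistics
from collections import defaultdict

METRICS = ("bytes", "packets", "avg_pkt_size")

# Constructed per-interval counters: "<vm_name> <bytes> <packets>".
# avg_pkt_size is derived from the two counters so the metrics stay consistent.
TRAINING_LOG = """\
vm-web01 1200000 9500
vm-web01 1250000 9800
vm-web01 1180000 9300
vm-web01 1210000 9600
vm-web01 1230000 9700
vm-db01 400000 2000
vm-db01 410000 2050
vm-db01 395000 1980
vm-db01 405000 2020
vm-db01 400000 2000
"""


def parse_samples(text):
    """Turn the constructed counter lines into per-VM lists of metric dicts."""
    samples = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        vm, nbytes, npkts = line.split()
        nbytes, npkts = int(nbytes), int(npkts)
        samples[vm].append({
            "bytes": nbytes,
            "packets": npkts,
            "avg_pkt_size": nbytes / npkts if npkts else 0.0,
        })
    return samples


def build_baseline(samples):
    """Mean and population standard deviation per metric (needs >= 2 samples)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to build a baseline")
    baseline = {}
    for m in METRICS:
        values = [s[m] for s in samples]
        baseline[m] = (statistics.mean(values), statistics.pstdev(values))
    return baseline


def zscores(baseline, sample):
    """Deviation of each metric from the baseline, in standard deviations.

    A zero-variance metric that moves at all scores as infinite deviation,
    so a perfectly flat training window still produces alerts instead of
    a division-by-zero error.
    """
    out = {}
    for m in METRICS:
        mean, std = baseline[m]
        diff = sample[m] - mean
        if std == 0:
            out[m] = 0.0 if diff == 0 else math.inf
        else:
            out[m] = diff / std
    return out


def detect_deviations(baseline, sample, sensitivity=3.0):
    """Return only the metrics whose deviation exceeds the sensitivity level."""
    return {m: z for m, z in zscores(baseline, sample).items() if abs(z) > sensitivity}


def build_all_baselines(text):
    """One baseline per VM found in the counter log."""
    return {vm: build_baseline(s) for vm, s in parse_samples(text).items()}


if __name__ == "__main__":
    baselines = build_all_baselines(TRAINING_LOG)
    # Constructed live interval: traffic volume jumps roughly 10x while the
    # mean packet size collapses, the shape of a flood rather than normal load.
    live = {"bytes": 12_000_000, "packets": 400_000, "avg_pkt_size": 30.0}
    for metric, z in detect_deviations(baselines["vm-web01"], live).items():
        print(f"vm-web01 {metric}: {z:+.1f} sigma from baseline")
```

The sensitivity level is the knob the requirement text refers to: a lower value catches smaller deviations at the cost of more false positives, so in practice it is tuned per VM role (a database VM with steady traffic tolerates a lower threshold than a web front end with bursty load). Baselines should also be rebuilt periodically, otherwise legitimate growth in traffic eventually reads as an anomaly.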
To summarize, 8 out of 12 PCI DSS requirements for virtual and cloud infrastructure protection can be covered by 5nine Cloud Security and standard Microsoft Windows Server methods. The remaining ones can be met through physical restrictions and corporate policies. 5nine Cloud Security will help merchants and financial institutions cover the majority of PCI DSS requirements, improve transaction protection and become more competitive.
Are you interested in learning more about PCI DSS compliance? Leave your comments or questions and we will be happy to provide more insight!