PCI DSS 3.2: Automating Audits and Ensuring Continuous Compliance with AlgoSec

Validating the compliance of corporate firewalls and routers with PCI-DSS requirements is not an easy task. This whitepaper explains how to quickly and automatically assess firewalls and routers against the PCI-DSS v3.2 standard using AlgoSec.

Simplifying PCI-DSS Audits and Ensuring Continuous Compliance with AlgoSec

PCI-DSS is a multi-faceted security standard created by the Payment Card Industry Data Security Standard (PCI-DSS) Council and designed to help organizations proactively protect customer account data. The PCI Data Security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data. The requirements also apply to all system components, which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $500,000 per month for PCI compliance violations.

PCI-DSS directly impacts an organization’s network security architecture and policies for firewalls, routers, and related security infrastructure, and validating the compliance of corporate firewalls and routers with PCI-DSS requirements is not an easy task. An audit typically involves a manual process of checking each element against the relevant PCI-DSS requirement and determining whether it complies. For items that do not comply, the auditor then suggests a remedy, follows up on the correction process and validates that the fix was implemented according to the requirement. This process involves lengthy manual work that consumes considerable time, cost and resources, and is prone to human error.

AlgoSec provides security teams and auditors with an out-of-the-box PCI-DSS compliance report on firewalls and routers that substantially reduces the time to conduct an audit of the network security policy – by as much as 80%. AlgoSec’s PCI-DSS Compliance Report pulls directly from the Payment Card Industry (PCI) Data Security Standard and contains the seven requirements that are relevant to policy management of firewalls and routers. Reports can be automatically generated per device or a specified group of devices in a single report.

AlgoSec provides immediate visibility into the organization’s compliance status, highlights gaps and risks and provides recommendations for remediation, which can be automatically implemented directly through the AlgoSec security management solution. Some key benefits include:

  • Reduce audit preparation time and costs by as much as 80%: Automatically generate PCI reports with the “push of a button”, even across a group of devices to further save time from having to collate reports per device.
  • Ensure accuracy of audits: PCI-DSS requirements are systematically compared to the network security infrastructure, providing an accurate picture of your compliance status.
  • Quickly address compliance gaps with actionable recommendations: Pinpoint areas of non-compliance with steps for remediation.
  • Ensure continuous compliance: Automatically run PCI-DSS risk and compliance checks on every change in the security change management workflow before changes are processed.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

PCI-DSS Requirement 1 covers many aspects of security policy management. AlgoSec supports this requirement by:

  • Identifying all PCI-DSS related risks
  • Tracking every security policy change with customizable alerts
  • Generating a current and interactive network topology map
  • Automatically analyzing firewall configurations at designated intervals
  • And much more

[Table: Install and maintain a firewall configuration to protect cardholder data]

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

AlgoSec’s PCI-DSS report addresses requirement 2 through risk analysis and baseline compliance checks which provide critical device checks. Specific information contained in the AlgoSec report for this requirement includes:

  • Color code of the severity of the risk
  • Risk code
  • Risk description with a link to the Risk Assessment page of the firewall report that provides a detailed explanation of the risk, the rules that contribute to the risk, and the remedy
  • Status
  • Default password settings

[Table: Default Password Check]

Requirement 4: Encrypt transmission of cardholder data across open, public networks

PCI DSS Requirement 4 addresses the need to encrypt sensitive information during transmission over networks that are easily accessed by malicious individuals. AlgoSec supports this requirement by performing risk analysis that indicates whether insecure protocols are being used and also through VPN analysis to make sure all remote connections are being managed correctly. The following table details how AlgoSec assists the organization in meeting this requirement.

[Table: Encrypt transmission of cardholder data across open, public networks]

Requirement 6: Develop and maintain secure systems and applications

PCI-DSS Requirement 6.1 requires a process to identify and rank security vulnerabilities. AlgoSec uniquely maps and correlates security vulnerability data to their respective applications and processes within the scope of the PCI DSS audit. This gives users the information they need to focus and proactively prioritize any necessary remediation efforts based on business priorities and audit requirements. This data is presented in AlgoSec’s out-of-the-box PCI DSS report, making it easy for organizations to support requirement 6.1 of the PCI DSS v3.2 regulatory standard.

To comply with PCI-DSS Requirement 6.2 merchants and service providers need to ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. AlgoSec helps organizations comply with this requirement by checking that firewalls and routers are running software versions that are still actively supported and maintained by the vendors.

[Table: Develop and maintain]

Requirement 10: Regularly test security systems and processes

AlgoSec provides an immediate view of compliance with PCI-DSS Requirement 10 by incorporating the audit logs from the organization’s firewalls inside the AlgoSec reports, and by providing an additional annotated log of the changes to the firewalls. The following table details how AlgoSec assists the organization in meeting this requirement.

[Table: Regularly test security systems and processes]

Requirement 11: Regularly test security systems and processes

To comply with PCI-DSS requirement 11.2, merchants and service providers must have their web sites or IT infrastructures with Internet-facing IP addresses scanned at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). PCI Security Scans are scans conducted over the Internet by an Approved Scanning Vendor (ASV) and AlgoSec provides an offline security scan that supports and complements the ASV’s online scan in two ways:

  • The findings of the AlgoSec scan indicate inherent risks in the firewall configurations
  • The findings can be used by the ASV to focus the scan precisely on those networks and hosts that are inadequately protected by the firewall

To be considered PCI-DSS compliant, the PCI-DSS Requirements and Security Assessment Procedures require that a scan must not contain any vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) base score equal to or higher than 4.0.
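As an added illustration of the pass/fail rule just stated (this is not AlgoSec's code and is not from the original whitepaper), the following Python evaluates a set of constructed scan findings against the 4.0 CVSS base-score threshold and lists what would have to be remediated before the scan could pass:

```python
from dataclasses import dataclass

# PCI DSS ASV scan pass rule as stated above: any finding with a CVSS base
# score of 4.0 or higher means the scan does not pass.
PCI_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str          # Internet-facing IP address that was scanned
    title: str         # vulnerability title reported by the scanner
    cvss_base: float   # CVSS base score, 0.0 to 10.0

    def __post_init__(self):
        if not 0.0 <= self.cvss_base <= 10.0:
            raise ValueError(f"CVSS base score out of range: {self.cvss_base}")


def evaluate_scan(findings):
    """Return (passed, failing): failing holds every finding at or above the
    threshold, highest score first, so remediation can be prioritised."""
    failing = sorted(
        (f for f in findings if f.cvss_base >= PCI_FAIL_THRESHOLD),
        key=lambda f: (-f.cvss_base, f.host, f.title),
    )
    return (len(failing) == 0, failing)


def hosts_needing_remediation(findings):
    """Map each host to its highest failing CVSS score; passing hosts are omitted."""
    worst = {}
    for f in findings:
        if f.cvss_base >= PCI_FAIL_THRESHOLD:
            worst[f.host] = max(worst.get(f.host, 0.0), f.cvss_base)
    return worst


# Constructed sample findings (hypothetical hosts and titles, not real scan output).
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "TLS 1.0 enabled", 4.3),
    Finding("203.0.113.10", "Banner discloses server version", 2.6),
    Finding("203.0.113.20", "Outdated SSH version", 7.5),
    Finding("203.0.113.30", "ICMP timestamp response", 2.1),
]

if __name__ == "__main__":
    passed, failing = evaluate_scan(SAMPLE_FINDINGS)
    print("PASS" if passed else "FAIL")
    for f in failing:
        print(f"  {f.host}  {f.cvss_base:>4}  {f.title}")
```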

[Table: CVSS Score]

Below are the risks that AlgoSec flags, mapped to the PCI-DSS vulnerability levels:

[Table: AlgoSec flags]

Requirement 12: Maintain a policy that addresses information security for employees and contractors

PCI DSS Requirement 12 addresses the need to have a strong security policy that sets the security tone for the whole entity and informs personnel what is expected of them. AlgoSec supports this requirement by providing detailed Risk Analysis that can help create an effective and strong security policy. The following table lists the items of PCI DSS Requirement 12 that AlgoSec supports:

[Table: Maintain a policy that addresses information security for employees and contractors]

About AlgoSec

The leading provider of business-driven security management solutions, AlgoSec helps the world’s largest organizations align security with their business processes. With AlgoSec, users can discover, map and migrate business application connectivity, proactively analyze risk from the business perspective, tie cyber-attacks to business processes and intelligently automate network security changes with zero touch – across their cloud, SDN and on-premise networks. Over 1,800 enterprises, including 20 of the Fortune 50, have utilized AlgoSec’s solutions to make their organizations more agile, more secure and more compliant – all the time. AlgoSec is ISO 27001 certified, and since its inception, AlgoSec has provided the industry’s only money-back guarantee.
