Validating the compliance of corporate firewalls and routers with PCI-DSS requirements is not an easy task. This whitepaper explains how to quickly and automatically assess firewalls and routers against the PCI-DSS v3.2 standard using AlgoSec.
PCI-DSS is a multi-faceted security standard created by the Payment Card Industry Data Security Standard (PCI-DSS) Council and designed to help organizations proactively protect customer account data. The PCI Data Security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data. The requirements also apply to all system components which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $500,000 per month for PCI compliance violations.
PCI-DSS directly impacts an organization’s network security architecture and policies for firewalls, routers, and related security infrastructure, but validating the compliance of corporate firewalls and routers with PCI-DSS requirements is not an easy task. An audit typically involves a manual process of checking each element against the relevant PCI-DSS requirement and determining if it complies. For items that do not comply with the requirements, the auditor would then suggest a remedy, follow up on the correction process and validate that the fix was implemented according to the requirement. This process requires lengthy manual operations that consume considerable time, costs and resources, and are prone to human error.
AlgoSec provides security teams and auditors with an out-of-the-box PCI-DSS compliance report on firewalls and routers that substantially reduces the time to conduct an audit of the network security policy – by as much as 80%. AlgoSec’s PCI-DSS Compliance Report pulls directly from the Payment Card Industry (PCI) Data Security Standard and contains the seven requirements that are relevant to policy management of firewalls and routers. Reports can be automatically generated per device or a specified group of devices in a single report.
AlgoSec provides immediate visibility into the organization’s compliance status, highlights gaps and risks and provides recommendations for remediation, which can be automatically implemented directly through the AlgoSec security management solution. Some key benefits include:
PCI-DSS Requirement 1 covers many aspects of security policy management. AlgoSec supports this requirement by:
AlgoSec’s PCI-DSS report addresses requirement 2 through risk analysis and baseline compliance checks which provide critical device checks. Specific information contained in the AlgoSec report for this requirement includes:
PCI DSS Requirement 4 addresses the need to encrypt sensitive information during transmission over networks that are easily accessed by malicious individuals. AlgoSec supports this requirement by performing risk analysis that indicates whether insecure protocols are permitted by the policy, and through VPN analysis that verifies all remote connections are being managed correctly. The following table details how AlgoSec assists the organization in meeting this requirement.
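The kind of check described above, written as an added example rather than AlgoSec's own analysis logic: a small audit over a constructed firewall policy that flags any allow rule permitting a cleartext or weakly protected service (telnet, FTP, HTTP, SNMPv1/v2, rsh) to or from the cardholder data environment. The rule format, the CDE address block (10.20.0.0/16), the service-to-port mapping and the sample rules are all assumptions made for this example.

```python
"""Flag firewall rules that let cleartext services reach or leave the CDE.

Added illustration, not AlgoSec code. The Rule layout, the CDE network, the
INSECURE_SERVICES table and SAMPLE_RULES are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Services treated here as insecure for sensitive data in transit
# (cleartext or no integrity protection). Assumed name -> (protocol, port).
INSECURE_SERVICES = {
    "telnet": ("tcp", 23),
    "ftp": ("tcp", 21),
    "http": ("tcp", 80),
    "snmpv1v2": ("udp", 161),
    "rsh": ("tcp", 514),
}

# Assumed cardholder data environment (CDE) address block.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/16")


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    port: str     # port number as text, or "any"


def _overlaps_cde(cidr):
    """True if the address object can include CDE hosts ("any" always can)."""
    if cidr == "any":
        return True
    return ipaddress.ip_network(cidr).overlaps(CDE_NETWORK)


def _matches_service(rule, proto, port):
    """True if the rule's service field covers the given protocol/port."""
    proto_ok = rule.proto == "any" or rule.proto == proto
    port_ok = rule.port == "any" or int(rule.port) == port
    return proto_ok and port_ok


def audit_cleartext(rules):
    """Return (rule_name, service) pairs for allow rules that permit an
    insecure service where either endpoint can lie inside the CDE."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if not (_overlaps_cde(rule.src) or _overlaps_cde(rule.dst)):
            continue  # rule never touches cardholder data hosts
        for svc, (proto, port) in INSECURE_SERVICES.items():
            if _matches_service(rule, proto, port):
                findings.append((rule.name, svc))
    return findings


# Constructed sample policy: r1 is clean, r2/r3 expose a single cleartext
# service, r4 is a deny, r5 never touches the CDE, r6 is a permissive any/any.
SAMPLE_RULES = [
    Rule("r1", "allow", "192.168.1.0/24", "10.20.5.0/24", "tcp", "443"),
    Rule("r2", "allow", "192.168.1.0/24", "10.20.5.0/24", "tcp", "23"),
    Rule("r3", "allow", "10.20.7.0/24", "any", "tcp", "80"),
    Rule("r4", "deny", "any", "10.20.0.0/16", "tcp", "21"),
    Rule("r5", "allow", "172.16.0.0/12", "10.30.0.0/16", "udp", "161"),
    Rule("r6", "allow", "any", "10.20.9.0/24", "any", "any"),
]

if __name__ == "__main__":
    for name, svc in audit_cleartext(SAMPLE_RULES):
        print(f"{name}: permits {svc} to/from the CDE")
```

The check deliberately treats "any" as overlapping the CDE, so a broad any/any rule (r6 above) is reported once per insecure service; in a real audit that single rule is the finding a reviewer would want to see first.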
PCI-DSS Requirement 6.1 requires a process to identify and rank security vulnerabilities. AlgoSec uniquely maps and correlates security vulnerability data to their respective applications and processes within the scope of the PCI DSS audit. This gives users the information they need in order to focus and proactively prioritize any necessary remediation efforts based on business priorities and audit requirements. This data is presented in AlgoSec’s out-of-the-box PCI DSS report, making it easy for organizations to support requirement 6.1 of the PCI DSS v3.2 regulatory standard.
To comply with PCI-DSS Requirement 6.2, merchants and service providers need to ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. AlgoSec helps organizations comply with this requirement by checking that firewalls and routers are running software versions that are still actively supported and maintained by the vendors.
Requirement 10: Regularly test security systems and processes
AlgoSec provides an immediate view of compliance with PCI-DSS Requirement 10 by incorporating the audit logs from the organization’s firewalls inside the AlgoSec reports, and by providing an additional annotated log of the changes to the firewalls. The following table details how AlgoSec assists the organization in meeting this requirement.
To comply with PCI-DSS requirement 11.2, merchants and service providers must have their web sites or IT infrastructures with Internet-facing IP addresses scanned at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades). PCI Security Scans are scans conducted over the Internet by an Approved Scanning Vendor (ASV). AlgoSec provides an offline security scan that supports and complements the ASV's online scan in two ways:
To be considered PCI-DSS compliant, the PCI-DSS Requirements and Security Assessment Procedures require that a scan contain no vulnerability with a Common Vulnerability Scoring System (CVSS) base score of 4.0 or higher.
Below are the risks that AlgoSec flags, coordinated with PCI-DSS vulnerability levels:
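To make the 4.0 threshold concrete, here is an added example (not AlgoSec's report logic) that grades a constructed set of scan findings the way the ASV pass/fail rule works: any finding at CVSS 4.0 or above fails the host, and findings are bucketed into the severity bands used by the PCI ASV Program Guide (High 7.0 to 10.0, Medium 4.0 to 6.9, Low 0.0 to 3.9). The host names, plugin titles and scores are constructed sample data.

```python
"""Grade scan findings against the PCI-DSS ASV pass threshold.

Added illustration, not AlgoSec code. SAMPLE_FINDINGS is constructed data;
the severity bands follow the PCI ASV Program Guide.
"""
from dataclasses import dataclass

# A finding with a CVSS base score at or above this value fails the scan.
PCI_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float


def pci_severity(score):
    """Map a CVSS base score to the ASV severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= PCI_FAIL_THRESHOLD:
        return "Medium"
    return "Low"


def grade_scan(findings):
    """Return overall pass/fail, per-band counts and the hosts that fail."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    failing_hosts = set()
    for f in findings:
        counts[pci_severity(f.cvss_base)] += 1
        if f.cvss_base >= PCI_FAIL_THRESHOLD:
            failing_hosts.add(f.host)
    return {
        "result": "fail" if failing_hosts else "pass",
        "counts": counts,
        "failing_hosts": sorted(failing_hosts),
    }


# Constructed sample findings: one Medium, one High, two Low.
SAMPLE_FINDINGS = [
    Finding("web1.example", "TLS 1.0 enabled", 4.3),
    Finding("web1.example", "Server banner disclosure", 2.6),
    Finding("vpn1.example", "Outdated SSL library", 7.5),
    Finding("mail1.example", "ICMP timestamp response", 0.0),
]

if __name__ == "__main__":
    report = grade_scan(SAMPLE_FINDINGS)
    print(f"Scan result: {report['result']}")
    print(f"Counts: {report['counts']}")
    print(f"Failing hosts: {', '.join(report['failing_hosts']) or 'none'}")
```

Note that the Low band is informational only: a host with nothing above 3.9 still passes, which is why the example reports band counts separately from the pass/fail result.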
PCI DSS Requirement 12 addresses the need to have a strong security policy that sets the security tone for the whole entity and informs personnel what is expected of them. AlgoSec supports this requirement by providing detailed Risk Analysis that can help create an effective and strong security policy. The following table lists the items of PCI DSS Requirement 12 that AlgoSec supports:
The leading provider of business-driven security management solutions, AlgoSec helps the world’s largest organizations align security with their business processes. With AlgoSec, users can discover, map and migrate business application connectivity, proactively analyze risk from the business perspective, tie cyber-attacks to business processes and intelligently automate network security changes with zero touch – across their cloud, SDN and on-premise networks. Over 1,800 enterprises, including 20 Fortune 50 companies, have utilized AlgoSec’s solutions to make their organizations more agile, more secure and more compliant – all the time. AlgoSec is ISO 27001 certified, and since its inception, AlgoSec has provided the industry’s only money-back guarantee.