Protecting Cardholder Data -- 5 Tools to Help You Meet PCI Compliance
When you make an electronic payment, whether by swiping a card at a checkout counter or by entering it on a commercial Web site, your payment information is sent to a payment card server run by the bank or merchant that sponsors the particular card. The server processes the payment data, communicates the transaction to the vendor and authorizes the purchase.
Hackers are constantly looking for vulnerabilities that could let them take control of all or part of that server and steal credit card numbers and other cardholder information.
The Payment Card Industry (PCI) Data Security Standard (DSS), mandated by Visa, MasterCard and other card issuers, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with 12 key data protection measures and submit to security audits. Under the rules, companies must protect cardholder transaction data through logical and physical access controls, activity monitoring and logging, encryption and regular network scans. Companies could face penalties of up to $500,000 for breaching customer credit card information.
Vigilance Pays Off
In Aberdeen Group's third annual study on PCI DSS and protecting cardholder data, the organizations earning top results achieved and sustained compliance with PCI DSS at 50 percent lower cost than all other respondents. The study showed that consistent network vulnerability scanning, application vulnerability scanning and penetration testing are core capabilities for enhancing security and achieving and sustaining PCI compliance; the top-performing companies spent 61 percent less than all others in these areas while achieving better results.
The study found consistently large gaps between the leading and lagging performers in current use of technologies such as encryption, enterprise key management, content monitoring and filtering, and access management.
Milestone offers solutions to help organizations meet PCI DSS requirements. For example:
1. F5 Networks’ BIG-IP Application Security Manager (ASM) is a Web application firewall that delivers comprehensive protection for Web applications. Because PCI DSS Requirement 6.6 accepts a Web application firewall in front of public-facing applications as an alternative to application code review, ASM can help your organization pass a security audit without requiring changes to the application code, although it complements rather than replaces fixing the underlying vulnerabilities. Its PCI compliance reports provide an executive summary of the requirements and recommendations for bringing your application environment into compliance. ASM also detects when your sites are being scraped for valuable content and shields them from copy and reuse.
2. PCI DSS Requirement 8 requires that organizations assign a unique ID to each person with computer access and track their activity, and it requires two-factor authentication for remote access into the cardholder environment. Milestone Systems helps companies deploy SecureAuth 4.9.5 for VPN Authentication from Multifactor, which specifically addresses these requirements for remote access to controlled systems. Working with the major VPN platforms, SecureAuth delivers a secure credential mapped directly to the individual user, drawing on the organization’s existing identity data store rather than a separate user database.
3. For vulnerability scanning and penetration testing, Milestone recommends WhiteHat, a Web application security testing service. “WhiteHat provides amazing visibility into your network,” explains Terry Shidla, CISSP at Milestone. Delivered as SaaS (Software-as-a-Service) and combining proprietary scanning technology with expert analysis, WhiteHat lets security professionals find and fix Web site vulnerabilities before hackers can exploit them and helps fulfil the PCI testing requirements for Web applications. Note that PCI DSS also requires quarterly external network vulnerability scans by an Approved Scanning Vendor (ASV) and annual penetration testing, so confirm that the scanning service you choose covers those requirements as well as application testing.
4. For protecting cardholder data that leaves the organization by e-mail, Milestone recommends Cisco IronPort’s Data Loss Prevention appliances, which provide accurate, easy-to-use content-level filtering to detect sensitive data such as card numbers before it leaves the organization. If a message containing sensitive data requires encryption, it can be encrypted automatically using the Cisco IronPort Email Encryption feature, an agentless mechanism that does not require PKI certificates, key management or any recipient training. This directly supports PCI DSS Requirement 4.2, which prohibits sending unprotected primary account numbers by end-user messaging such as e-mail.
5. Milestone provides activity monitoring and full-disk encryption through Check Point. Check Point’s Monitoring Software Blade shows a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events, while Check Point hard disk encryption protects cardholder data stored on laptops and workstations.
The threat landscape is constantly changing, and realistically companies can neither adopt a “set and forget” approach to security nor hope that either the compliance requirements or the threats will simply go away. A PCI certificate shows compliance at a point in time, not ongoing security; most attacks are avoided by staying vigilant, regardless of whether the organization has been certified as PCI compliant. To learn how Milestone can help enhance your network security, call 866.646.9211 or e-mail info@milestonesystems.com.