Hospitality

PCI DSS and Proofpoint

Defined by the Payment Card Industry Security Standards Council, PCI DSS (PCI Data Security Standard) was created to increase security controls of cardholder data in an effort to reduce credit card fraud due to exposure. Credit card merchants and processors must comply via annual audits performed by an external Qualified Security Assessor (QSA).

PCI DSS 2.0 (Payment Card Industry – Data Security Standard v2.0)


Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software on all systems commonly affected by malware
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy
  • Maintain a policy that addresses information security

How does Proofpoint help organizations address PCI requirements?

PCI Requirements addressed by the Proofpoint Solution Suites (Proofpoint Enterprise Privacy, Proofpoint Enterprise Protection, Proofpoint Solution Platform)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Req 2.1 Always change vendor-supplied defaults before installing a system on the network.
  • Req 2.3 Encrypt all non-console administrative access such as browser/Web-based management tools.
  • Req 2.4 Shared hosting providers must protect each entity’s hosted environment and cardholder data.

Requirement 3: Protect stored cardholder data
  • Req 3.1 Limit cardholder data storage and retention time to that required for business, legal and/or regulatory purposes, as documented in your data retention policy.
  • Req 3.2 Do not store sensitive authentication data after authorization.
  • Req 3.4 Render PAN, at minimum, unreadable anywhere it is stored.
  • Req 3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse.
  • Req 3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Req 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
  • Req 4.2 Never send unencrypted PANs by end-user messaging technologies.

Requirement 5: Use and regularly update anti-virus software on all systems commonly affected by malware
  • Req 5.1 Deploy anti-virus software on all systems affected by malicious software (particularly personal computers and servers).
  • Req 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Requirement 6: Develop and maintain secure systems and applications
  • Req 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed.
  • Req 6.2 Establish a process to identify newly discovered security vulnerabilities, such as by subscribing to alert services, or using a vulnerability scanning service or software.

Requirement 7: Restrict access to cardholder data by business need-to-know
  • Req 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

Requirement 8: Assign a unique ID to each person with computer access
  • Req 8.4 Render all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
  • Req 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

Requirement 10: Track and monitor all access to network resources and cardholder data
  • Req 10.1 Establish a process for linking all access to system components to each individual user, especially access done with administrative privileges.


Proofpoint Enterprise Privacy Key Capabilities for PCI DSS Security Standards:

  • Accurate Detection of PANs: Primary Account Numbers (PANs) are identified using a Smart Identifier for credit card numbers. Proofpoint Enterprise Privacy applies the Luhn algorithm check (also known as "Mod 10") to validate that a candidate number is a well-formed credit card number. Once a PAN has been identified, Proofpoint Enterprise Privacy can also search for common credit card terms and labels in close proximity, such as "Visa" or "AmEx" (fully configurable by the administrator), to further increase the confidence level of the detection.

  • Compliance Dashboard: Compliance officers have a dashboard view of their organization. Incidents that require review are highlighted, with one-click drill-down access to each specific incident that may require intervention or remediation. Reports summarize the frequency and type of content that triggered the specific policies, whether the outcome was automatic encryption or blocking.

  • Full Support for Cloud-based Email Systems (e.g., MS Office 365): Proofpoint Enterprise Privacy is available as a cloud-based compliance solution and provides the same rich functionality as the on-premises solution. It also integrates seamlessly with any cloud-based email solution, such as Microsoft's Office 365, ensuring your ability to comply with PCI DSS while leveraging the cost benefits of the cloud.
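As an added illustration of the PAN detection described in the first bullet above (example code, not Proofpoint's own), the following Python sketch runs the Luhn (Mod 10) check over digit runs in a message and raises the confidence level when card terms appear nearby. The candidate regex, keyword list and 40-character proximity window are assumptions, and findings are masked so that the detector itself never retains a full PAN.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or hyphens (assumed pattern).
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Proximity terms that raise confidence; a constructed, administrator-configurable list.
DEFAULT_KEYWORDS = ("visa", "amex", "mastercard", "discover", "credit card", "card number")


def luhn_valid(digits: str) -> bool:
    """Mod 10 check: from the right, double every second digit (subtract 9 if the
    result exceeds 9), sum everything, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits so a finding can be logged without storing the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str, keywords=DEFAULT_KEYWORDS, window: int = 40) -> list:
    """Return Luhn-valid candidates with a confidence level based on nearby card terms."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # loyalty, reference and phone numbers mostly fail here
        context = text[max(0, m.start() - window): m.end() + window].lower()
        nearby = [k for k in keywords if k in context]
        findings.append({
            "masked": mask(digits),
            "length": len(digits),
            "confidence": "high" if nearby else "medium",
            "keywords": nearby,
        })
    return findings


# Constructed sample message using publicly known test card numbers, not real cardholder data.
SAMPLE_MESSAGE = """Guest paid with Visa card 4111 1111 1111 1111, exp 09/27.
Loyalty number 1234 5678 9012 3456 is not a card.
AmEx on file: 378282246310005. Thanks!
Folio 77201 closed. Payment reference 5555 5555 5555 4444 for your records."""

if __name__ == "__main__":
    for finding in find_pans(SAMPLE_MESSAGE):
        print(finding)
```

The Luhn check alone cannot tell a card number from any other Mod 10 value, which is why the keyword proximity step exists; the loyalty number in the sample fails Luhn, and the last number passes but is only reported at medium confidence.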

Proofpoint Enterprise Protection Key Capabilities for PCI DSS Security Standards:

  • Comprehensive Protection from Email-Borne Threats: Powered by the patented MLX Threat Classification Engine, phishing, viruses, and other email-borne malware are identified and managed accordingly, protecting systems from infection.

Compare & Contrast Competitors (Why Switch):

  • Detection Accuracy of PANs: Proofpoint Enterprise Privacy provides the most comprehensive and accurate detection of PANs from the various credit card issuers. This ensures that only messages containing actual PANs are flagged for encryption or blocked and, just as importantly, that messages which do not require protection are not flagged.

  • Easy-to-Use, Fully Integrated, Policy-Based Encryption: An easy-to-use, policy-based encryption solution that accurately identifies messages containing PANs for encryption ensures your organization maintains compliance with PCI DSS.

©2014 Proofpoint, Inc.