Companies processing, storing, or transmitting credit card numbers must comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. The penalties and sanctions for non-compliance are severe, including losing the ability to process credit card payments. Based on its integrated and scalable automated risk and compliance management software platform, Skybox provides out-of-the-box solutions for the PCI requirements 1, 6, 11, and 12, producing custom reports that can be utilized by management, technical staff, and auditors.
The cost of time and resources invested to maintain PCI DSS compliance on an annual basis is already high, but once compliance is obtained the environment continues to change. Ensuring that compliance is retained year round and that card holder data remains safe becomes a daunting task. Manual processes increase the complexity.
To deal with these challenges, organizations are headed into a "perfect storm" composed of increasing compliance and security pressures – magnified by IT complexity and limited resources.
Skybox Security’s risk- and security-centric software platform provides a risk-based approach that reduces resource requirements while ensuring compliance with four PCI requirements.
Solution
With Skybox solutions, enterprises no longer have to take a manual approach to assessing their PCI compliance or risk exposure status. Through automation, analytics, modeling, and what-if prediction, enterprises can be compliant with the PCI DSS requirements on a daily basis while providing the ability to reallocate expensive resources to other critical tasks. Skybox solutions for obtaining PCI DSS compliance enable the enterprise to:
· Minimize the scope and time of PCI audits by assuring that systems processing cardholder data are well segmented from the rest of the IT infrastructure, so that PCI compliance requirements impact only a small portion of the overall corporate network.
· Automate complex and tedious firewall and network configuration compliance requirements as stated in Requirement 1 of PCI DSS.
· Significantly reduce the amount of expensive and disruptive patches by verifying that compensating controls are mitigating the potential exposure of critical vulnerabilities, as stated in Requirement 6 of PCI DSS.
Detailed mapping of PCI DSS requirements and Skybox solutions:
| Requirement | Challenge | Solution |
|---|---|---|
| Assessment Scope Definition | Difficult to prove that the minimal scope for compliance is sufficient. Costly compliance burden due to an unnecessarily large, and sometimes enterprise-wide, audit scope. | Network Compliance Auditor. Reduce the scope and time of PCI audits by assuring the network is properly configured. |
| Requirement 1: Install and maintain a firewall to protect cardholder data | Costly, non-scalable, and error-prone firewall audits. Impossible to maintain current network diagrams due to rapid change. Need to demonstrate on-going firewall change assurance. Need to demonstrate a network access policy consistent with PCI guidelines. | Firewall Compliance Auditor and Network Compliance Auditor. Demonstrate on-going firewall change assurance, by individual firewall analysis or by modeling the entire firewall population. Automate the process of continuously assessing network access policy compliance. Provide automatically updated network maps. |
| Requirement 6: Develop and maintain secure systems and applications | Costly and sometimes unsafe patch deployment process. Need to provide proof that compensating controls achieve acceptable risk mitigation, in order to avoid the implementation of an unbounded number of patches. Non-scalable threat and vulnerability alert management process. Non-scalable change management requirements for impact analysis and documentation. | Risk Exposure Analyzer, Firewall Compliance Auditor, and Network Compliance Auditor. Automate the threat assessment and vulnerability prioritization process; normalize all data feeds; guide safe and effective remediation; issue tickets for provisioning tools; track completion of remediation tasks. Generate risk trends and business impact metrics to enable continuous, quick, and accurate prioritization of vulnerabilities. Verify that compensating controls are mitigating the potential exposure of critical vulnerabilities. Automate a change assurance workflow from receipt of the change request through change impact analysis to post-deployment validation, greatly reducing rework and configuration errors. |
| Requirement 11: Regularly test security systems and processes | Costly, non-scalable testing of network security controls for effective attack mitigation. Costly and limited penetration testing process. Need for a governance dashboard for the vulnerability management program. Need to prove that vulnerability assessments cover all layers of the IT stack per requirements (quarterly and after every major change). | Risk Exposure Analyzer and Security Profile Advisor. Virtual penetration testing: simulate all attacks taking into account threat type, vulnerabilities, network topology, network configurations, and business logic. Measure vulnerability program effectiveness; provide KPIs and trends for each part of the organization. |
| Requirement 12: Maintain a policy that addresses information security | Formal risk assessment is required annually. Formal policy is required for monitoring the effectiveness of network security configurations and of vulnerability and threat management programs. | Risk Exposure Analyzer and Security Profile Advisor. Reduce the window of exposure by enhancing the annual risk assessment with daily risk assessment. Capture the vulnerability level and remediation latency policy of the organization. Provide KPIs and trends for vulnerability remediation programs within the organization. Document all current and historical vulnerabilities and remediation. |
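To make the Requirement 1 and scope-definition rows concrete, here is an added, illustrative segmentation check (not Skybox product code): it flags firewall allow rules that open the cardholder data environment (CDE) beyond an approved access policy, with an over-broad source range treated as a finding. The CDE range, approved flows, and sample ruleset are constructed for the example.

```python
# Illustrative PCI Requirement 1 check (not Skybox code): report firewall rules
# that let traffic into the cardholder data environment (CDE) outside policy.
# The CDE subnet, approved flows and sample rules below are constructed.
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, ANY_PORT for any

# Constructed policy: the CDE subnet and the only flows permitted into it
CDE = ipaddress.ip_network("10.20.0.0/24")
APPROVED_INTO_CDE = [("10.10.5.0/24", 443)]  # payment app tier -> CDE, HTTPS only

def enters_cde(rule: Rule) -> bool:
    """Allow rule whose source is outside the CDE and destination touches it."""
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    return rule.action == "allow" and dst.overlaps(CDE) and not src.subnet_of(CDE)

def is_approved(rule: Rule) -> bool:
    """Approved only if the source fits inside an approved source range and the
    port matches exactly; a rule for any port is never approved."""
    src = ipaddress.ip_network(rule.src)
    return any(src.subnet_of(ipaddress.ip_network(a_src)) and rule.port == a_port
               for a_src, a_port in APPROVED_INTO_CDE)

def audit_cde_segmentation(rules: list[Rule]) -> list[str]:
    """One finding per rule that opens the CDE outside the approved policy."""
    findings = []
    for i, rule in enumerate(rules):
        if enters_cde(rule) and not is_approved(rule):
            port = "any" if rule.port == ANY_PORT else rule.port
            findings.append(f"rule {i}: allow {rule.src} -> {rule.dst} "
                            f"port {port} exceeds CDE access policy")
    return findings

# Constructed sample ruleset, evaluated rule by rule
SAMPLE_RULES = [
    Rule("allow", "10.10.5.0/24", "10.20.0.0/24", 443),       # approved flow
    Rule("allow", "0.0.0.0/0", "10.20.0.0/24", ANY_PORT),     # CDE open to anyone
    Rule("allow", "10.10.0.0/16", "10.20.0.10/32", 443),      # source broader than policy
    Rule("allow", "10.20.0.0/24", "10.20.0.0/24", ANY_PORT),  # intra-CDE, not in scope here
    Rule("deny", "0.0.0.0/0", "10.20.0.0/24", ANY_PORT),      # default deny
]

if __name__ == "__main__":
    for finding in audit_cde_segmentation(SAMPLE_RULES):
        print(finding)
```

Running the block prints two findings (rules 1 and 2); the approved flow, the intra-CDE rule, and the default deny produce none.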
Download: PCI Compliance Using Skybox Solutions White Paper
Skybox Webinar on PCI DSS - Compliance Best Practices