PCI 2.0 Requirements Addressed By Bradford’s Network Sentry™

Introduction

Numerous high-profile security breaches in the retail and payment card processing industries drove the development of the Payment Card Industry Data Security Standard (PCI DSS), a mandatory standard that is having a significant impact upon all retailers and credit card processors. This paper describes the role played by Bradford Networks’ adaptive security platform, and Network Sentry product family, in helping to meet the requirements of PCI DSS, and to secure networks more effectively.

What is the Payment Card Industry Data Security Standard?

Requirements that were formerly part of the VISA CISP and Mastercard CDP programs were incorporated in 2004 into a new industry standard known as the Payment Card Industry Data Security Standard (PCI DSS). All major credit card issuers support this standard, which creates a set of common industry security requirements. Entities that store, process or transmit cardholder data must comply with the PCI DSS, and it affects every organization in the credit card payment chain. These include not only the payment card brands but acquiring banks, retail organizations, and service providers as well. Even healthcare organizations, colleges and universities must comply with PCI DSS if they accept credit cards for any product or service.

The impact of non-compliance with PCI DSS has been most glaringly apparent in the retail industry, where high-profile security breaches have occurred at several well-known retail companies. Retailers and other organizations that process credit card transactions are wise to consider not only what is required to comply with PCI DSS today, but also other best practices and controls to prevent new security threats from breaching their networks in the future. The PCI Security Standards Council responds quickly by updating the PCI standard when security threats emerge and controls change, but vulnerabilities and threats are moving faster.

The Costs of Non-Compliance

PCI DSS compliance is enforced by the individual payment card brands. Each card-brand promotion program requires compliance to protect the brand’s image and reputation. For example, VISA’s PCI Compliance Acceleration Program provides incentives for financial institutions that demonstrate compliance, and levies significant fines for non-compliance. Acquiring banks may be subject to fines of $5,000-$25,000 per month for each of their Level 1 and Level 2 merchants who are not in compliance. VISA has levied millions of dollars in fines under this program.

Fines from the payment card brands may be the least of the problems faced by organizations with security breaches. Non-compliance can damage the company’s own brand or image and create significant financial liabilities. Embarrassing publicity that raises public awareness of a security breach often has a negative impact on business and decreases goodwill.

Companies from service providers to retailers also risk losing customers if they are not compliant. PCI DSS requires merchants to do business only with service providers that adhere to the standard and these merchants could be forced to switch service providers if their database is compromised. In extreme circumstances, merchants that do not comply with PCI could lose the ability to process cardholder data altogether.

How Bradford’s Network Sentry Helps Organizations Achieve Compliance with PCI DSS

The PCI DSS requires organizations in the payment processing chain to secure both their networks and the systems on which cardholder data is processed or stored. Bradford’s Network Sentry secures internal networks by ensuring the health and identity of devices connected to them, and provides network-wide visibility and tracking of every user, every endpoint device, and every network connection. Bradford solutions address network access and control issues that cannot be addressed by legacy firewalls and host-based identity and access management solutions.

Bradford’s Network Sentry enables PCI DSS compliance by automating enforcement of strict access control policies to ensure that users and devices attaching to networks are authorized to do so, and that they meet specific security policy requirements. Network Sentry provides detailed logging and reporting functionality — including PCI-specific reporting templates — for full visibility of network activity. Logs and reports can be used in the process of PCI audits to demonstrate compliance. In all, Network Sentry helps to address 9 of the 12 PCI requirements.

Network Sentry is an out-of-band security platform that leverages an organization’s existing network infrastructure to enforce security policies. Leading analysts characterize out-of-band implementations as the most secure, most scalable, most flexible, and most cost-effective solutions for automating network access control.