Establishment of IT Controls for PCI Compliance

In recent years, cardholder data breaches have seriously harmed company reputations and damaged consumer trust and confidence. To address these issues, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International established the Payment Card Industry (PCI) Security Standards Council to develop and administer the PCI Data Security Standard (DSS) and its supporting programs. The overriding goal of the PCI DSS is to ensure the security and integrity of cardholder data and so uphold consumer confidence in card payments. The Council released version 1.1 of the PCI DSS in September 2006 and version 2.0 in October 2010; this version of the TIBCO LogLogic® Compliance Suite - PCI Edition supports version 2.0 of the PCI DSS.

The intent of the standard is to set compliance requirements that dictate how cardholder data must be protected in any environment that stores, processes or transmits it. Merchants and service providers that do not comply with the standard face the prospect of substantial fines, or of being permanently barred from the card acceptance programs, should a security breach occur that involves their systems or processes. PCI compliance applies to any organization that stores, processes or transmits cardholder data, and consequently affects brick-and-mortar and online merchants as well as many banks, processors and service providers.

Note that the PCI DSS requirements apply to all Members, merchants and service providers that store, process or transmit cardholder data. The requirements also apply to all “system components”, defined as any network component, server or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, VPNs and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy and NTP servers. Applications include all purchased and custom applications, both internally used and external-facing.

Log files from corporate firewalls, VPN concentrators, web proxies, IDS systems, email servers, operating systems, enterprise applications and backup systems are critical infrastructure data: they provide valuable insight into risks, IT performance and the use of corporate assets. However, these logs are often not readily available or accessible when corporations need them most: during compliance audits, during security incident response, or when responding to information requests from legal, human resources and other business units. Achieving compliance requires the ability to access, search and organize this data in real time, quickly and cost-effectively.

Today, tens of thousands of log messages are produced by enterprise systems, applications and network devices every day. In many Fortune 1000 enterprises, these messages add up to multiple terabytes of data per month. At these rates, it is not humanly possible to extract the necessary information from logs using homegrown scripts or manual processes. For example, to satisfy PCI compliance you must not only ensure that appropriate IT controls are in place, you must also provide independent auditors with evidence that the controls are functioning and with the documented results of testing procedures. Producing that evidence could take days using scripts and manual processes, a luxury and expense that you cannot afford.
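To make concrete what "evidence of functioning controls" drawn from logs looks like, here is an added example (not part of the original page and not TIBCO LogLogic code) that parses a handful of constructed syslog-style records from a firewall, a VPN concentrator and an authentication server, then produces two checks an assessor typically asks for: whether the account lockout rule (no more than six failed login attempts) is actually being enforced, and whether every in-scope system component produced any log records during the daily review window. The log format, host names and field names are assumptions chosen for the illustration; a real deployment would normalize each vendor's format first.

```python
"""Added example: automated control-evidence checks over sample log lines.

Two pieces of evidence are produced from the parsed records:
  1. lockout_evidence  - users who logged in successfully after a run of more
                         than max_failures consecutive failed attempts, which
                         means the lockout control did not fire.
  2. coverage_evidence - in-scope hosts that sent no log records on a given
                         day, a gap the daily log review must explain.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not captured from any real system).
SAMPLE_LOGS = """\
2013-05-01T09:12:01Z fw01 kernel: action=DROP src=203.0.113.9 dst=10.1.2.3 proto=TCP dpt=1433
2013-05-01T09:12:05Z vpn01 vpnd: user=alice login=success src=198.51.100.7
2013-05-01T09:13:10Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:12Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:14Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:16Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:18Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:20Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:22Z auth01 sshd: user=bob login=failed src=10.1.9.4
2013-05-01T09:13:30Z auth01 sshd: user=bob login=success src=10.1.9.4
2013-05-01T09:20:00Z auth01 sshd: user=carol login=failed src=10.1.9.8
2013-05-01T09:20:30Z auth01 sshd: user=carol login=success src=10.1.9.8
2013-05-02T00:05:00Z fw01 kernel: action=ACCEPT src=10.1.2.3 dst=10.1.5.5 proto=TCP dpt=443
"""

# Assumed record layout: "<ISO-8601 timestamp> <host> <program>: key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^:\s]+):\s+(?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn raw lines into dicts with a parsed timestamp plus key=value fields.
    Lines that do not match are returned separately rather than dropped, so a
    parsing gap cannot masquerade as a clean result."""
    events, rejects = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejects.append(line)
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
              "host": m["host"], "prog": m["prog"]}
        ev.update(KV_RE.findall(m["msg"]))
        events.append(ev)
    return events, rejects


def lockout_evidence(events, max_failures=6):
    """Track each user's run of consecutive failed logins in time order.
    A success arriving after a run longer than max_failures shows the lockout
    control was not enforced; return {user: longest such run}."""
    streak = defaultdict(int)
    violations = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, result = ev.get("user"), ev.get("login")
        if user is None or result is None:
            continue  # not an authentication record
        if result == "failed":
            streak[user] += 1
        elif result == "success":
            if streak[user] > max_failures:
                violations[user] = max(violations.get(user, 0), streak[user])
            streak[user] = 0
    return violations


def coverage_evidence(events, in_scope_hosts, day):
    """Return the in-scope hosts (sorted) that produced no records on the
    calendar day given as 'YYYY-MM-DD'."""
    window_start = datetime.strptime(day, "%Y-%m-%d")
    window_end = window_start + timedelta(days=1)
    seen = {e["host"] for e in events if window_start <= e["ts"] < window_end}
    return sorted(set(in_scope_hosts) - seen)


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS)
    in_scope = ["fw01", "vpn01", "auth01", "db01"]  # assumed CDE inventory
    print("unparsed lines:", len(bad))
    print("lockout not enforced for:", lockout_evidence(evs))
    print("no logs on 2013-05-01 from:", coverage_evidence(evs, in_scope, "2013-05-01"))
```

Run as-is, the script reports that bob's seventh consecutive failure was followed by a successful login (the lockout control did not engage) and that db01, although in scope, sent nothing on the review day. Both findings are exactly the kind of item that either becomes an auditor exception or must be annotated in the review record; the point of the page's argument is that doing this by hand across terabytes of logs and hundreds of sources does not scale, not that the individual check is complicated.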