PCI DSS 3.0 Compliance

Using TierPoint’s Cloud & Managed Security Services

By Steve Sims, Sales Engineer, TierPoint Spokane

In a recent poll conducted by American Consumer Credit Counseling (ACCC), 64% of consumers said they do not trust retailers with their credit card information. From 2012 to 2013, data breaches rose by 30%, and the number continues to grow. In 2014 alone, we have seen 644 breaches and 78 million records exposed, another increase of 26% across multiple industries. To help combat this, the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was released this year, with a compliance deadline of January 1st, 2015.

These requirements comprise “a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations.” But doing only the status quo to meet these minimum requirements may not be enough to avoid a breach of your networks and your customers’ data. The list below shows the 3.0 requirements and how you can enhance your security posture today by using TierPoint’s compliance expertise and services.

So how can TierPoint help with your PCI DSS 3.0 compliance?

The following items are the 12 core compliance requirements set forth by the PCI DSS. By promoting these practices within your organization, you can ensure a more secure environment. TierPoint can help by providing comprehensive, customizable solutions to achieve and maintain compliance on your networks.

INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA
Fortinet’s world-class Next Generation Firewalls (NGFW) provide you with the ability to combat Advanced Persistent Threats (APT) using network antivirus, IDS/IPS, botnet protection, DOS protection, and more …

DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS
Our CleanIP Managed Security service puts the responsibility for this in the hands of our certified, experienced security analysts.  With the help of both Fortinet and Alert Logic Threat Manager, we can help ensure the health and compliance of your infrastructure.

PROTECT STORED CARDHOLDER DATA
Data Leak Protection helps ensure that you can track and block the exfiltration of private information and, with our CleanIP Advanced MSS, can be controlled based on SSNs, credit card numbers and other customizable information. We can even monitor and block secure channel communications such as SSL and SSH.

ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS
IPSec and SSL VPN can handle remote connectivity and transmission of your cardholder information.  Within the TierPoint cloud, CloudLink provides storage or VM encryption for storing your customer information.  Even better, you hold the encryption key … meaning even TierPoint can’t access this data.

PROTECT ALL SYSTEMS AGAINST MALWARE AND REGULARLY UPDATE ANTI-VIRUS SOFTWARE OR PROGRAMS
Network antivirus and IDS/IPS provided by the Fortinet FortiGate NGFW protect your perimeter, while Alert Logic’s Web Security Manager and Threat Manager with ActiveWatch provide 24×7 network threat detection.

DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS
TierPoint relies on the expertise of multiple vendor partners to provide Web Application Firewalling so that your web applications remain secure and protected. With the managed security offering by Alert Logic, your WAF can be tuned and managed by GIAC-certified security experts in the field.

RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW
Dedicated firewalls and VLANs provide network isolation for your environment, allowing you to define access to the cardholder environment.

IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS
Two-factor authentication is provided with Fortinet’s FortiAuthenticator and FortiTokens to verify that all access is secure and authorized.  Our security experts will engineer a solution to best fit your needs and maintain the integrity of your environment.

RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA
TierPoint data centers are SSAE 16 SOC I and SOC II Type 1 and 2 audited facilities and provide state-of-the-art physical security with 24×7 monitoring and badge and biometric access. TierPoint facilities meet the more stringent requirements of the Federal Government’s FISMA standard for Physical and Environmental controls, including dedicated security staff on premises.

TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA
Multiple monitoring and tracking options are available, including Alert Logic Log Manager, which provides remote security log analysis to assist in validating network activity.

REGULARLY TEST SECURITY SYSTEMS AND PROCESSES
Alert Logic Threat Manager with ActiveWatch provides 24×7 management of internal and external network threats. Integrated intrusion detection and certified PCI ASV vulnerability scanning capabilities provide essential elements to address the requirements of PCI DSS.

MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY FOR ALL PERSONNEL
The responsibility for your security policy remains in your hands, but with the peace of mind that you’re protected by TierPoint’s wide range of managed security services, your policy is easier to develop and maintain than ever!

TierPoint can help you meet your PCI DSS 3.0 compliance requirements using our comprehensive managed security services and our Public, Private, or Hybrid cloud offerings. Working with top industry partners such as Fortinet, Alert Logic, VMware, and CloudLink, we can work together to improve your security posture both on premises and in the cloud.

For more information, see our Compliance page at tierpoint.com.