Problem to Solve – My company has several APM/NPM solutions in our environment. How can we use them to be PCI Compliant?
Contributing Author – Robert Wright, Network Engineer with 15+ years of experience
Is that credit card data in your payload, or are you just happy to steal my identity?
Our Journey into the PCI DSS 3.0 Wild Fire
If you have been watching the news in the past several months, you are likely aware of several wildfires, some organic, others electronic and financial. One blackens the earth in the western United States, while the other incinerates consumer trust for several prominent retailers across the globe. Are you able to utilize and understand your APM/NPM tool set and how it can complement your existing PCI DSS 3.0 strategy? Did you know that your NPM/APM solutions can assist with keeping you PCI compliant?
As a result of the numerous retailers being hit by complex cyber-attacks, many of us have asked ourselves, “Will this happen to my company?” Some of you will seek shelter under a proverbial fire shelter of ignorance, while others will seek out tools and tiger teams to fight this fire head-on. Luckily for this engagement, we have a standard with which to combat this threat: the Payment Card Industry Data Security Standard (PCI DSS).
I proudly announce a series dedicated to combating the digital variant of this fire storm by utilizing PCI. As this blog is focused on solving problems with an enterprise APM/NPM solutions mindset, we will be attacking the problem in that very manner. Due to the scale and scope of PCI, we will be breaking the series up into several posts. As we are all on various planes of knowledge as it pertains to PCI, I will use each article to build the reader's knowledge of this complex standard.
The Agenda for the PCI Series
- Forest – “I must comply with PCI. Can I run APM/NPM tools inside my business?”
  - Tree – Solving Problems in your CDE (Cardholder Data Environment)
  - Direct Link to Article – https://problemsolverblog.czekaj.org/troubleshooting/npm-apm-pci-dss-world/
- Forest – “Build and Maintain a Secure Network and Systems – If a PCI Tree Falls in the Forest, Are You Non-Compliant?”
  - Tree – Install and maintain a firewall configuration to protect cardholder data
  - Tree – Do not use vendor-supplied defaults for system passwords and other security parameters
  - Direct Link to Article – https://problemsolverblog.czekaj.org/troubleshooting/article-2-pci-dss/
- Forest – “Only You … Can Protect Cardholder Data!”
  - Tree – Protect stored cardholder data
  - Tree – Encrypt transmission of cardholder data across open, public networks
  - Direct Link to Article – https://problemsolverblog.czekaj.org/application-triage/pci-3/
- Forest – “Monitor the PCI Monitor – Maintain a Vulnerability Management Program”
  - Tree – Protect all systems against malware and regularly update anti-virus software or programs
  - Tree – Develop and maintain secure systems and applications
  - Direct Link to Article – https://problemsolverblog.czekaj.org/application-triage/pci-4/
- Forest – “Restrict access to cardholder data by business need to know”
  - Tree – Identify and authenticate access to system components
  - Tree – Restrict physical access to cardholder data
  - Direct Link to Article – https://problemsolverblog.czekaj.org/troubleshooting/fire-almost-pci-5/
- Forest – “Regularly Monitor and Test Networks”
  - Tree – Track and monitor all access to network resources and cardholder data
  - Tree – Regularly test security systems and processes
  - Direct Link to Article – https://problemsolverblog.czekaj.org/aggregation-switch/pci-test/
As we visit each forest, I will point out key locations where we can utilize our enterprise toolsets to promote PCI compliance. Each article is meant to arm you with another tool set to prepare a fire line between you and the recent rash of outbreaks. If you find a particular article which strikes home, PLEASE add your comments below, as each of these blog entries takes a considerable amount of personal time. I enjoy writing them, but I also would love the feedback on how this topic relates to your PCI environment.
Ultimate Disclaimer
At this time my inner armchair lawyer forces me to point out that this article is my own opinion, and liability is limited to the price you paid to read it. So with that, let’s start the show!
Concerning PCI compliance, all boxes that touch the network that carries cardholder data are subject to vulnerability scanning on a regular basis by an authorized PCI scanning vendor. The frequency is determined by the transaction volume, and the highest level requires quarterly scans. The cost can be one hundred dollars per IP address. For this reason, it is prudent to segregate and limit the network scope that handles PCI data. Each vulnerability found by the scan vendor must be documented and then remediated by the customer within a pre-determined period of time (thirty to ninety days). Again, it is best practice to limit the PCI network scope, as the remediation tasks can become very labor intensive and expensive.