PCI Requirements Mapping White Paper

WatchGuard Technologies www.watchguard.com

PCI Requirements Mapping

WatchGuard XCS Secure Content & Threat Management

July 2010

Executive Summary

In a business environment where daily media reports of consumer data loss are on the rise and PCI compliance audits are placing increasing pressure on organizations to implement tools and strategies for data loss prevention, businesses can no longer afford to ignore data security. According to The Ponemon Institute, the cost of a single consumer data loss incident has risen in the past year, averaging roughly $6.6 million in regulatory fines and incremental expenses such as mitigation and remediation, not to mention possible negative publicity that can put a company’s brand and reputation at risk.

Any organization that accepts payment by credit card for goods or services rendered or transmits confidential consumer data or financial records needs to focus on developing strategies for comprehensive data loss prevention and compliance to:

Pass PCI audits and ensure ongoing compliance

Protect against brand erosion and keep customer confidence at its peak

Avoid costly fines for non-compliance in the case of a data loss event

With the proliferation of business communications and transactions conducted via common channels such as email and web, as well as the popularity and business uses of social networks, wikis, blogs, portals, web-based mail and other content exchanges and postings, confidential consumer and company data loss is a key issue. Many organizations are susceptible to sophisticated spyware methods penetrating their networks, or to employees intentionally or accidentally leaking content over the Internet, which may cause financial and HR liabilities, confidentiality breaches, non-compliance, privacy issues, and other risks. In fact, according to Insight Express (September 2008), seven of ten IT professionals said employee access of unauthorized applications and websites resulted in 50% of companies’ data loss incidents.


Whether data loss is accidental or malicious, organizations need to gain insight into the magnitude of their data loss problem, identify security gaps, and develop a proactive approach to stop data loss before it happens, to protect the privacy of their confidential consumer and company data.

What is PCI?

In June, 2001, Visa USA instituted the Cardholder Information Security Program (CISP). CISP is intended to protect Visa cardholder data wherever it is stored, processed, or transmitted, ensuring that all entities in the cardholder processing chain maintain the highest level of information security standards to protect cardholder data. In 2004, the CISP requirements were incorporated into an industry standard known as Payment Card Industry Data Security Standard (PCI DSS 1.0), which now includes the collaboration between Visa, MasterCard, American Express, Discover Financial Services, and JCB International to create common industry security requirements. Entities that store, process, or transmit cardholder data must be in compliance with PCI DSS. PCI DSS affects any organization in the credit card payment chain, including the payment card brands, acquiring banks, retail organizations, and service providers.

PCI DSS is an evolving standard. In September, 2006 the PCI Security Standards Council revised the PCI Data Security Standard, issuing version 1.1. Version 1.2 of the standard was introduced on October 1, 2008, and version 1.2.1 was released in July 2009.

Core PCI Principles & Requirements

The core of PCI DSS is a group of principles and accompanying requirements around which the specific elements of the DSS are organized.


Goal                                       PCI DSS Requirements
Build and Maintain a Secure Network        Requirement 1: Install and maintain a firewall configuration to protect cardholder data
                                           Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data                    Requirement 3: Protect stored cardholder data
                                           Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management        Requirement 5: Use and regularly update anti-virus software or programs
Program                                    Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control            Requirement 7: Restrict access to cardholder data by business need-to-know
Measures                                   Requirement 8: Assign a unique ID to each person with computer access
                                           Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks        Requirement 10: Track and monitor all access to network resources and cardholder data
                                           Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy    Requirement 12: Maintain a policy that addresses information security for employees and contractors

This mapping white paper reflects the new provisions in version 1.2.1 of the PCI standard that were introduced in July 2009.

The Costs of Non-Compliance

PCI mandates that companies provide a secure transmission medium for sensitive cardholder information and maintain a vulnerability management program. PCI DSS compliance is enforced by the individual payment card brands. Each card brand has its own program to promote and require compliance. In the case of Visa, for example, its PCI Compliance Acceleration Program, announced in December 2006, provides incentives for acquiring financial institutions that can demonstrate compliance and levies significant fines for non-compliance. Acquiring banks may be subject to fines of $5,000 to $25,000 per month for each of their Level 1 and 2 merchants who are not in compliance.

Calculating the costs of PCI DSS non-compliance goes well beyond the dollar amount associated with fines directly, which can reach up to $500,000 per incident. There can be operational constraints that result from non-compliance, such as loss of card processing privileges or procedural restrictions imposed by the credit card company. A security breach could also open up your business to a federal investigation and may result in significant brand damage and hefty financial settlements. And, most importantly, the biggest cost of non-compliance in the event of a security breach is lost business that accompanies lack of faith among consumers that their data is secure. Additionally, those service providers providing IT services to the retail industry may lose their retail customers, because PCI DSS requires that merchants only do business with service providers that adhere to PCI DSS. Therefore, merchants could be forced to switch service providers in the event of a compromise. In extreme circumstances, non-compliance with PCI could result in the loss of ability to process cardholder data altogether.

A few of the most extreme examples of penalties for non-compliance involved TJX, CardSystems, Hannaford Brothers grocery store chain, and Heartland Payment Systems.


TJX and CardSystems

In 2005, TJX and CardSystems suffered a breach of 40 million credit cards. As a result, Visa USA and American Express terminated their access to their respective networks for failure to comply with their data-security standard, and the resulting database breach. CardSystems was also hit with a class action lawsuit for failing to alert victims of the breach in a timely manner. TJX experienced a security breach in January, 2006 involving millions of cardholder records. At the time of the security breach, TJX was not in compliance with PCI DSS. TJX has offered $40.9 million to Visa Card issuers who were affected by the massive data loss.

Hannaford Brothers Grocery Store Chain

In March 2008, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by hackers. More than 1,800 credit card numbers were immediately used for fraudulent transactions. The affected banks and credit unions were forced to reissue the credit and debit cards. Within two days of the breach announcement, two class action suits had been filed on behalf of customers against the retailer. The case remains open and forensic results of the investigation are still underway.

Heartland Payment Systems

The Heartland Payment Systems data breach was the first major information security incident of 2009. On January 20th, Heartland, the sixth-largest payments processor in the USA, revealed that its processing systems were breached in 2008, exposing upwards of 130 million consumers to potential fraud. With more than 650 financial institutions impacted, the highly publicized breach has already cost the company $12.5 million in legal fees and fines imposed by MasterCard. The $12.5 million Heartland has spent so far as a result of the network breach may be only the beginning of the costs incurred by the payments processor. A number of class action lawsuits by consumers and financial institutions impacted by the breach have yet to be settled in court.

How WatchGuard Helps Organizations Achieve PCI DSS Compliance

The Payment Card Industry security standards require organizations in the payment processing chain to undertake security measures that will secure networks from the outside-in, and that will prevent data loss of cardholder information, which often occurs via unsecured email. WatchGuard solutions help organizations to comply with the PCI DSS in numerous ways.

The WatchGuard extensible content security (XCS) family of appliances is a consolidated messaging security solution for email and web. It automates the process of securing sensitive traffic leaving the organization. It supports email and web communications and takes the responsibility for securing communications out of the hands of end users.

Comprehensive email and web security are critical for PCI compliance. Any loss of cardholder data, or any compromised system containing cardholder data, may render an organization non-PCI compliant with potentially significant consequences. In addition, blended threats today pose a serious challenge to the integrity of data security. These threats, which combine multiple threat vectors such as email and web, require sophisticated defenses. WatchGuard XCS solutions effectively address these areas of concern.

PCI Compliance Made Easy with WatchGuard XCS

WatchGuard XCS Overview

WatchGuard XCS is a consolidated secure content and threat management platform. On it, WatchGuard has built its family of appliances with components that have the ability to:

Secure inbound email traffic

Secure and encrypt outbound email traffic

Block spam


Prevent data leakage

Secure inbound and outbound web traffic

Customers can choose the solution that best fits their needs, selecting components that match the organization’s specific business requirements and number of users.

Blocking Spam and Dangerous Email

Email messages are processed and inspected before they enter or leave an organization to ensure compliance with corporate policy and regulatory requirements. WatchGuard XCS provides numerous features aimed at detecting unwanted email messages. These include a blocked senders list and the WatchGuard ReputationAuthority, which is a global monitoring and protection system. It aggregates sender reputation information from more than 8,000 WatchGuard customer systems in 65 countries that collaborate and proactively gather detailed data about attacks. This is supplemented by industry standard data to provide highly accurate identification of senders of spam and other malware from over half a billion sources.

Data Loss Prevention and Remediation

It is well documented how compliance violations, unauthorized data losses, and privacy leaks cost organizations time and money. With WatchGuard XCS, your organization can protect against data-in-motion losses and leaks, which account for nearly 83% of the risk. Data loss prevention is integrated into WatchGuard XCS appliances for inspection, discovery, and remediation of outbound content and messaging. The result is an automatic, instant-on solution that can block, quarantine, allow, encrypt, or reroute content.

WatchGuard XCS eliminates human error in determining when messages must be protected. It ensures adoption through automation, with a zero-footprint, clientless approach. It is positioned on the corporate network in front of the corporate email server(s). Messages are forwarded from the email system to the WatchGuard platform for inspection and processing before leaving the organizational boundary. When specified data patterns or filtering rules are triggered, identified messages can be automatically encrypted, blocked, or quarantined, without user intervention.

WatchGuard XCS includes several compliance dictionaries to assist with adherence to industry regulation mandates such as PCI, including commonly encountered cardholder data patterns. Filters can be customized and configured to trigger actions based on message attributes such as recipient, sender, or subject. The policies are highly flexible, allowing the organization to weight certain words and to create specific policies with thresholds that, when exceeded, trigger a variety of actions. In addition, policies can be tied to groups of users. For example, a policy can be created that dictates that no Excel attachments can be sent out of the organization, except by Finance users. When a Finance user sends an Excel file, it will automatically be encrypted if it contains sensitive information such as social security numbers or cardholder information.


Email Encryption

WatchGuard Email Encryption is tightly integrated into the WatchGuard XCS appliance to enable instant-on security for confidential, PCI-regulated, and business-prudent data. Email encryption provides an easy-to-use, secured Envelope for enterprises that do not want the burden and costs associated with traditional encryption deployments and administration, but still require message security for privacy and compliance. Business-class features include secure replying and forwarding, so that the message and its content remain confidential throughout an ongoing exchange, and the ability to fully customize the branding of every element of the email encryption experience to promote your corporate brand and reinforce trust and goodwill with recipients. The encrypted Envelope does not use clients or certificates, so it does not require a pre-exchange of credentials. It is agnostic to the email and OS environment, allowing the secured message to be sent to any email recipient at any time. It can be securely delivered to mobile devices like the BlackBerry, and it encrypts the entire payload, including attachments. Email encryption is a valuable tool for protecting PCI data, credit card numbers, account numbers, pass codes, and other regulated data.

At a high level, the process flow for the WatchGuard XCS encryption function is as follows.

Comprehensive Protection of Email & Web to Eliminate Security Gaps

When considering the various mediums for data-in-motion leakage, it is vital to consider that today’s employees have instant access to the Web, which opens up an additional medium through which confidential consumer data can escape. These browser-based applications include webmail systems such as Hotmail, wikis, blogs, and messages and files sent via email to unlimited, unknown, and mostly unrestricted recipients. This highlights the risk of treating consumer data loss prevention as a silo rather than as a consolidated platform: policies end up scattered across various places in the network instead of a single location, creating security and administration gaps. The gap widens further when email and web are scanned by disparate systems, and when data loss prevention activities and violations must be reported across multiple protocols and technical silos.


Beyond providing email security for inbound and outbound communications, WatchGuard XCS provides capabilities to inspect inbound and outbound web traffic, and to perform the same sort of content analysis using lexicons as is used on email. This allows the network administrator to detect sensitive information, including cardholder data that is being communicated using HTTP and instant messaging protocols.

In addition, attachment control allows the organization to block specific file types, to scan the contents of attachments in real time, and to reject or log connections based upon triggers. WatchGuard XCS also blocks spyware and keylogger back-channel communications from reaching host servers by monitoring and blocking traffic at the packet level, thereby adding an additional layer of protection against threats to sensitive cardholder information.

Combining threat protection for email and web communications is critical today, as many of the new attacks are blended threats leveraging multiple threat vectors. It is very common for incoming email messages to contain links to websites that attempt to install malicious code on the user’s system. Only a consolidated email and web security solution with protection for multiple threat vectors like the WatchGuard XCS is capable of detecting and preventing these attacks. In addition, by providing security and content scanning across email and web communications, WatchGuard XCS ensures that cardholder data that is being sent outside of the corporate network is either blocked or encrypted, using a single administrative access point for creating, managing, and enforcing policies for protecting your organization from consumer data loss in a transparent process.

Content and Contextual Analysis

With WatchGuard XCS, deep content inspection is performed for email and web traffic using a content and contextual methodology. The system scans all email and web traffic, including files and attachments, in an effort to discover violations, but it goes further by also inspecting the context of the traffic. Inspection of context enables WatchGuard to inspect who is sending the content and where or to whom the content is being sent, which is vital in determining whether the content is a violation of corporate policies or PCI regulations, as well as the proper remediation tactic to employ. For example, if the CFO is emailing an attachment that contains sensitive financial data to the company’s auditors, that context is vital because the proper policy and remediation would be to log it for reporting and then encrypt the email, including the attachment, for delivery to the auditor.

Without context, a typical data loss prevention system would easily block or quarantine an important communication, thus impeding business processes. The opposite scenario can also be true: if, by policy, an employee in customer service is sending the same document to an unknown or unauthorized recipient, the communication should be blocked or quarantined to prevent the leaking of consumer or other confidential information.
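The policy mechanics described in the two sections above (a weighted compliance dictionary with a threshold, cardholder and social security number patterns, an attachment-type rule with a Finance exception, and sender/recipient context choosing between encrypt, quarantine and block) as an added Python example; this is not WatchGuard XCS code or configuration, and every group, domain, term weight and threshold below is a constructed assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed policy data for this example (not XCS syntax).
INTERNAL_DOMAIN = "example.com"
TRUSTED_PARTNERS = {"auditors.example.org"}     # approved external recipients
AUTHORIZED_GROUPS = {"finance", "executive"}    # may send regulated data outside
GROUPS = {
    "cfo@example.com": "executive",
    "payables@example.com": "finance",
    "help@example.com": "customerservice",
}

# "Compliance dictionary": weighted terms; the policy fires once the sum of
# weights of the terms present reaches the threshold.
PCI_DICTIONARY = {"card number": 3, "cvv": 4, "expiry": 2, "cardholder": 2}
PCI_THRESHOLD = 5

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops digit runs (order ids, phone numbers) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def dictionary_score(text: str) -> int:
    lower = text.lower()
    return sum(w for term, w in PCI_DICTIONARY.items() if term in lower)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # [(filename, extracted text)]


def is_sensitive(msg: Message) -> bool:
    """Content check: PAN or SSN pattern, or enough weighted dictionary terms."""
    text = "\n".join([msg.subject, msg.body] + [t for _, t in msg.attachments])
    return (bool(find_pans(text)) or bool(SSN_RE.search(text))
            or dictionary_score(text) >= PCI_THRESHOLD)


def evaluate(msg: Message) -> str:
    """Decide allow / encrypt / quarantine / block for one outbound message."""
    group = GROUPS.get(msg.sender.lower(), "staff")
    rcpt_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if rcpt_domain == INTERNAL_DOMAIN:
        return "allow"                       # never leaves the organization
    has_excel = any(n.lower().endswith((".xls", ".xlsx")) for n, _ in msg.attachments)
    if has_excel and group != "finance":
        return "block"                       # attachment-type rule with a group exception
    if is_sensitive(msg):
        # Context decides the remediation: who is sending, and to whom.
        if group in AUTHORIZED_GROUPS:
            return "encrypt"                 # e.g. the CFO's file to the auditors
        if rcpt_domain in TRUSTED_PARTNERS:
            return "quarantine"              # hold for review rather than silently drop
        return "block"                       # unknown or unauthorized recipient
    return "allow"
```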


WatchGuard XCS and PCI DSS Requirement Compliance Details

This section maps specific PCI requirements and describes how WatchGuard XCS satisfies these specifications. In some cases, PCI requirements cannot be addressed by technology or by a security product. Requirements not addressed by the WatchGuard XCS product are excluded from the mapping below.

PCI DSS Requirement 1:

All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ email access.

While many of the provisions of Requirement 1 are more appropriately addressed by an organization’s network security firewall solution, the general requirement above specifically refers to email. Email and web traffic are both threat vectors through which agents external to the organization can potentially gain access to internal systems, through viruses, worms, and phishing attacks. WatchGuard XCS provides comprehensive protection for these traffic types, for both inbound and outbound communications. With a full suite of security capabilities including reputation services, anti-virus, anti-spam, anti-malware, and policy-based encryption for email, WatchGuard XCS delivers numerous mechanisms to secure an organization’s email.

PCI DSS Requirement 2:

Do not use vendor-supplied defaults for system passwords and other security parameters.

All WatchGuard solutions are delivered with all ports and services disabled by default. This reduces risk associated with vendor-supplied configurations and defaults. Some services, when enabled, have editable default values. An editable community string is provided for Simple Network Management Protocol (SNMP). A default administrator account exists with the WatchGuard XCS appliance, but the name of the account can be changed. The default administrative password must be changed upon system initialization to ensure that the default password is never used.

PCI DSS Requirement 2.3:

Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

For security purposes, there is no console-based access to the system. Services such as Telnet and SSH have been disabled to prevent remote access from unauthorized sources. All administrative access is performed through a web-browser interface, which supports HTTP and HTTPS access. For optimal security, the platform can be set up to force the use of HTTPS for all administrative access.


PCI DSS Requirement 3.1:

Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

Messages containing sensitive data are encrypted before leaving the perimeter of the organization. Unencrypted content is not stored on the server.

PCI DSS Requirement 3.4:

Render PAN (Primary Account Number), at a minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

Strong one-way hash functions (hashed indexes)

Truncation

Index tokens and pads (pads must be securely stored)

Strong cryptography with associated key management processes and procedures

The MINIMUM account information that must be rendered unreadable is the PAN.

The WatchGuard XCS encryption engine can automatically encrypt messages based on predefined rules and data patterns. It comes with a customizable PCI lexicon that specifies known credit card data patterns. WatchGuard XCS can also encrypt all communications to a given destination using TLS. While WatchGuard solutions do not directly address encryption of data at rest, the ability of the XCS to automatically encrypt messages containing cardholder data (including PANs) delivers significant assurance that cardholder data is protected, even after it leaves the confines of the corporate network.
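To make the approaches listed under Requirement 3.4 concrete, here is an added Python example (not WatchGuard's code) that renders a PAN unreadable by truncation, by a keyed one-way hash, and by an index token held in a separate vault, and that redacts PANs from a log line before it is written; the key, vault and sample log line are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Candidate PANs: 13-19 digits with optional single space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(pan: str) -> str:
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not digits.isdigit():
        raise ValueError("not a PAN-shaped value")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep no more than the first six and last four digits."""
    digits = _digits(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA-256) of the full PAN.

    An unkeyed hash is not enough here: given a known issuer prefix and the
    Luhn check, the remaining PAN space is small enough to enumerate and match
    against a stolen table of hashes. The secret key, stored apart from the
    data (the key/mail-flow split the paper describes), removes that shortcut.
    """
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def pan_matches(pan: str, stored_hash: str, key: bytes) -> bool:
    """Compare a presented PAN with a stored keyed hash, never storing the PAN."""
    return hmac.compare_digest(hash_pan(pan, key), stored_hash)


def tokenize_pan(pan: str, vault: dict) -> str:
    """Index token: a random stand-in for the PAN; only the separately
    secured vault knows the token-to-PAN mapping."""
    token = secrets.token_hex(8)
    vault[token] = _digits(pan)
    return token


def redact_for_log(line: str, key: bytes) -> str:
    """Replace every candidate PAN in a log line with its truncated form plus
    a short keyed-hash reference, so incidents stay correlatable without
    ever writing the full PAN to the log."""
    def _sub(m):
        pan = m.group()
        return f"{truncate_pan(pan)}[ref:{hash_pan(pan, key)[:12]}]"
    return PAN_RE.sub(_sub, line)
```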

PCI DSS Requirement 3.5:

Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.

The security of the operating system underlying the WatchGuard XCS appliance is based on S-Core™, an EAL 4+ certified, hardened operating system, and includes only software and services essential to performing its core functions. It was assessed and certified by the Common Criteria Group and awarded an Evaluation Assurance Level 4+ (EAL4+) rating, and sustained an EAL5 vulnerability assessment. Only services necessary for the product functionality are permitted to run. It is in this environment that encryption keys are managed. The underlying key protection scheme is designed to split the key storage from the mail flow to increase the difficulty of using technical means to break the system. Even with the key, one would need to find the matching mail message, and a new key is generated for each message.

PCI DSS Requirement 4.1:

Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Strong cryptographic techniques are used, including support for 256-bit keys for both ARC4 and AES. Link encryption functionality is delivered using TLS, to automatically encrypt all communications between business partners.


PCI DSS Requirement 4.2:

Never send unencrypted PANs (Primary Account Numbers) by end user messaging technologies.

This is one of the primary functions of the WatchGuard XCS. Supporting information about how this PCI requirement is supported is contained primarily under PCI Requirement 3, above. In addition, for certain applications such as site-to-site mail server communications, WatchGuard XCS can be configured to force the use of TLS security between specific mail servers.

PCI DSS Requirement 5.1:

Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers).

Both Kaspersky and McAfee anti-virus products are supported by the WatchGuard XCS appliances. The platform runs both Kaspersky and McAfee AV engines simultaneously to provide defense in depth, providing malicious content protection. Inbound and outbound messages are scanned for viruses. In addition to onboard anti-virus, the XCS provides early virus protection through its Threat Outbreak Response service. WatchGuard Threat Outbreak Response closes the window of vulnerability that occurs between when an attack first emerges and when the scanning filters are updated. By integrating within the WatchGuard XCS platform and the WatchGuard ReputationAuthority to continuously update the system against spam and malware attacks, this service can detect and take action against early virus outbreaks to contain the virus threat before it can compromise a network. Suspicious files that have yet to be identified by a virus pattern can be quarantined before they reach and infect an internal system.

PCI DSS Requirement 5.2:

Ensure that all anti-virus mechanisms are current, and actively running, and capable of generating audit logs.

Anti-virus signatures are checked every 15 minutes for updates, and are automatically updated when new signatures are detected. Both Kaspersky and McAfee anti-virus products of the WatchGuard XCS are capable of generating audit logs. WatchGuard XCS provides the fastest spyware, crimeware, and virus response time on the market, featuring zero-hour protection that is 1 ½ times faster than the next closest technology. The ability to respond quickly and accurately with tested emergency updates is critical to minimize the window of vulnerability, as fast-spreading malware can infect all users in three hours or less.


PCI DSS Requirement 6.3:

Develop software applications in accordance with PCI DSS and based on industry best practices, and incorporate information security throughout the software development life cycle.

The WatchGuard XCS was created using security best practices, and certified to provide Common Criteria Evaluation Assurance Level 4+ (EAL4+) security functionality. To achieve EAL4+ certification, a product must undergo a detailed evaluation and audit of its development processes. WatchGuard XCS’s EAL4+ certification gives confidence to customers that the platform’s security functionality is properly implemented, and will be effective in meeting an organization’s security objectives.

PCI DSS Requirement 6.5:

Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.

WatchGuard XCS provides multiple layers of protection against denial of service attacks. No command-line interface is provided with the WatchGuard XCS, thereby reducing the risk of errors caused by system-level access misconfigurations. All services run under separate accounts to prevent failures on the part of one service from affecting another. Protections against common attacks and vulnerabilities are built into the solution, including (but not limited to) buffer overflows, improper error handling, secure configuration management, and improper storage of sensitive data. Robust controls are provided to detect and prevent malicious inbound email, and source addresses can be blocked permanently or temporarily.

WatchGuard XCS also utilizes WatchGuard ReputationAuthority, an advanced behavioral profiling service, which identifies malicious sites and potentially dangerous systems on the Internet. WatchGuard ReputationAuthority investigates content and volume and tracks threat information for known mail services on the Internet to identify known spammers, virus senders, directory harvesters, and Denial of Service attackers. XCS uses information from WatchGuard ReputationAuthority when deciding whether to accept a connection from an unknown mail source.

Requirement 6: Develop and maintain secure systems and applications

PCI DSS Requirement 7.1:

Limit access to system components and cardholder data to only those individuals whose job requires such access.

Content filters are provided that further restrict access to messages based on the specified message recipient. For example, even if a message is sent to a user, it is possible to prevent a specified user from accessing that message. Additionally, because a passphrase is required to access an encrypted message, the contents of that message are protected in the event that a user’s PC or email account has been compromised.

WatchGuard XCS provides a policy engine that allows the administrator to create policies for individual users, groups, and domains, in addition to default policies. These policies work with the objectionable-content filtering to create customized policies.

PCI DSS Requirement 8.1:

Assign all users a unique ID before allowing them to access system components or cardholder data.

WatchGuard XCS requires unique user identification for email access.

PCI DSS Requirement 8.2:

In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:

- Password or passphrase
- Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)

The following authentication mechanisms are supported:

- “On-box”: Based on the underlying WatchGuard XCS operating system
- LDAP: Integrates with standard authentication mechanisms
- RADIUS: Integrates with standard authentication mechanisms
- SecurID: Two-factor authentication
- Safeword: Two-factor authentication
- CryptoCard: Two-factor authentication

PCI DSS Requirement 8.3:

Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

Multiple methods of two-factor authentication are supported, as described above for requirement 8.2.

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

PCI DSS Requirement 8.4:

Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

System access to the WatchGuard XCS appliance and the encryption service are strictly controlled. Passwords and passphrases for both the appliance and encryption service are immediately hashed using SHA1. The password can only be reset with proper authentication. All administrative access to the WatchGuard XCS is performed using encrypted tunnels, via the HTTPS protocol.

PCI DSS Requirement 8.5:

Ensure proper user authentication and password management for non-consumer users and administrators, on all system components.

Groups can be used for different types of user authentication. For example, administrators can be required to use two-factor authentication, while regular users may use LDAP. Tiered administration is supported to allow granular administration of differing functions by separate groups. For instance, read-only access to log files can be granted to one group and user management to another. There are 13 pre-defined blocks of rights for the most commonly encountered administrative functions. This functionality enables organizations to structure administrative activities based on job function, and allows for segregation of duties for administrative functions.

A standard feature of WatchGuard XCS allows the use of access control lists for administrative access, such that admin access can only occur from specific IP addresses. While many of the PCI DSS 1.2.1 8.5.x requirements relate to password management process issues, WatchGuard XCS provides specific functionality enabling compliance in the following areas:

PCI DSS Requirement 8.5.8:

Do not use group, shared, or generic accounts and passwords.

The WatchGuard XCS platform allows for multiple levels of administrator accounts, with highly granular levels of responsibility for administrators.

PCI DSS Requirement 8.5.11:

Use passwords containing both numeric and alphabetic characters.

The WatchGuard XCS platform administrative security can be set to force strong passwords, consisting of a mix of alphabetic and non-alphabetic characters.

PCI DSS Requirement 8.5.13:

Limit repeated access attempts by locking out the user ID after not more than six attempts.

The WatchGuard XCS platform can lock out administrative access after five invalid administrative access attempts.

PCI DSS Requirement 8.5.14:

Set the lockout duration to a minimum of thirty minutes or until administrator enables the user ID.

The lockout duration after 5 invalid access attempts is 30 minutes.

Requirement 10: Install and maintain a firewall configuration to protect cardholder data. Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

PCI DSS Requirement 10.1:

Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

The WatchGuard XCS platform provides robust logging capabilities, including logging of:

- Sender and recipient
- Source IP/DNS name
- Destination IP/DNS name
- Time message in/out
- Subject line
- Rules applied to the message
- All message processing, including but not limited to anti-spam, anti-virus, and encryption

PCI DSS Requirement 10.2:

Implement automated audit trails for all system components to reconstruct the following events:

Auditing is automated, and logs can be used to reconstruct events.

PCI DSS Requirement 10.2.2:

All actions taken by any individual with root or administrative privileges.

All administrative access and actions taken by administrators are logged.

PCI DSS Requirement 10.2.3:

Access to all audit trails.

All administrative access and actions taken by administrators are logged.

PCI DSS Requirement 10.2.4:

Invalid logical access attempts.

Invalid access attempts are logged.

PCI DSS Requirement 10.2.5:

Use of identification and authentication mechanisms.

Audit logs document which authentication methods were used.

PCI DSS Requirement 10.2.6:

Initialization of the audit logs.

The audit logs show when new logs were opened or initialized.

PCI DSS Requirement 10.2.7:

Creation and deletion of system-level objects.

This information is captured in audit logs.

PCI DSS Requirement 10.3:

Record at least the following audit trail entries for all system components for each event:

- PCI DSS Requirement 10.3.1: User identification
- PCI DSS Requirement 10.3.2: Type of event
- PCI DSS Requirement 10.3.3: Date and time
- PCI DSS Requirement 10.3.4: Success or failure indication
- PCI DSS Requirement 10.3.5: Origination of event
- PCI DSS Requirement 10.3.6: Identity or name of affected data, system component, or resource

Events that are initiated on behalf of a user, such as sending, receiving, or accessing a message, are logged and include user identification, event type, date and time, success or failure indication, origination, and identity.
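The lockout rule described above for Requirements 8.5.13 and 8.5.14 (five invalid attempts, 30-minute lockout), the password-mix rule of 8.5.11, and the per-event audit fields of 10.3 fit together in one small authentication gate. The following is an added illustration written for this page, not WatchGuard XCS code: the class and function names, the ManualClock, the constructed audit record layout, and the choice of a salted, iterated PBKDF2 hash for stored passwords are all this example's assumptions (the page itself says the appliance hashes with SHA1). The minimum-length check refers to PCI DSS 8.5.10, which the page does not discuss.

```python
"""Editor-added example (not WatchGuard XCS code): an administrative login
gate that locks out after five invalid attempts for 30 minutes (PCI DSS
8.5.13 / 8.5.14), checks the 8.5.11 password mix rule, and writes one audit
record per event carrying the six PCI DSS 10.3 fields."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_ATTEMPTS = 5           # page: lock out after five invalid attempts (8.5.13)
LOCKOUT_SECONDS = 30 * 60  # page: lockout lasts 30 minutes (8.5.14)
MIN_LENGTH = 7             # PCI DSS 8.5.10; not discussed on the page
PBKDF2_ROUNDS = 100_000    # editor's choice: salted, iterated hash instead of bare SHA1

# 10.3.1 .. 10.3.6: user, event type, date/time, success/failure, origin, affected resource
REQUIRED_FIELDS = ("user", "event", "timestamp", "success", "origin", "resource")


def password_meets_policy(pw: str) -> bool:
    """8.5.11: a mix of alphabetic and non-alphabetic characters (plus 8.5.10 length)."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(not c.isalpha() for c in pw))


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class ManualClock:
    """Constructed clock so the lockout window can be exercised without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class AdminAuthGate:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        self.audit: List[dict] = []

    def add_user(self, user: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, digest=_derive(password, salt))

    def _record(self, user: str, event: str, success: bool, origin: str, method: str) -> None:
        # One record per event with the 10.3 fields plus the mechanism used (10.2.5)
        self.audit.append({
            "user": user,                 # 10.3.1 user identification
            "event": event,               # 10.3.2 type of event
            "timestamp": self.clock(),    # 10.3.3 date and time
            "success": success,           # 10.3.4 success or failure
            "origin": origin,             # 10.3.5 origination (client address)
            "resource": "admin-console",  # 10.3.6 affected component
            "auth_method": method,
        })

    def login(self, user: str, password: str, origin: str, method: str = "on-box") -> str:
        """Return 'ok', 'denied' or 'locked'; every outcome is audited (10.2.4)."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            self._record(user, "login", False, origin, method)
            return "denied"
        if acct.locked_until > now:
            self._record(user, "login-while-locked", False, origin, method)
            return "locked"
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            self._record(user, "login", True, origin, method)
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS  # window starts at the fifth failure
            acct.failures = 0
            self._record(user, "lockout", False, origin, method)
            return "locked"
        self._record(user, "login", False, origin, method)
        return "denied"


def record_is_complete(rec: dict) -> bool:
    """Check that an audit record carries every 10.3 field."""
    return all(k in rec for k in REQUIRED_FIELDS)
```

An attempt made while the account is locked is recorded as its own event type rather than being silently dropped, so a reviewer reading the trail can distinguish a lockout from ordinary failed logins; `record_is_complete` is the kind of check an auditor would run over exported records before accepting them as 10.3 evidence.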

PCI DSS Requirement 10.4:

Synchronize all critical system clocks and times.

The clock is set on the WatchGuard XCS using NTP (network time protocol) to ensure all device times are synchronized with one another.

PCI DSS Requirement 10.5:

Secure audit trails so they cannot be altered.

Logs are, by default, stored in text format on the WatchGuard XCS server. If desired, the body of messages can be archived based on configurable rules, or messages can be archived in their entirety. There is an on-box limit on the size of logs, but storage is effectively unlimited if logs are off-loaded to a centralized logging server. Logs can be sent to a syslog server or securely copied using SCP to alternative locations for further processing or review. This functionality can help facilitate regular log file review. Email notification that new log files have been copied can be sent to those responsible for log file review. While a product cannot force regular review of log files as required by many regulatory requirements, including PCI, the flexibility provided by the WatchGuard XCS platform makes logs available for review.
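Requirement 10.5 asks that audit trails cannot be altered, and the text above covers how logs leave the appliance (syslog, SCP, an email notification on copy) but not how the receiving side can tell a copied text log has not been edited afterwards. The following is an added example written for this page, not a WatchGuard XCS feature: a SHA-256 hash chain over the lines of an exported log, with the final digest kept out of band (for example, in the notification email). The sample log lines and the fixed chain seed are constructed for the example.

```python
"""Editor-added example (not an XCS feature): a SHA-256 hash chain that makes
an exported text log tamper-evident, so a reviewer on the central log server
can detect an edited, inserted, deleted or truncated line."""
import hashlib
import hmac
from typing import List, Tuple

# Assumption: fixed chain start; a deployment would use a per-file nonce recorded out of band.
SEED = b"\x00" * 32

# Constructed sample lines in the style of an appliance audit log (not real XCS output).
SAMPLE_LOG = [
    "2010-07-19T10:01:02Z admin login success src=10.0.0.5 method=securid",
    "2010-07-19T10:03:40Z admin policy-change rule=dlp-ccn action=block",
    "2010-07-19T10:05:11Z jsmith login failure src=10.0.0.77 method=ldap",
]


def chain_log(lines: List[str], seed: bytes = SEED) -> Tuple[List[str], str]:
    """Prefix each line with hex(SHA-256(previous digest || line)).

    Returns the chained records and the final digest. The final digest is the
    value to keep separately from the file; without it, truncating the tail
    of the log would go unnoticed."""
    prev = seed
    records = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        records.append(f"{digest.hex()} {line}")
        prev = digest
    return records, prev.hex()


def verify_chain(records: List[str], final_digest: str, seed: bytes = SEED) -> int:
    """Return -1 if the chain is intact.

    Otherwise return the index of the first record whose stored digest no
    longer matches the recomputed chain (an edit, insertion or deletion at
    or before that point), or len(records) when every record matches but
    the chain ends early (a truncated tail)."""
    prev = seed
    for i, rec in enumerate(records):
        stored, _, line = rec.partition(" ")
        digest = hashlib.sha256(prev + line.encode("utf-8")).digest()
        if not hmac.compare_digest(digest.hex(), stored):
            return i
        prev = digest
    return -1 if hmac.compare_digest(prev.hex(), final_digest) else len(records)


if __name__ == "__main__":
    records, final = chain_log(SAMPLE_LOG)
    print("intact:", verify_chain(records, final))
    records[1] = records[1].replace("action=block", "action=allow")
    print("first bad record after edit:", verify_chain(records, final))
```

The check only tells a reviewer where the chain first breaks, not what the original line was; the untouched copy on the logging server, or the appliance's own on-box log, is still needed to see what changed.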

Summary

WatchGuard XCS provides solid security protection at key points in the network that enable organizations to prevent data loss and system compromise, thereby satisfying many portions of the PCI regulation that can be addressed with a technical solution.

WatchGuard XCS provides significant control over email traversing organizational boundaries, and takes end users out of the decision process for what data can leave the organization via unencrypted email. Additional product functionality addresses all areas of PCI that apply to an email management system, including secure administration, multiple strong authentication mechanisms, and robust logging, monitoring, and auditing capabilities. Beyond email, WatchGuard XCS provides content scanning for sensitive data that is being sent via web protocols, and provides administrators with a powerful tool to detect, log, and block this data based upon the organization’s policy.

WatchGuard is the only vendor that consolidates the functionality of conventional point products to offer an integrated secure content platform for application security. WatchGuard XCS is an integrated content security platform that delivers inbound security controls, outbound compliance controls, and management for commonly used messaging applications including email and browser-based applications (web and blogs).

With the WatchGuard XCS, a common set of security and policy controls can be applied to all messaging traffic in a single product with a single policy engine and a single set of logging and auditing tools. In addition, the WatchGuard solution provides central management capabilities for multiple distributed devices, allowing a central administrator to define policies that are securely pushed to all installed WatchGuard XCS devices in the network. This approach leaves less room for error, and ensures that security policy is applied consistently throughout the network. No other security vendor has as comprehensive a solution for providing centralized security policy enforcement for a broad range of communication protocols.

Appendix A

The Payment Card Industry Data Security Standard

In 2004, the Visa Cardholder Information Security Program (CISP) and MasterCard Site Data Protection (SDP) Program requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS). This standard resulted from collaboration between Visa and MasterCard to create common industry security requirements.

PCI DSS compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The program applies to all payment channels, including retail, mail/telephone order, and e-commerce. It is important to note that the five major payment card brands (Visa, MasterCard, Diners Club, American Express, and JCB) all require PCI DSS compliance. The details regarding specifics of compliance, including dates and fines for non-compliance, are managed by the individual brands themselves.

Merchants

A merchant is any entity, such as a retail store, that processes credit card transactions. As of July 18, 2006, merchant level definitions for PCI DSS have changed. The merchant levels are:

In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Validation requirements for merchant levels are shown below. For all merchants, the due dates for compliance have passed and all merchants are now required to be in compliance.

Merchant Level 1

- Annual On-Site PCI Data Security Assessment: reviewed by a QSA, or by Internal Audit if signed by an officer of the merchant company and pre-approved by the acquirer
- Quarterly Network Scan: performed by a Qualified Approved Scanning Vendor (ASV)

Merchant Level 2

- Annual On-Site PCI Data Security Self-Assessment Questionnaire: validated by the merchant
- Quarterly Network Scan: performed by a Qualified Approved Scanning Vendor (ASV)

Merchant Level 3

- Annual On-Site PCI Data Security Self-Assessment Questionnaire: validated by the merchant
- Quarterly Network Scan: performed by a Qualified Approved Scanning Vendor (ASV)

Merchant Level 4

- Annual On-Site PCI Data Security Self-Assessment Questionnaire: validated by the merchant
- Quarterly Network Scan (may be recommended or required, depending on acquirer compliance criteria): performed by a Qualified Approved Scanning Vendor (ASV)

Service Providers

Service providers are organizations that process, store, or transmit cardholder data on behalf of members, merchants, or other service providers. Hosting providers and others providing services to merchants would also fall into this category. Service provider levels are:

Visa Service Provider Levels Defined

Level 1

- Canada, CEMEA, Europe, USA: All VisaNet processors (member and non-member) and all payment gateways
- Asia Pacific: Large: Service Providers processing over 600,000 Visa transactions annually
- Latin America/Caribbean: All VisaNet processors (member and non-member), payment gateways, and Internet Payment Service Providers regardless of transaction volume

Level 2

- Canada, CEMEA, Europe, USA: Service Providers (agents) not in Level 1 that store, process, or transmit > 1 million accounts/transactions annually
- Asia Pacific: Medium: Service Providers processing between 120,000 and 600,000 Visa transactions annually
- Latin America/Caribbean: N/A

Level 3

- Canada, CEMEA, Europe, USA: Service Providers (agents) not in Level 1 that store, process, or transmit < 1 million accounts/transactions annually
- Asia Pacific: Small: Service Providers processing less than 120,000 transactions annually
- Latin America/Caribbean: N/A

American Express, Discover, JCB, and MasterCard Service Provider Levels Defined

Level 1

- AMEX: All Third Party Processors (TPP)
- Discover: Discover does NOT categorize Service Providers into levels; thus, ALL Third Party Processors (TPP) and Payment Service Providers (PSPs)
- JCB: All Third Party Processors (TPP)
- MasterCard: All Third Party Processors (TPP) and all DSEs that store, transmit, or process greater than 1,000,000 total combined MasterCard and Maestro transactions annually. Additionally, all "compromised TPPs and DSEs"

Level 2

- MasterCard: All DSEs that store, transmit, or process less than 1,000,000 total combined MasterCard and Maestro transactions annually

In addition to adhering to the PCI Data Security Standard, compliance validation is required for all service providers. These validation requirements are defined below:

Visa Service Provider Validation Requirements Defined (Canada, Europe, USA)

Level 1

- Annual onsite review by QSA
- Quarterly network scan by ASV
- Annual Self-Assessment Questionnaire (Canada: SAQ required and must be reviewed by QSA)

Level 2

- Annual onsite review by QSA
- Quarterly network scan by ASV
- Annual Self-Assessment Questionnaire (Canada: must be reviewed by QSA)

Level 3

- Annual onsite review by QSA
- Quarterly network scan by ASV
- Annual Self-Assessment Questionnaire (Canada: must be reviewed by QSA)

American Express, Discover, JCB, MasterCard Service Provider Validation Requirements

- AMEX: Annual on-site review by QSA (or internal auditor if signed by officer of merchant company); Quarterly network scan by ASV
- Discover: Quarterly network scans by ASV AND one of the following: Annual on-site review by QSA (or internal auditor if signed by officer of Service Provider), or Annual self-assessment questionnaire
- JCB: TPP validation requirements will be outlined in forthcoming JCB rules and regulations
- MasterCard: Level 1 SPs: Annual on-site review by QSA AND Quarterly network scan by ASV; Level 2 SPs: Annual self-assessment questionnaire AND Quarterly network scan

About this document

This document provides general information about personal privacy and compliance initiatives in North America. It is intended to be used for resource and reference purposes only and does not constitute legal advice. Readers of this paper are encouraged to speak with their legal counsel to understand how the general issues discussed above apply to their particular circumstances. WatchGuard Technologies Inc. disclaims any and all liability for damages, costs, lost profits, fines, fees or financial penalties of any kind suffered by any party acting or relying on the general information contained herein.

ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
WEB: www.watchguard.com
NORTH AMERICA SALES: +1.800.734.9905
INTERNATIONAL SALES: +1.206.613.0895

ABOUT WATCHGUARD Since 1996, WatchGuard Technologies has provided reliable, easy to manage security appliances to hundreds of thousands of businesses worldwide. WatchGuard’s award-winning extensible threat management (XTM) network security solutions combine firewall, VPN, and security services. The extensible content security (XCS) appliances offer content security across email and web, as well as data loss prevention. More than 15,000 partners represent WatchGuard in 120 countries. WatchGuard is headquartered in Seattle, Washington, with offices in North America, Latin America, Europe, and Asia Pacific. For more information, please visit www.watchguard.com.

No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features, or functionality will be provided on an if and when available basis. ©2009 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard Logo, and WatchGuard ReputationAuthority are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks and tradenames are the property of their respective owners.

Part. No. WGCE66649_071910