White Papers for Federal Financial Institutions Examination Council (FFIEC)
Achieving PCI Compliance
e-DMZ Security

Though PCI compliance is not a government-driven requirement such as Sarbanes-Oxley and HIPAA, non-compliance under PCI can have a devastating impact on any enterprise that relies on credit card transactions. Your contract with the credit card companies requires that, as an organization, you comply with PCI. Non-compliance with PCI can result in specific contractual penalties and/or revocation of your rights as an enterprise to process credit card transactions.
Like all compliance and regulatory requirements, there is no single product or policy/procedure that will assure your compliance. THERE IS NO SILVER BULLET for PCI COMPLIANCE. PCI compliance requires that your enterprise deploy many security technologies and have specific policies and procedures in place. This white paper focuses on the unique issues and solutions associated with both privileged password management and remote vendor access in meeting PCI compliance requirements. Many of the requirements highlighted cannot be resolved or adequately addressed by existing enterprise security technologies such as firewalls, VPN and IDS solutions. Existing legacy policies and procedures are also unable to meet many of the requirement standards presented under PCI.
Management, control and audit of both shared/privileged account passwords and critical remote third-party and administrative-level connections is mandatory in meeting PCI requirements and other growing regulatory, compliance and best-practice security needs. The chart below (see Appendix A, pg. 4) is based on a review of the “Payment Card Industry Security Audit Procedures – Version 1.1, September 2006.” The chart illustrates the particular PCI issues that are mitigated through the deployment of our eGuardPost or Password Auto Repository (PAR) solutions.
COMPLIANCE-DRIVEN PASSWORD MANAGEMENT
The Password Auto Repository (PAR) was uniquely designed to solve enterprise security and compliance issues associated with the management and control of shared privileged passwords such as root and administrator. The issue of privileged password management and the unique features of PAR contribute directly and/or indirectly to many specific PCI requirements as outlined in Attachment A. Fundamentally, the compliance audit concerns in the area of shared privileged password management center on ACCOUNTABILITY and AUDIT. Given the level of access and the shared nature of accounts like root and administrator, internal and external PCI audits are taking a close look at existing enterprise controls. In most cases, the existing manual policy/procedure solutions (e.g. safe – envelope) or internally developed technical solutions are not standing up to PCI compliance audits. Under audit scrutiny, existing in-house solutions are failing to deliver assured accountability and adequate audit.