PCI Compliance

Meet PCI compliance with efficiency.

The Payment Card Industry Data Security Standard (PCI DSS) includes a number of controls that pertain to network architecture, configuration, and operations. RedSeal’s unique ability to map your network, calculate potential access, and prioritize risk is well suited to meeting many network PCI DSS requirements, especially those related to firewalling, network segmentation, and penetration testing.

RedSeal also helps organizations meet the new “Business as Usual” best practices in PCI DSS 3.0. The BAU guidelines were added in 3.0 to emphasize the need to implement security controls as ongoing processes, rather than focusing on “just in time” compliance when the annual audit rolls around. RedSeal analyzes network infrastructure and risk on a nightly basis. This allows an organization to implement continuous monitoring of their segmentation and firewall configuration and effectiveness, with minimal operational overhead.

RedSeal helps your network meet PCI DSS compliance requirements.

  • PCI DSS Compliance Requirement 1—Firewall Configuration

    Current network diagram; firewall and DMZ architecture validation.

  • PCI DSS Compliance Requirement 2—Configuration Hardening

    Configuration best practices and default removal for network and firewall infrastructure.

  • PCI DSS Compliance Requirement 6—Secure Systems

    Determine risk ranking for vulnerabilities based on severity, frequency and exposure.

  • PCI DSS Compliance Requirement 11.3—Penetration Testing

    Re-testing of segmentation following changes; prioritization and remediation of exploitable vulnerabilities.

  • Segmentation

    Validation of segmentation boundary; includes support for “Category 1/2/3” best practice segmentation strategy rapidly gaining traction with QSAs (Qualified Security Assessors). For more detail on RedSeal mapping to PCI 3.1 controls:

  • PCI DSS Compliance Requirement 11.3.4—Penetration Testing and CDE Segmentation

    A great example of how PCI DSS 3.0 significantly changes control activity implementation is the new requirement for penetration testing of the CDE segmentation boundary (11.3.4).

This requirement states that penetration testing must be done “…after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.”  In practice, this could be interpreted to mean that pen testing needs to be done after any firewall rule or ACL change on any device that segments the CDE—a massive undertaking. However, RedSeal can continually test the segmentation boundary and identify those portions of the boundary that actually changed, allowing pen testing to be focused on just those elements. This drastically reduces the cost and effort required to meet this stringent new requirement. For more information, download our white paper: CDE Segmentation Validation.

Splunk .conf2017: Accelerate incident investigation with the RedSeal app and Splunk Adaptive Response actions -Learn More
+ +
X