Retail: PCI DSS Compliance
Because credit cards are an attractive target, organizations with significant retail components are frequent targets of cyber crime. To reduce their credit card liability, the financial industry created the Payment Card Industry Data Security Standard (PCI DSS), for retailers. This requires, among other things, that you protect segments of your network from the outside with PCI controls. You need to set up a segmented network, including a card holder data zone, and prove it for compliance.
RedSeal automates significant parts of that proof of PCI DSS compliance. We know that all your budgets, including your security budget, are carefully scrutinized. Our automation has helped retail customers be more efficient as they evaluate their retail network security for exposures, go through an audit, demonstrate PCI compliance, and avoid credit card loss. They’ve been able to re-deploy scarce staff to other tasks.
Meet PCI DSS compliance with efficiency.
The Payment Card Industry Data Security Standard (PCI DSS) includes a number of controls that pertain to network architecture, configuration, and operations. Your retail network security starts with retail network mapping. RedSeal’s unique ability to map your network, calculate potential access, and prioritize risk is well-suited to meeting many PCI DSS requirements, especially those related to firewalling, network segmentation, and penetration testing.
RedSeal also helps organizations meet the “Business as Usual” best practices in PCI DSS 3.2. The BAU guidelines were added to emphasize the need to implement network security controls as ongoing processes, rather than focusing on “just in time” compliance when the annual audit rolls around. RedSeal analyzes network infrastructure and risk on a nightly basis. This allows an organization to implement continuous monitoring of their segmentation and firewall configuration and effectiveness, with minimal operational overhead.
RedSeal helps you meet PCI DSS requirements. RedSeal supports 38 PCI controls in the following DSS 3.2 requirement sections:
PCI DSS Compliance Requirement 1—Firewall Configuration
Current network diagram; firewall and DMZ architecture validation.
PCI DSS Compliance Requirement 2—Configuration Hardening
Configuration best practices and default removal for network and firewall infrastructure.
PCI DSS Compliance Requirement 6—Secure Systems
Determine risk ranking for vulnerabilities based on severity, frequency and exposure.
PCI DSS Compliance Requirement 11.3—Penetration Testing
Re-testing of segmentation following changes; prioritization and remediation of exploitable vulnerabilities.
Validation of segmentation boundary; includes support for “Category 1/2/3” best practice segmentation strategy rapidly gaining traction with QSAs (Qualified Security Assessors). For more detail on RedSeal mapping to PCI 3.2 controls.
PCI DSS Compliance Requirement 11.3.4—Penetration testing and CDE Segmentation
A great example of how PCI DSS 3.X significantly changes control activity implementation is the new requirement for penetration testing of the CDE segmentation boundary (11.3.4).
This requirement states that penetration testing must be done “…after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.” In practice this could be interpreted to mean that pen testing needs to be done after any firewall rule or ACL change on any device that segments the CDE – a massive undertaking. However RedSeal can continually test the segmentation boundary and identify those portions of the boundary that actually changed, allowing pen testing to be focused on just those elements. This drastically reduces the cost and effort required to meet this stringent new requirement. For more information, download our white paper:
RedSeal PCI Controls:
- Provides comprehensive PCI controls to test segmentation, firewalling and DMZ architecture with extremely low operational overhead.
- Lowers the cost of PCI penetration testing by reducing the need for manual tests.