
RSA Solution Brief

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

The Payment Card Industry (PCI) Data Security Standard (DSS) imposes a broad range of reporting requirements, which become of paramount importance during the annual PCI DSS audit. In addition, through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors track and monitor all access to network resources and cardholder data. As businesses step back and recognize the reporting and monitoring implications of the PCI DSS, the following question arises: While compliance is critical, how can my organization become more proactive than reactive, and how can we ensure that time and resource investments will extend beyond our PCI DSS initiative?

Customer Benefits: Compliance and Security Information Management Solution

With RSA enVision technology, you will have the opportunity to:
- Rest assured knowing that if a policy or security violation does occur, you will know about it and be able to respond.
- Refocus on growing your business rather than responding to audits, because your organization has a tool to help quickly prove you've met key PCI DSS requirements.
- Move beyond compliance by leveraging PCI DSS-based investments to improve your company's overall security posture.

Moving Beyond Compliance with RSA enVision Technology

Violations of policy and security happen without warning. Regardless of whether these are innocent mistakes or illegal attempts at accessing private information, you need immediate visibility into such behaviors in order to respond. Such visibility and responsiveness are critical to achieving PCI DSS compliance and, from a broader perspective, necessary to ensure that all of your organization's private business, customer and partner information is secure. RSA enVision transforms raw, seemingly unrelated security and network events into meaningful business intelligence. By first establishing baseline levels of activity for the entire network environment, RSA enVision is able to help identify abnormal behaviors and issue alerts when such activities occur. By capturing all the data, from security, network and enterprise applications to mainframe, desktop and storage devices, RSA enVision gives you complete, unfiltered visibility.

Beyond PCI compliance, RSA enVision does away with the business data silos that are created in many organizations. It collects, analyzes and manages all the data, and provides a platform that helps inform virtually anyone in your organization. Not only will compliance auditors have a complete set of data to address compliance requirements, but risk management and security operations can see security alerts in real time. And everyone from desktop operations, to the help desk, to applications management and network management personnel can access the reports they need at any time. RSA enVision leverages the LogSmart Internet Protocol Database (IPDB) for collecting and analyzing your company's compliance and security information. The LogSmart IPDB maintains a digital chain of custody for all data, which assures that once data is committed to the database it can never be altered, unlike most data schemas used in relational database management system (RDBMS)-based solutions.

RSA PCI Solution Components

RSA Access Manager: RSA's solution for secure enterprise access enables merchants, banks and payment processors to ensure that only users with a business need-to-know can access cardholder data within Web-based PCI systems.

RSA Enterprise Data Protection solutions: RSA's secure enterprise data solutions enable businesses impacted by the PCI Standard to protect cardholder data across all encryption endpoints and centrally manage encryption keys on an enterprise-wide basis. They comprise:
- RSA Database Security Manager
- RSA File Security Manager
- RSA Key Manager
- CipherOptics IP Security Gateway
- Decru DataFort storage security appliances
- NeoScale CryptoStor appliances

RSA enVision: RSA's solution for compliance and security information management enables organizations impacted by the PCI DSS to ease the audit process by establishing a centralized point for tracking and monitoring access to cardholder data throughout a PCI environment.

RSA SecurID: RSA's solutions for securing access to enterprise data help customers ensure that users accessing cardholder data systems and the broader IT network are who they claim to be.

RSA Professional Services: RSA Professional Services offers a range of capabilities, such as helping customers prepare for a PCI DSS audit, supporting the broad-based discovery of cardholder data across the enterprise, and implementing technologies for remediation.

EMC Celerra and EMC Centera: Out-of-the-box integration of EMC Celerra and EMC Centera with RSA enVision technology enables customers to cost-effectively store critical PCI audit log data.

In addition, while other solutions reduce or pre-filter the data coming from source devices because the RDBMS simply cannot keep up, RSA enVision captures the complete data set within the LogSmart IPDB. Your organization will benefit from real-time analysis and parallel authentication and compression of source data, which means alerts are highly accurate and timely. The benefits of agent-free collection are clear: no filtering of data at the source, no ongoing management of agents spread throughout the network, no risk or impact on your network infrastructure, and reduced total cost of ownership due to ease of configuration and deployment. In the end, RSA enVision technology positions your business to quickly respond to policy and security breaches, which helps improve the organization's IT security posture and eases the compliance process.

RSA enVision helps position customers to focus financial and human resources on business-growth initiatives, rather than on reacting to an ongoing cycle of PCI DSS audits. For more information on RSA's solutions to help customers address PCI DSS compliance, visit www.rsa.com/pci

PCI DSS Requirement 10 and RSA enVision


PCI DSS Requirement 10 states that companies must track and monitor all access to network resources and cardholder data. RSA enVision enables customers to ease the audit process by establishing a centralized point for tracking and monitoring access to cardholder data throughout a PCI environment. The specific RSA enVision capabilities that address each part of Requirement 10 include:

Requirement 10.1: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Capability: RSA enVision enables customers to track administrative user activity and provides oversight to help verify that a user is acting in accordance with established policy. Additionally, the system may send an alert to a user's supervisor if behavior violates policy. RSA enVision offers out-of-the-box reporting that displays all successful administrative privilege escalations on monitored UNIX and Linux systems. Report: PCI - Administrative Privilege Escalation - UNIX/Linux

Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events.
Capability: The RSA enVision appliance helps companies implement automated audit trails that detail user access to cardholder data, actions taken by users with root/administrative privileges, access to audit trails, invalid logical access attempts, use of identification/authentication mechanisms, audit log initialization, and creation/deletion of system-level objects.

Requirement 10.2.1: All individual user accesses to cardholder data.
Capability: RSA enVision delivers built-in reporting that displays all successful file access attempts to file objects in the Cardholder Data device group. This device group is a subset of the PCI device group and should contain only the servers used to store cardholder data. Report: PCI - Individual User Accesses to Cardholder Data - Windows

Requirement 10.2.2: All actions taken by any individual with root or administrative privileges.
Capability: RSA enVision enables customers to report on all actions taken by users logged in as root. Organizations may customize this report to include any additional usernames that have been granted full administrative privileges in their environment. Report: PCI - All Actions by Individuals with Root or Administrative Privileges - UNIX/Linux
RSA enVision reporting likewise enables customers to monitor all actions taken by users logged in as Administrator, and the report may be extended with any additional usernames that hold full administrative privileges. Report: PCI - All Actions by Individuals with Root or Administrative Privileges - Windows

Requirement 10.2.3: Access to all audit trails.
Capability: RSA enVision offers built-in reports that enable customers to monitor all successful logins to RSA enVision. Report: PCI - Access to All Audit Trails

Requirement 10.2.4: Invalid logical access attempts.
Capability: RSA enVision enables customers to report all access attempts that have been denied due to access control list restrictions. Report: PCI - Invalid Logical Access Attempts - ACL Denied Summary

Requirement 10.2.5: Use of identification and authentication mechanisms.
Capability: RSA enVision enables organizations to view a report detailing all users accessing the PCI device group who authenticate using RSA Authentication Manager servers. Report: PCI - Use of Identification and Authentication Systems - RSA

Requirement 10.2.6: Initialization of the audit logs.
Capability: RSA enVision delivers out-of-the-box reports that provide a view into the initialization of audit logs on Windows, UNIX, Linux, AIX and HP-UX operating systems. Report: PCI - Initialization of Audit Logs

Requirement 10.2.7: Creation and deletion of system-level objects.
Capability: RSA enVision reporting enables customers to view the deletion of all system-level objects on monitored Windows systems, run against the PCI device group. Report: PCI - Deletion of System-level Objects - Windows
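The reports above depend on two things a collector has to get right: parsing each device's native log format into the fields Requirement 10.3 asks for, and then selecting the events each report needs. As an added illustration, not RSA enVision code or any RSA report logic, the Python below normalizes a few constructed Linux syslog lines (sshd, sudo and su in their usual formats) into those fields and derives the two views an auditor asks for first: successful privilege escalations linked to the individual who performed them (10.1 and 10.2.2), and invalid logical access attempts grouped by user and origin (10.2.4). The host names, users, addresses, sample lines and function names are illustrative assumptions.

```python
"""Normalise Linux syslog lines to the PCI DSS 10.3 audit fields and derive
the Requirement 10.1/10.2.2 (privilege escalation) and 10.2.4 (invalid
access) views.  Added example; not RSA enVision code."""
import re
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample in classic BSD syslog layout (no year, no timezone);
# a production collector records the receiving host and a full timestamp too.
SAMPLE_LOG = """\
Mar  7 09:14:02 pci-db01 sshd[2231]: Accepted publickey for alice from 10.1.5.20 port 51234 ssh2
Mar  7 09:14:30 pci-db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/lib/pg/chd.dat
Mar  7 09:15:01 pci-db01 su: (to root) bob on pts/1
Mar  7 09:16:12 pci-db01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  7 09:16:15 pci-db01 sshd[2290]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
Mar  7 09:17:40 pci-db01 sudo:      eve : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/bash
Mar  7 09:18:03 pci-db01 sshd[2301]: Failed password for bob from 10.1.5.21 port 50001 ssh2
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO = re.compile(
    r"^\s*(?P<user>\S+) : (?P<detail>.*?)TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU = re.compile(r"^\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
SSH_FAIL = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SSH_OK = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")


@dataclass
class Event:
    timestamp: str    # 10.3.3 date and time
    user: str         # 10.3.1 user identification (the person, not the shared root account)
    event_type: str   # 10.3.2 type of event
    success: bool     # 10.3.4 success or failure indication
    origin: str       # 10.3.5 origination (source address or terminal)
    resource: str     # 10.3.6 affected resource (target account and command, or service)
    host: str         # system component that reported the event


def parse_syslog(lines: Iterable[str]) -> List[Event]:
    """Turn raw lines into Event records; lines no parser claims are skipped here,
    but a real collector should count and surface them rather than drop them."""
    events: List[Event] = []
    for raw in lines:
        m = HEADER.match(raw.rstrip("\n"))
        if not m:
            continue
        ts, host, prog, msg = m.group("ts", "host", "prog", "msg")
        if prog == "sudo" and (s := SUDO.match(msg)):
            # sudo logs denials in the same line shape with "user NOT in sudoers"
            events.append(Event(ts, s["user"], "privilege_escalation",
                                "NOT in sudoers" not in s["detail"],
                                s["tty"], f"{s['target']}: {s['cmd']}", host))
        elif prog == "su" and (s := SU.match(msg)):
            events.append(Event(ts, s["user"], "privilege_escalation", True,
                                s["tty"], s["target"], host))
        elif prog == "sshd" and (s := SSH_FAIL.match(msg)):
            events.append(Event(ts, s["user"], "logon", False, s["src"], "sshd", host))
        elif prog == "sshd" and (s := SSH_OK.match(msg)):
            events.append(Event(ts, s["user"], "logon", True, s["src"], "sshd", host))
    return events


def privilege_escalation_report(events: List[Event]) -> List[dict]:
    """10.1 / 10.2.2: successful escalations to root, attributed to the person
    who invoked sudo/su rather than to the shared 'root' identity."""
    return [asdict(e) for e in events
            if e.event_type == "privilege_escalation" and e.success
            and e.resource.split(":")[0] == "root"]


def invalid_access_report(events: List[Event]) -> List[Tuple[Tuple[str, str, str], int]]:
    """10.2.4: failed logons and denied escalations, counted per (user, origin,
    type) so a repeating source sorts to the top."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for e in events:
        if not e.success:
            key = (e.user, e.origin, e.event_type)
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG.splitlines())
    for row in privilege_escalation_report(evs):
        print("ESCALATION", row["timestamp"], row["user"], "->", row["resource"])
    for (user, origin, kind), n in invalid_access_report(evs):
        print("DENIED", kind, user, "from", origin, "x", n)
```

Two points the sample makes that the report names alone do not: the escalation view is keyed on the person (alice, bob) and carries the command they ran as root, which is what 10.1 means by linking privileged access to an individual; and eve's denied sudo lands in the invalid-access view, not the escalation view, because the parser reads the success/failure indication out of the line rather than assuming every sudo entry is a success.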

Requirement 10.3: Record at least the following audit trail entries for all system components for each event.
Capability: RSA enVision records events as reported by the associated devices. In addition, RSA enVision saves event metadata, which may be analyzed and revised to determine the type of event.

Requirement 10.3.1: User identification.
Capability: RSA enVision enables organizations to record user identification information for each event associated with the PCI device group.

Requirement 10.3.2: Type of event.
Capability: RSA enVision enables organizations to identify event-type information for each event associated with the PCI device group. If the device does not report an event type, RSA enVision still supports reporting by saving metadata that may be analyzed and revised to determine the type of event.

Requirement 10.3.3: Date and time.
Capability: RSA enVision enables organizations to record date and time information for each event associated with the PCI device group.

Requirement 10.3.4: Success or failure indication.
Capability: RSA enVision enables organizations to record success/failure indication information for each event associated with the PCI device group.

Requirement 10.3.5: Origination of event.
Capability: RSA enVision enables organizations to record event origination information for each event associated with the PCI device group.

Requirement 10.3.6: Identity or name of affected data, system component, or resource.
Capability: RSA enVision enables organizations to record the name or other identity of affected systems, data, components or other PCI resources.

Requirement 10.5: Secure audit trails so they cannot be altered.
Capability: RSA enVision delivers mirrored, unfiltered data to its Internet Protocol Database, which retains data in its original format. Write-once, read-many (WORM) capabilities help ensure that the mirrored copy remains intact even if the original data is compromised. Event logs captured by RSA enVision are stored on a hardened operating system in compressed form and protected via lightweight encryption.

Requirement 10.5.1: Limit viewing of audit trails to those with a job-related need.
Capability: RSA enVision enables organizations to assign privileges so that only authorized users may access and view the audit trail.

Requirement 10.5.2: Protect audit trail files from unauthorized modifications.
Capability: RSA enVision logs cannot be altered through the graphical user interface (GUI); changes can only be made via administrative access to the RSA enVision appliance itself, which means that administrative access is the one remaining path to tampering and should be tightly restricted and itself logged. In addition, the RSA enVision data access and archival APIs are read-only, so logs may not be altered through them.

Requirement 10.5.3: Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
Capability: RSA enVision enables backups of the audit trail to be scheduled as often as needed to a centralized log server or other media (e.g., every 10 minutes or every hour, depending on the customer's needs). RSA enVision offers an LS Maintenance API that allows users to schedule backups for a device or device group (e.g., the PCI device group). A customer could, for example, schedule PCI backups every 10 minutes while devices outside the scope of PCI are backed up daily.

Requirement 10.5.5: Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
Capability: RSA enVision is capable of creating alerts that ensure supervisors and others are aware if any changes to the logs take place. In addition, the appliance-based RSA enVision technology is built on a hardened operating system, which delivers a higher degree of security.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months online availability.
Capability: The RSA enVision NAS3500 offers pre-configured, pre-tested and pre-racked EMC Celerra storage under the covers, enabling customers to support between 3.5 TB and 7 TB of storage, which is particularly relevant to retaining log data online. In addition, because RSA enVision is engineered for out-of-the-box integration with networked storage platforms such as EMC Centera and EMC Celerra, customers have the ability to store their critical information to meet compliance requirements. EMC Celerra Network Attached Storage systems provide industry-leading price/performance with no-compromise availability: applications continue running at the same performance and service levels even in the event of a failure. Celerra accomplishes this via an active-passive N+1 clustering architecture and by eliminating any single point of failure from the network to the disk drive. EMC Celerra also implements a capability called File Level Retention that provides disk-based WORM protection for files. This capability protects files and directories from deletion, alteration, renaming or overwriting during a designated retention period, so Celerra File Level Retention can protect the integrity of online audit logs for a specific retention period (e.g., three months).

PCI DSS Reporting & Auditing and RSA enVision

Beyond its core ability to help customers address PCI DSS Requirement 10, RSA enVision technology provides a robust platform for collecting, correlating and auditing access to a wide range of PCI systems, from firewalls to wireless networks to authentication mechanisms and more. The technology helps customers address key PCI DSS requirements by:
- Delivering a robust set of firewall activity reports for quickly validating compliance with Requirement 1 (Install and maintain a firewall configuration to protect cardholder data).
- Enabling customers to address key portions of Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) by reporting on configuration changes made to wireless environments.
- Easing the process of reporting on updates to enterprise anti-virus systems in support of Requirement 5 (Use and regularly update anti-virus software).
- Supporting efforts to prove compliance with Requirement 6 (Develop and maintain secure systems and applications) by reporting on patch and service pack applications.

Requirement 1.1: Establish firewall configuration standards that include the following:

Requirement 1.1.1: A formal process for approving and testing all external network connections and changes to the firewall configuration.
Capability: RSA enVision supports compliance by delivering out-of-the-box reports that display all configuration changes made to firewalls within the PCI device group. Report: PCI - Firewall Configuration Changes

Requirement 1.1.5: Documented list of services and ports necessary for business.
Capability: RSA enVision delivers built-in reporting to summarize all firewall traffic by port into the PCI device group. Report: PCI - Traffic by Port - PCI Device Group

Requirement 1.1.6: Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
Capability: RSA enVision provides ready-to-run report templates that detail all firewall traffic by port to the IP address specified as a run-time parameter, where the port used is not directly justified by PCI. Report: PCI - Traffic to Non-standard Ports - Detail
RSA enVision reporting also summarizes all firewall traffic by port and destination computer, where the port used is not directly justified by PCI. Report: PCI - Traffic to Non-standard Ports - Summary

Requirement 1.1.8: A quarterly review of firewall and router rule sets.
Capability: RSA enVision eases compliance by delivering out-of-the-box reports that display all configuration changes made to firewalls within the PCI device group. Report: PCI - Firewall Configuration Changes

Requirement 1.1.9: Configuration standards for routers.
Capability: RSA enVision templates enable customers to display all configuration changes made to routers within the PCI device group. Report: PCI - Router Configuration Changes

Requirement 1.3: Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:

Requirement 1.3.1: Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
Capability: RSA enVision reporting capabilities enable customers to automatically list all inbound Internet traffic on non-standard ports within the PCI device group in detail and summary form. Report: PCI - Inbound Internet Traffic on Non-standard Ports - Detail

Requirement 1.3.2: Not allowing internal addresses to pass from the Internet into the DMZ.
Capability: RSA enVision delivers built-in templates that enable customers to report on all inbound Internet traffic on non-standard ports within the PCI device group in detail and summary form. Report: PCI - Inbound Internet Traffic on Non-standard Ports - Detail

Requirement 1.3.6: Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers) and start-up configuration files (when machines are re-booted) should have the same secure configuration.
Capability: RSA enVision offers a built-in report that summarizes all outbound traffic by destination. Report: PCI - Outbound Traffic Summary
RSA enVision reports also detail all outbound traffic for a specific internal IP address. Report: PCI - Outbound Traffic Detail by Source Address

Requirement 2.1.1: For wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
Capability: RSA enVision offers built-in reporting that details all configuration changes made to wireless routers, enabling customers to demonstrate to an auditor that vendor defaults (including WEP keys, default SSID, passwords and SNMP community strings, and the disabling of SSID broadcasts) were changed before the wireless router was introduced to the payment-card environment. Report: PCI - Wireless Environment Configuration Changes

Requirement 3.6: Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data.
Capability: RSA enVision delivers pre-built reports that enable customers to detail all generation and periodic changing of encryption keys used in the secure storage and transfer of payment-card data, as well as summarizing access control details such as successful and failed logins, policy enforcement and regular reporting.

Requirement 4.1: Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSec) to safeguard sensitive cardholder data during transmission over open, public networks. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS).
Capability: RSA enVision reporting capabilities enable customers to review all cryptographic operations where the use of cryptography failed or was disabled by the user. Report: PCI - Encrypted Transmission Failures

Requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
Capability: RSA enVision offers reporting templates that make it simple for administrators and auditors to review update procedures for anti-virus systems. Report: PCI - Anti-virus Update Procedures

Requirement 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
Capability: RSA enVision delivers built-in reports that provide a view into all patch and service pack applications to Microsoft Windows-based systems. Report: PCI - Vendor-supplied Patch Application

RSA is your trusted partner


RSA, The Security Division of EMC, is the expert in information-centric security, enabling the protection of information throughout its lifecycle. RSA enables customers to cost-effectively secure critical information assets and online identities wherever they live and at every step of the way, and manage security information and events to ease the burden of compliance. RSA offers industry-leading solutions in identity assurance & access control, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

2007 RSA Security Inc. All Rights Reserved. RSA, enVision, SecurID and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.

PCISIEM SB 0307
