Identity Finder Helps You Comply with PCI-DSS 2.0
Identity Finder helps companies and organizations simply and affordably comply with the Payment Card Industry
Data Security Standard (PCI-DSS), version 2.0. PCI-DSS 2.0 is designed to protect credit card numbers, or
"Primary Account Numbers" (PAN) while they are being processed, transmitted, and stored. Any device which stores
even a single PAN is a part of the Cardholder Data Environment, must comply with PCI-DSS's strict security standards,
and is subject to a Payment Application (PA)-DSS audit.
Identity Finder decreases PCI-DSS audit and compliance costs by shrinking your company's Cardholder Data Environment
Identity Finder decreases PCI-DSS audit and compliance costs by shrinking your company's Cardholder Data Environment
Even though PCI-DSS is not legislation and there is no federal law that mandates PCI-DSS Compliance, the Data Security
Standard does have the full force and effect of law in many circumstances.
- States like Nevada and Minnesota require PCI-DSS compliance and Massachusetts law borrows heavily from PCI-DSS concepts.
- Failure to comply with PCI-DSS can be evidence of negligence or breach of contract in court.
- Many states have additional security laws such as Data Breach Notification and Data Destruction laws.
- Failure to comply with PCI-DSS can have a negative effect on FTC actions or sanctions.
- PCI-DSS 2.0 does not supersede local or regional laws, government regulations, or other legal requirements.
- Failure to comply with PCI-DSS increases legal and financial liability
Here are some important updates from PCI-DSS 1.2.1:
- Cardholder Data Environment: Identifying "all locations" that contain cardholder data is “the first step of a PCI DSS review."
- New Cryptography requirements.
- No credit card numbers may be sent using IM and email.
- WEP is no longer permitted as a method of securing wireless networks.
- Anti-virus programs should generate logs automatically.
- Companies must diagnose, identify, rank, and patch vulnerabilities in internal systems.
- Companies must go out of their way to find wireless access points on at least a quarterly basis.
- Companies must designate incident response personnel; available 24/7.
Identity Finder helps companies comply with at least the following PCI-DSS Requirements:
| Ref. | Requirement | How Identity Finder Helps |
|---|---|---|
| Summary of Changes, p. 3 | "The first step of a PCI DSS review is to accurately determine the scope of the assessment, by identifying all locations and flows of cardholder data and ensuring that all such locations are included in the assessment." | Identity Finder is an essential tool to accurately identify all locations of cardholder data, inside and outside the existing Cardholder Data Environment. More importantly, Identity Finder will allow you to proactively decrease the size of your Cardholder Data Environment by identifying the broken or risky business processes that allowed data to leak outside the secure environment. |
| p. 9 | "Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment..." | We'll be the first to tell you that installing Identity Finder does not make your company PCI-DSS compliant, but Identity Finder is the premier diagnostic and remediation tool to aid security professionals establish a PCI-DSS compliant environment. |
| p. 10 | "The cardholder data environment is [the]… people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. [Including]…. firewalls, switches, routers, wireless access points, … web, application [servers], database [servers], authentication, mail, proxy, … and domain name server[s] (DNS)." | Identity Finder will identify all network devices with a hard drive within your cardholder data environment, and the people who interact with those devices to help you fix broken or risky business process which inadvertently increase the size of your cardholder data environment. |
| p. 11 | "Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment." | Identity Finder will scan only within accesible networks, which will help you identify improperly segmented networks. |
| Sections 2.0, 6.4.3 | Never use real credit card numbers for testing purposes: "Production data (live PANs) are not used for testing or development." | Identity Finder will search test environments and development servers for live PANs. Identity Finder uses context-aware search and validation algorithms such as the Luhn algorithm to minimize false positive results. |
| p. 7 | Determining the Scope of the PA-DSS Audit: "The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply." | When you run Identity Finder prior to a PA-DSS audit, Identity Finder will identify and remediate PANs on any network device. This will allow you to drastically shrink the size of your cardholder data environment and fix business processes prior to your audit. |
| Sections 8.5.5, 8.5.6 | "Remove/disable inactive user accounts at least every 90 days… [and] Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use." | Although Identity Finder does not change access controls, running Identity Finder on network shares inevitably turns up orphaned data from former employees. Orphaned data can contain sensitive information, and may be accessible to former or current employees. |
| Section 2.2.1 | "Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)" | Identity Finder will search servers and help you discover PANs in unexpected places, such as your web server. If you discover PANs on unauthorized servers, you will be able to track down and fix the processes that allowed the leak to occur. |
| Section 6.1 | "Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release." | Identity Finder publishes a regular update schedule and communicates ahead of time so that you can test and roll out updates in your development environment. |
| Section 9.10.2 | "Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed." | Identity Finder will encrypt or shred cardholder data on electronic media using the Department of Defense’s 5220-22.M deletion standard to ensure that data cannot be recovered using software-based forensic tools. |
| Section 3.1.1 | "Implement a data retention and disposal policy that includes: Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements." | Identity Finder will execute data retention and disposal policies on a regular basis, based on legal, regulatory and business requirements. [QUESTION: Can we limit search to files that are older than 1 year, or something similar?] |
| Section 3.2 | Never store authentication data, even if it's encrypted. | Identity Finder will help you find and permanently shred authentication data, preventing security vulnerabilities before they occur. |
| Section 3.3, 3.4 | "Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN); Truncation (hashing cannot be used to replace the truncated segment of PAN); ... Strong cryptography with associated key-management processes and procedures." | Identity Finder encrypts files on hard drives, portable media, backup media and logs using native application encryption for common filetypes, its own proprietary 256-bit AES whole-file encryption option for all file formats, or will encrypt using an installed encryption solution. Identity Finder will also reach into files and Truncate PANs. All encryption keys and passwords are stored securely in the Identity Finder Password Vault. |
| p. 11 | "An important prerequisite to reduce the scope of the cardholder data environment is a clear understanding of business needs and processes related to the storage, processing or transmission of cardholder data. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data, may require reengineering of long-standing business practices." | Identity Finder DLP's Console gives you detailed and high-level reports that will help technologists and decision-makers identify broken or risky business practices. Identity Finder also identifies employees in the greatest need of support and training. Identity Finder is an essential source of business intelligence to help you reengineer business practices to comply with PCI-DSS. |
| Section 7.1.1 | "Restrict access rights to privileged user IDs to least privileges necessary to perform job responsibilities" | One of the most severe risks to data security is "Data Blindness," or lack of knowledge of where your data resides. Solving data blindess is an initial step to restricting access rights in accordance with PCI-DSS 2.0. |
How You Will Comply with PCI-DSS-2.0
PCI-DSS 2.0 requires companies to implement data retention and disposal policies that limits storage amount and retention time
as far as possible (PCI-DSS 2.0, 3.1.1); never store authentication data on any device, even if encrypted (PCI-DSS 2.0, 3.2); and
eliminate unnecessary PCI data, consolidate necessary data, and reengineer business practices as necessary (PCI-DSS 2.0, p. 11); mask
and truncate PANs in many instances (PCI-DSS 2.0, 3.3). Identity Finder enforces compliance with each of these PCI-DSS 2.0
requirements. Identity Finder enforces compliance with PCI-DSS 2.0 and decreases audit and compliance costs in at least 15 ways:
- Identity Finder finds PCI and authentication data in any file type, on any network device, over the any file type, on entire enterprise network, and gives you the tools to eliminate unnecessary PCI data or consolidate necessary data;
- Identity Finder shrinks the size of your Cardholder Data Environment by removing PCI data from systems, devices and employees who do not need it;
- Identity Finder enables security and compliance officers to conduct security and compliance assessments showing a gap analysis between what is in and out of compliance;
- Identity Finder's gap analysis drives business process changes that prevent future PCI data leakage;
- Identity Finder enables employees or security and compliance officers to shred/destroy, redact, encrypt, or quarantine errant PCI data;
- Identity Finder enables security and compliance officers to identify specific devices and employees who store PCI data, and enforce enterprise PCI data policies from a centralized console;
- Identity Finder analyzes logs for key words and text when configured to do so;
- Identity Finder implements and enforces data retention and disposal policies;
- Identity Finder implements masking and truncation policies when configured to so;
- Identity Finder produces regular enterprise-wide reports that will decrease PA-DSS audit and compliance costs;
- Identity Finder encourages employees to engage in PCI best practices by empowering them to manage errant PCI;
- Identity Finder creates a comprehensive PCI data inventory over the entire enterprise network;
- Identity Finder's PCI inventory enables a targeted, surgical response, should a breach ever occur;
- Identity Finder has an extremely low false-positive rate, enabling security and compliance officers to save on wasted time and costs looking through irrelevant data;
- Identity Finder provides a dashboard and reporting interface for both technical and executive level employees that displays your compliance status at any point in time.