Contents
Contents (p. 1)
Executive Summary (p. 2)
Introduction (p. 3)
The Details Behind PCI DSS (p. 4)
  Background (p. 4)
  Compliance vs. Validation (p. 5)
  Recent Incentives and Penalties Announced by Visa (p. 6)
PCI DSS Requirements (p. 7)
  Compliance Benefits (p. 8)
Achieving PCI DSS Compliance (p. 9)
  Automated Tools - Continuous Monitoring and Real-Time Alerts (p. 9)
    Continuous Monitoring and Real-time Alerts (p. 9)
Tango/04 Solutions for PCI DSS Compliance (p. 11)
  Full Operating System Level Coverage (p. 12)
  Databases, Web 2.0 Enablers and other Middleware (p. 12)
  Record-level and Field-level Database Auditing (p. 13)
  Third Party Security Products, Network Appliances and Device Integration (p. 13)
  Business Application Monitoring (p. 13)
  VISUAL Security Suite Output (p. 14)
    Business and Enterprise Views (p. 14)
    Real-time Alerts (p. 16)
    Automated Actions (p. 16)
    Compliance Reports (p. 17)
  Ease of Use (p. 20)
  Tango/04 Solutions and the PCI DSS Requirements (p. 20)
  Valid for Cross Compliance (p. 20)
  Extendability (p. 20)
    Maximize Your Return on Investment (p. 21)
Summary (p. 22)
  Multiplatform Cross Compliance (p. 22)
  Field Proven in Different Industries (p. 22)
  Unique Extensibility (p. 22)
Appendix A – Tango/04 Security Solutions (p. 23)
  VISUAL Security Suite: List of Controls (p. 23)
  Tango/04 Solutions Offer Extensive Coverage for the System i (p. 24)
    Technology Alliances outside of IBM (p. 24)
  Professional Services (p. 24)
Appendix B – PCI DSS Requirements (p. 25)
  Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements (p. 26)
© 2007 Tango/04 Computing Group Page 1
Executive Summary
The Payment Card Industry Data Security Standard pertains to any company that stores, processes or
transmits credit card information. If this applies to your company, you are required to be compliant with this
private industry standard today. Depending on the volume of credit card transactions you process, the task
of demonstrating compliance may include an annual on-site audit conducted by an external auditor. In any
case, you don’t want to operate your business in a non-compliant state because the associated penalties
can be severe. For instance, if a data breach occurs while you are noncompliant, you can be fined up to
$500,000 per incident and suffer revocation of your right to accept or process credit card transactions. This
could certainly be fatal to your business.
So let’s agree that noncompliance is not an option. In that case, how do you begin to put together a
strategy that will help you meet the robust requirements of PCI DSS year after year? It’s clear that a
sustainable compliance plan must include the use of automated software technology. As a result, this
paper includes a description of VISUAL Security Suite, the Tango/04 multiplatform, real-time security
solution for achieving compliance with various regulations and industry standards. We explain how the
product can successfully be used in your efforts to meet PCI requirements to protect your credit card data
assets while actually reducing overall compliance costs.
For a number of years, the Tango/04 security solution has been used by many companies world-wide to
facilitate sustainable compliance with various regulations. Our technology is field proven and has been
adopted by 7 of the 18 largest banks in the world to facilitate their security strategies.
In fact, Stora Enso Inc. – a multi-billion dollar integrated paper, packaging and forest products company
with multiple locations in the US and across the globe – is just one of our customers using Tango/04
software to ease their auditing procedures. Other well-known companies using Tango/04 products include
BankBoston, CocaCola, Pfizer, Shell, Office Depot and Nike.
"Tango/04 software certainly simplifies our auditing process. Tango/04 pre-sale activities, post-sale
implementation and support services exceeded our expectations. The Tango/04 employees are intelligent,
helpful, funny, patient and honest. The training they provided was outstanding"
David Dresdow, Team Leader, JD Edwards System Administration, Stora Enso
Please visit our website at www.tango04.com to view testimonials from satisfied customers and to learn
more about our Security and integrated Business Service Management solutions.
Introduction
If your organization stores, processes or transmits credit card information, you are required to comply with
the Payment Card Industry Data Security Standard (PCI DSS). Depending on the number of
transactions you process, you may also be required to demonstrate compliance through an annual on-site
audit and validation process. The good news about the PCI DSS requirements is that they are explicit and
well-defined, unlike some regulations such as Sarbanes-Oxley (SOX) and the associated COBIT control
objectives. Simply understanding the control objectives of SOX can be difficult because they are vague in
many areas and wide open to interpretation.
Despite the direct nature of PCI DSS, however, the associated requirements are very rigorous and can be
quite challenging for many organizations. Some of the specific challenges to PCI compliance include the
tracking and monitoring of access to all networks and systems containing cardholder information,
encryption of cardholder data, authentication of users who access systems with credit card data and the
installation and maintenance of firewalls.
Challenges aside, there are many benefits to compliance. Among them are the
protection of consumer credit card information according to industry best practices, a significant reduction
in the risk of a potential data breach, the avoidance of costs associated with a breach and the
enhancement of your company’s image. Conversely, the consequences of noncompliance can be
financially damaging, in the form of monetary penalties in addition to higher interchange rates on credit
card transactions. If an actual data breach occurs due to noncompliance, the cost can be enormous as a
result of imposed fines, time spent responding to and containing the breach, as well as various lawsuits.
The negative press associated with a breach can also lead to the loss of existing customers as well as new
customer opportunities – none of which is good for your business.
In this white paper we discuss the evolution of PCI DSS primarily as a result of collaborative efforts
between Visa and MasterCard, describe the requirements at hand and explain recent incentives and
deadlines put forth by Visa to comply by certain dates. We also examine how the Tango/04 multiplatform,
real-time security solution can be used to help you comply with PCI DSS while simultaneously increasing
the efficiency of your business processes and generating a positive return on investment (ROI).
The Details Behind PCI DSS
First and foremost, PCI DSS is a multifaceted standard applicable to organizations that store, process or
transmit credit card information that includes the customer’s Primary Account Number (PAN). The intent of
the standard is to protect consumers by offering a single approach to safeguarding sensitive data for all
credit card brands.
Before we get into the specifics of PCI DSS, let’s step back for a moment and discuss the independent
efforts of individual credit card companies that led to the evolution of this widely accepted standard.
Background
When customers provide their credit card information at a store, over the web, on the phone, or through the
mail, they want to know that their account data is safe. In order to address this need for customer
assurance, Visa created the Cardholder Information Security Program (CISP). Mandated since June
2001, CISP is intended to protect Visa cardholder data – wherever it resides – ensuring that members,
merchants, and service providers maintain the highest information security standard.
To protect their own customer information, MasterCard implemented a similar version of data security
requirements called the Site Data Protection (SDP) program in 2002. Both Visa and MasterCard
categorized their merchant base into 4 levels focused primarily on the annual volume of transactions
processed, as shown below.[1]
• Level 1 – any merchant with more than 6,000,000 overall transactions per year, as well as any
merchant who has already experienced an account compromise (Visa and MasterCard);
• Level 2 – any merchant processing 1,000,000 to 6,000,000 overall transactions per year (Visa);
all merchants processing 150,000 to 6,000,000 e-commerce transactions per year (MasterCard);
• Level 3 – any merchant processing 20,000 to 1,000,000 e-commerce transactions per year (Visa);
any merchant processing 20,000 to 150,000 e-commerce transactions per year (MasterCard);
• Level 4 – any merchant processing less than 20,000 e-commerce transactions per year and all
other merchants, regardless of acceptance channel, processing less than 1,000,000 transactions
per year (Visa); all other merchants (MasterCard).
There are also similar levels defined for service providers, or organizations that process, store or transmit
cardholder data for members, merchants or other service providers. The reason for the level categories is
to identify high volume processors who are subject to stricter validation requirements. The basic concept is
that the risk of a data compromise increases proportionately with the volume of transactions processed.
[1] It should be noted that the level definitions also include other criteria in some cases – for specifics regarding Visa
levels, visit http://visa.com/cisp. For specific MasterCard levels, visit
http://www.mastercard.com/us/sdp/merchants/merchant_levels.html
Over time, Visa International and MasterCard Worldwide worked together to align their individual data
security programs and formed a single, industry wide standard for data security in December 2004 known
as the Payment Card Industry Data Security Standard.
In short order, PCI DSS proceeded to be endorsed by American Express, Discover Financial Services,
and JCB (a construction and agricultural equipment manufacturing company), even though some of these
companies also had their own forms of data security standards. Finally, in September 2006 the five major
credit card payment networks announced the formation of an independent body called the PCI Security
Standards Council.[2] Its purpose is to own, maintain and distribute information about PCI DSS to affected
organizations. Advisors to the Council include representatives from well-known companies such as Bank of
America, Wal-Mart, Microsoft and PayPal.
Compliance vs. Validation
All merchants that accept credit cards as a form of payment, and all service providers involved in the
processing of credit card transactions, are required to be compliant with PCI DSS right now! The
fundamental difference between Level 1 and lower level merchants and service providers is the amount of
third-party validation that must be done to meet the certification process. Specifically,
• Level 1 merchants and Levels 1 and 2 service providers must undergo an on-site PCI security
audit on an annual basis.
• Levels 2, 3 and 4 merchants and Level 3 service providers must submit an annual
Self-Assessment Questionnaire and do not require an on-site audit.
• Network scans are required to be completed quarterly by merchants and service providers at all
levels. The only exception here is for Level 4 merchants, where a quarterly network scan is
recommended but not required.
So where do we stand in terms of industry compliance? According to Visa USA President and CEO John
Coghlan, at year end 2006, only about 20 percent of the top 200 merchants were in compliance with the
PCI standards. However, statistics from Gartner predict that by the end of 2007, 75 percent of Level 1
merchants and 30 percent of Level 2 merchants will be compliant.[3] The anticipated increase in compliance
may in part be fueled by the deadlines associated with incentives and fines publicized by Visa at the end of
last year.
[2] To learn more about the PCI SSC, please visit their website at https://www.pcisecuritystandards.org/
[3] http://www.itcinstitute.com/display.aspx?id=4020
Recent Incentives and Penalties Announced by Visa
In December 2006, Visa announced the PCI Compliance Acceleration Program (PCI CAP), offering $20
million in financial incentives as well as new sanctions in an effort to further PCI DSS compliance.[4] In
essence, PCI CAP sets a September 30, 2007 deadline for compliance aimed at Level 1 merchants and a
December 31, 2007 deadline for Level 2 merchants.[5] Noncompliant merchants will face monthly fines of up
to $25,000 and be charged higher interchange rates, which are the commissions they pay on transactions.
(Prior to these new penalties, merchants and service providers were only assessed monetary fines if an
actual data breach occurred.)
Those who can validate compliance by September 30, 2008, however, may qualify for a refund of up to
three months of the higher commissions, but will have to attest that they made strenuous efforts to comply
by the earlier date.
Visa has also stated that it will reward acquiring banks whose members are fully compliant by September
30, 2007 and has set aside $20 million as an incentive. As of mid-August 2007, Visa had already paid out
about $7 million to compliant companies.
[4] http://usa.visa.com/about_visa/press_resources/news/press_releases/nr367.html
[5] “PCI Compliance Deadlines Have Retailers Scrambling”, SearchCIO.com, 09/13/2007.
PCI DSS Requirements
Now that we understand the evolution of PCI DSS and the importance of compliance, let’s take a closer
look at the requirements themselves. Specifically, version 1.1 of the PCI Data Security Standard consists
of 12 high level requirements, further broken down into just over 200 sub-requirements. These
12 high level requirements fall under 6 different principles, as shown below. (Note that PCI DSS version 1.1
and all supporting documentation can be found at www.pcisecuritystandards.org.)
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
These 12 security requirements apply to all “system components”, which are defined as any network
component, server or application that is included in or connected to the cardholder data environment.
Compliance Benefits
PCI DSS is of great benefit to the consumer in terms of protecting their personal information from
unauthorized use or disclosure. Compliance with the standard is also good for companies because a data
breach can be very costly and wreak havoc on a company’s image. Beyond that, implementation of PCI
DSS can actually reduce compliance costs over the long run. That’s because once it’s been implemented,
the rigorous standard instills security best practices across the entire enterprise, which makes it easier and
less expensive to meet new requirements that may be imposed in the future. The concept applies both to
completely new sets of regulations and standards and to potential revisions to PCI DSS.
That being said, achieving and maintaining compliance with this comprehensive standard is not trivial and
is bound to be difficult for many companies.
Achieving PCI DSS Compliance
Similar to complying with other regulations such as Sarbanes-Oxley or HIPAA, compliance efforts are most
successful when they are coordinated with business users and overall corporate objectives. Involving
executive management from the very beginning facilitates corporate support, which is an essential
component of a successful and ongoing compliance strategy.
Implementing the controls necessary to comply with PCI DSS also creates opportunities to improve the
efficiency of business processes which in turn yield increased productivity and cost savings. Another cost
benefit of compliance is that it decreases the likelihood of a data breach, which can be extremely
expensive.
A case in point is the security breach disclosed in January 2007 that impacted the TJX Companies,
based in Framingham, Massachusetts, and resulted in the exposure of more than 45 million credit and debit
card holders over an 18 month period. As of August 2007, the breach had cost TJX more than $250 million.
A large portion of the cost has been related to containing the intrusion, bolstering data security procedures
and systems, notifying customers and responding to an increasing list of lawsuits.[6] Had TJX been
compliant with PCI DSS early on, it’s likely that the breach would not have occurred, or if it did, the
exposure of consumer information would have been minimized.
An important aspect of complying with PCI DSS is the implementation of continuous monitoring. You need
to know, on a 24/7 basis, of any unauthorized attempts to access your critical files. That leads us to the
concept of automated software technology.
Automated Tools - Continuous Monitoring and Real-Time Alerts
PCI DSS Requirement 10, Regularly Monitor and Test Networks, consists of seven first level
sub-requirements. In particular, sub-requirement 10.2 calls for the implementation of automated audit trails for
all system components in order to reconstruct specific events. It couldn’t be clearer – to satisfy this
condition, companies need to utilize automated software technology.
Although technology solutions in the form of automated software tools do require an up-front investment,
they generally render a positive ROI. Beyond that, automated tools also provide consistent, accurate and
reliable monitoring and reporting – something you’ll need to demonstrate compliance to an outside auditor.
Continuous Monitoring and Real-time Alerts
A major advantage of automated software tools is their ability to run 24/7, constantly keeping watch over
your implemented PCI DSS security plan and critical data assets. Continuous monitoring is a vital
component of a sustainable compliance plan.
[6] “Cost of Data Breach at TJX Soars to $256m”, Ross Kerber, The Boston Globe, August 15, 2007.
We recommend that you only consider automated tools that have the capacity to send alerts to you in
real-time when a suspicious security event takes place. Real-time warnings are invaluable to your business
because they allow you to minimize risk exposure and attend to security incidents as they occur. Once
again, consider the TJX data breach that spanned an 18 month period. Had continuous monitoring and
real-time alerts been in place, the company would have known the instant the first unauthorized data
access event occurred and been able to immediately respond with defensive actions.
Continuous auditing is a major trend and since real-time alerting is technologically available today, there’s
no reason not to know about a potentially serious security issue before it’s too late.
In the next section we examine the Tango/04 toolset that is currently in use by many companies worldwide
in support of their compliance strategies.
Tango/04 Solutions for PCI DSS Compliance
The Tango/04 Computing Group[7] is a leading developer of Security and Infrastructure Monitoring,
Reporting and Business Service Management solutions. Its VISUAL Security Suite is a multiplatform
security solution that can easily become a part of your automated processes for achieving sustainable PCI
DSS compliance. As shown in Figure 1 below, VISUAL Security Suite receives audit information from
various sources within your enterprise.
Figure 1 – Overview of VISUAL Security Suite
In line with PCI DSS requirements, its monitoring engine offers agents for your different platforms,
network components, applications, logs and databases. In many cases, the monitors can run remotely
(agentless), reducing deployment time and avoiding interference with other applications.
In addition, each monitor retrieves only the information you are interested in, allowing you to filter out all
irrelevant data. This powerful filtering feature minimizes the monitoring process and keeps overhead down,
resulting in little to no performance impact on your system.
[7] For detailed information about Tango/04, its solutions and customer case studies, please go to www.tango04.com
Full Operating System Level Coverage
The VISUAL Security Suite agents for the System i, Windows, Unix, Linux and AIX can keep track of:
• Changes and access to all files and objects, including financial databases, configuration files,
sensitive information, etc. Specifically, the tracking of:
− Deletes, copies, edits, renames, restores, and read-only access to specific
data
− Unauthorized access attempts
• Authority failures, such as:
− Persistent failed sign-on attempts
− Object access denials
• System configuration changes, such as:
− Creation and modification of user profiles
− System value changes
• Command use, so you can:
− Watch suspicious users
− Monitor use of sensitive commands.
We have a library of standard controls you can leverage based on our experience with many different types
of industries and security projects. However, new, custom checks can easily be added. For instance,
system access times may be well defined at your company, and it is simple to define the time during the
day when a login attempt (even if it is allowed by the operating system) should be considered suspicious.
Other controls can be less direct, but equally important. For example, an unusual increase in storage
occupation or bandwidth consumption can be a symptom of suspicious activity (such as a virus sending
out spam from a compromised workstation). Because VISUAL Security Suite allows you to monitor several
performance indicators in addition to traditional security events, you can define a comprehensive list of
controls.
Please refer to Appendix A for a list of common controls per platform.
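The two custom checks described above (a sign-on that the operating system allowed but that falls outside the company's defined access hours, and persistent failed sign-on attempts), written out as an added example in Python; this is not Tango/04 code, and the log line format, the 07:00 to 19:00 access window and the 3-failures-in-2-minutes threshold are assumptions made for the example.

```python
"""Added example (not VISUAL Security Suite code): two real-time controls over
constructed sign-on audit lines, of the kind described for PCI DSS Requirement 10.

Control 1: a successful sign-on outside the defined access window is suspicious
           even though the operating system permitted it.
Control 2: persistent failed sign-on attempts by one user inside a short window.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample lines (assumed format): "<ISO timestamp> <host> <event> user=<name>"
SAMPLE_LOG = """\
2007-09-14T08:05:12 db01 SIGNON_OK user=alice
2007-09-14T12:31:40 db01 SIGNON_FAIL user=bob
2007-09-14T12:31:55 db01 SIGNON_FAIL user=bob
2007-09-14T12:32:09 db01 SIGNON_FAIL user=bob
2007-09-14T12:32:20 db01 SIGNON_FAIL user=bob
2007-09-14T13:02:00 db01 SIGNON_FAIL user=carol
2007-09-14T23:47:03 db01 SIGNON_OK user=alice
"""

# Assumed policy: interactive sign-ons are expected between 07:00 and 19:00.
ACCESS_WINDOW = (time(7, 0), time(19, 0))
# Assumed threshold: 3 or more failures by the same user within 2 minutes.
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one sample log line into a dict with ts, host, event and user."""
    ts, host, event, user_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "event": event,
        "user": user_field.split("=", 1)[1],
    }


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def off_hours_signons(events, window=ACCESS_WINDOW):
    """Control 1: successful sign-ons whose time of day is outside the window."""
    start, end = window
    return [e for e in events
            if e["event"] == "SIGNON_OK" and not (start <= e["ts"].time() < end)]


def persistent_failures(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Control 2: users reaching `threshold` failures inside a sliding time window.

    Returns {user: timestamp of the failure that crossed the threshold}; each user
    is reported once, at the moment the condition first becomes true.
    """
    recent_by_user = defaultdict(list)
    alerts = {}
    for e in events:
        if e["event"] != "SIGNON_FAIL":
            continue
        recent = recent_by_user[e["user"]]
        recent.append(e["ts"])
        # Forget failures that are older than the window relative to this one.
        while recent and e["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold and e["user"] not in alerts:
            alerts[e["user"]] = e["ts"]
    return alerts


def run_controls(text):
    """Evaluate both controls and return the alert texts a real-time alert would carry."""
    events = parse_log(text)
    alerts = []
    for e in off_hours_signons(events):
        alerts.append(f"OFF_HOURS_SIGNON user={e['user']} host={e['host']} at {e['ts'].isoformat()}")
    for user, ts in persistent_failures(events).items():
        alerts.append(f"PERSISTENT_SIGNON_FAILURE user={user} at {ts.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in run_controls(SAMPLE_LOG):
        print(alert)
```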
Databases, Web 2.0 Enablers and other Middleware
VISUAL Security Suite can extract information from and continuously audit several databases and middleware
such as Web Application Servers, including the IBM WebSphere Application Server. Platform-specific
controls can be set. Log files can be scraped, formatted, and correlated in real time from several sources.
Different adapters (WMI, JMX, SNMP, syslogs, text files, message queues, etc.) are also available to
maximize the integration capabilities.
Record-level and Field-level Database Auditing
The Data Monitor module captures all Changes, Inserts, Deletions and Reads to files you specify so you
know Who, What, When and How. This is exactly the level of detail you need to help you comply with PCI
DSS requirements 10.2 (Implement automated audit trails for all system components to reconstruct events)
and 10.3 (Record specified audit trail entries – such as user identification, type of event and date and time
of event – for all system components for each event). Specifically, Data Monitor provides you with
record-level audit data for each transaction including:
• Type of event such as update, insert, delete or read
• Before and after image of record changed, clearly indicating the changed fields
• User that made the change (including the real user in application transactions)
• Timestamp
• Context data and platform specific information (such as the name of the application for SQL
Server and library/program for DB2 on the System i).
With this level of visibility, you’re able to keep all users (including database administrators and privileged
users) under control by tracking every action to your sensitive files. As the control is done at the database
level, it doesn’t matter where the change came from or which tool had been used to make the change. In
addition, the before and after images of record changes allow you to revert a change back to its original
value when necessary.
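The record-level audit entry just described (event type, before and after images with the changed fields, the real user behind the change, a timestamp and platform context) and the revert it makes possible, as an added example in Python; this is not Data Monitor code, and the account table, its field names and the "APPSVC"/"jsmith" users are constructed for the example.

```python
"""Added example (not Tango/04 code): building the record-level audit entry that
PCI DSS 10.3 asks for, computing the changed fields from before/after images, and
reverting an audited UPDATE from its before image."""
from datetime import datetime, timezone

EVENT_TYPES = {"UPDATE", "INSERT", "DELETE", "READ"}


def changed_fields(before, after):
    """Return {field: (old, new)} for every field whose value differs between images."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


def audit_entry(event, before, after, db_user, real_user, ts, context=None):
    """Build one audit-trail record.

    db_user   is the login the database saw (often a shared application account);
    real_user is the application end user behind that login, which is what an
              auditor needs to attribute the action to a person.
    """
    if event not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event!r}")
    return {
        "event": event,
        "timestamp": ts.isoformat(),
        "db_user": db_user,
        "real_user": real_user,
        "before": dict(before) if before else None,
        "after": dict(after) if after else None,
        "changed": changed_fields(before or {}, after or {}),
        "context": dict(context or {}),
    }


def revert(current_record, entry):
    """Undo an audited UPDATE by restoring the before image of the changed fields only.

    Refuses when the record no longer matches the entry's after image, because a
    later change would otherwise be silently overwritten.
    """
    if entry["event"] != "UPDATE":
        raise ValueError("only UPDATE entries can be reverted with this helper")
    for field, (_old, new) in entry["changed"].items():
        if current_record.get(field) != new:
            raise RuntimeError(f"field {field!r} changed after the audited update; refusing to revert")
    reverted = dict(current_record)
    for field, (old, _new) in entry["changed"].items():
        reverted[field] = old
    return reverted


# Constructed sample: a cardholder account record whose credit limit was raised.
BEFORE = {"account_id": 1042, "credit_limit": 5000, "status": "ACTIVE"}
AFTER = {"account_id": 1042, "credit_limit": 50000, "status": "ACTIVE"}
ENTRY = audit_entry(
    "UPDATE", BEFORE, AFTER,
    db_user="APPSVC",                      # shared application login (constructed)
    real_user="jsmith",                    # end user inside the application (constructed)
    ts=datetime(2007, 9, 14, 10, 15, 30, tzinfo=timezone.utc),
    context={"platform": "SQL Server", "application": "accounts.exe"},
)

if __name__ == "__main__":
    print(ENTRY["changed"])       # {'credit_limit': (5000, 50000)}
    print(revert(AFTER, ENTRY))   # credit_limit back to 5000
```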
Third Party Security Products, Network Appliances and Device Integration
VISUAL Security Suite can monitor, correlate, inspect and immediately alert you about any log file, regardless
of where it resides and the application that has produced it. In addition, it is easy to centralize the control of
all dispersed information, effectively monitoring the activity of network devices such as routers, switches,
firewalls, and so on. Third party applications such as Intrusion Detection/Prevention Systems, antivirus
products, vulnerability scanners, Virtual Private Networking (VPN), and the like, can also be easily
integrated.
Business Application Monitoring
One area where most security products fail is the ability to extract relevant security information from
different business applications. Home grown applications are particularly difficult for most products.
However, as your level of maturity increases, there is a strong need to go from basic audit controls on
operating systems and equipment to business-level controls. VISUAL Security Suite can help you to
automate the control of your existing applications. It includes a universal log reader (Applications Agent)
which can read virtually any log at blazing speed. By using advanced BNF (Backus Normal Form) grammar
definitions that can be created and modified easily, integration of practically any application events can be
done in real time. In other cases, instead of text files, application security logs and events are stored in data
tables, which can easily be integrated with the VISUAL Security Suite Data Adapter.
When more complex business-level controls are required (such as changes to dormant accounts in banks,
excessively discounted sales, or other domain specific checks), Data Monitor can be a perfect tool to
inspect every single one of millions of transactions in real time. Integrity checks can be placed to make sure
no unauthorized changes are made from outside the applications, bypassing the applications’ own integrity
controls.
Examples of business applications that can be monitored with VISUAL Security Suite include SAP R/3,
Siebel, JD Edwards, SWIFT, legacy (RPG/COBOL), and practically any custom application running in any
environment, from mainframes to standalone desktop workstations. Modern Java applications can also be
monitored by using JMX (Java Management Extensions) technology.
The information presented in this section is merely a subset of the kind of audit data you can collect with
VISUAL Security Suite. Please refer to Appendix A for a more complete listing by platform.
VISUAL Security Suite Output
Once the audit information you specify has been collected, it can be accessed and presented to you in a
variety of ways:
• Business and Enterprise views
• Real-time alerts
• Automated actions
• Reports
Let’s examine each one of these output mechanisms.
Business and Enterprise Views
One of the key features of VISUAL Security Suite is that it allows you to centrally manage your security
paradigm by consolidating events across all platforms in a single view. This is accomplished using the
VISUAL Security Suite SmartConsole, shown below in Figure 2.
Figure 2 – The SmartConsole
Within the SmartConsole, the left most pane contains your business view as a series of hierarchical
folders that are color coded to quickly draw your attention to important events. Although a default security
configuration is shipped with VISUAL Security Suite, you are free to customize this view to best fit your
corporate needs.
Note that the folders under the iSeries and Windows Security branches are green, indicating no imminent
issues. However, there is a problem with the Infrastructure node as indicated by the red folder. Expanding
any of the folders and then double clicking on the problem node will reveal underlying messages pertaining
to the issue. These related messages contain detailed information about the problem and many soft-coded
variables that can be passed to messages sent via email or to your cell phone.
The uppermost right pane in Figure 2 summarizes your business services and the pane below it identifies
the most probable root cause of the failure. Although this figure shows both security and infrastructure
configurations, you can install the security portion alone and either grow into infrastructure monitoring at a
later date or continue to use whatever infrastructure monitoring you may already have in place.
In addition to business views, security information can also be presented in an enterprise view or
dashboard accessible through the web. Enterprise views can be especially useful for CISOs who need a
high-level glimpse of current security status but not the underlying details provided by the SmartConsole.
Figure 3 below presents a sample enterprise view of a sample compliance scenario.
Figure 3 – Sample Enterprise View of a Compliance Scenario
Similar to the business view shown in Figure 2, the color of the icons provides visual information regarding
status. For instance, at a high level you can quickly see there is a problem with the System i because its
icon is red. The detail shown to the right under System i indicates a potential problem with Object Access
because its icon is yellow. Double-clicking on any icon allows you to drill down for specific information
about the problem.
Real-time Alerts
Besides visual notification, with VISUAL Security Suite you can also define alarms and actions to send
alerts regarding urgent situations in real-time. These alerts can take various forms such as email, SMS
messaging, sound or video. Having real-time access to your security information facilitates
compliance with PCI DSS and minimizes exposure if a malicious security event occurs, such as an
unauthorized user accessing your credit card files. Being notified the instant a suspicious activity
occurs gives you total control - even if the incident occurs after hours or over the weekend.
Automated Actions
In addition to real-time alerts, VISUAL Security Suite can be configured to automatically respond to events
that you define. For example, if a user changes a critical system setting, VISUAL Security Suite can send
you a real-time alert and also initiate predefined actions such as reverting the system setting back to its
original value, ending the user’s job and disabling his/her user profile to prevent further malicious actions.
Compliance Reports
VISUAL Security Suite includes a robust reporting system so you can perform forensic analyses, review
events against security policies and comply with regulations and standards such as PCI DSS. We ship over
200 built-in reports to provide you with all the information you’ll need to satisfy your auditors. Figure 4
below shows a segment of the reporting system in addition to the data selection parameters for one of the
reports.
Figure 4 – Segment of the Reporting System and Sample Data Selection Screen
It’s worth noting that our built-in reports can be customized so you can create your own sub-report versions.
Furthermore, reports can be generated in different formats such as .pdf, .xls, .doc, .html and can also be
scheduled and automatically emailed to the appropriate stakeholders.
A sample report depicting User Inactivity on the Windows platform is shown below in Figure 5. This
particular report will help you to meet PCI DSS requirement 8.5.5, which states that you should remove
inactive user accounts at least every 90 days.
Figure 5 – Windows User Inactivity Report
As indicated in Figure 5, our report shows users defined on a particular domain, the number of days they
have been inactive and whether or not their profile is enabled. By running this report you can identify users
who have not signed on for 90 days (or any time period) and take appropriate action. A similar report is
also available for the System i.
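The inactivity check behind a report like Figure 5, as an added example in Python (not Tango/04 code): it takes a constructed CSV export of domain users carrying the same three facts the report shows (user name, last logon, profile enabled) and lists the accounts due for action under PCI DSS 8.5.5, including accounts that never signed on.

```python
"""Inactive-account check in the spirit of PCI DSS requirement 8.5.5.

Added example, not Tango/04 code. It works on a constructed CSV export of
domain users carrying the three facts the Windows User Inactivity Report
shows: user name, last logon timestamp and whether the profile is enabled.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

INACTIVITY_LIMIT_DAYS = 90  # the period PCI DSS 8.5.5 names

# Fixed "as of" instant so the sample results are reproducible (constructed).
AS_OF = datetime(2007, 6, 30, tzinfo=timezone.utc)

# Constructed sample export; an empty last_logon means the account never signed on.
SAMPLE_EXPORT = """name,last_logon,enabled
jsmith,2007-06-29T08:12:00Z,true
svc_backup,2007-02-01T02:00:00Z,true
mlee,2007-03-31T17:45:00Z,true
tjones,,true
old_contractor,2006-11-10T09:00:00Z,false
"""


@dataclass
class UserRecord:
    name: str
    last_logon: Optional[datetime]  # None: no logon ever recorded
    enabled: bool


@dataclass
class Finding:
    name: str
    days_inactive: Optional[int]  # None: never signed on
    enabled: bool
    action: str


def parse_export(text: str) -> List[UserRecord]:
    """Parse the CSV export into UserRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_logon"].strip()
        last = None
        if raw:
            last = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        enabled = row["enabled"].strip().lower() == "true"
        records.append(UserRecord(row["name"].strip(), last, enabled))
    return records


def days_inactive(rec: UserRecord, as_of: datetime) -> Optional[int]:
    """Whole days since the last logon, or None when there never was one."""
    if rec.last_logon is None:
        return None
    return (as_of - rec.last_logon).days


def inactive_accounts(records: List[UserRecord], as_of: datetime = AS_OF,
                      limit_days: int = INACTIVITY_LIMIT_DAYS) -> List[Finding]:
    """Return the accounts that are due for removal or disabling.

    An account is reported when it has been inactive for limit_days or longer
    (the boundary counts as due, so nothing slips past the 90-day mark) or when
    it has never signed on at all. Disabled accounts are still listed, because
    8.5.5 asks for removal, not only disabling.
    """
    findings = []
    for rec in records:
        days = days_inactive(rec, as_of)
        if days is not None and days < limit_days:
            continue  # signed on within the window: nothing to do
        if not rec.enabled:
            action = "already disabled: confirm removal"
        elif days is None:
            action = "never signed on: review, then disable or remove"
        else:
            action = "disable or remove"
        findings.append(Finding(rec.name, days, rec.enabled, action))
    return findings


def render_report(findings: List[Finding]) -> str:
    """Plain-text report with the same columns as the Figure 5 report."""
    fmt = "%-16s %-14s %-8s %s"
    lines = [fmt % ("User", "Days inactive", "Enabled", "Action")]
    for f in findings:
        days = "never" if f.days_inactive is None else str(f.days_inactive)
        lines.append(fmt % (f.name, days, "yes" if f.enabled else "no", f.action))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(inactive_accounts(parse_export(SAMPLE_EXPORT))))
```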
Figure 6 below presents a segment of a Data Monitor report showing detailed information about a data
record change. As indicated, Data Monitor can capture and report the date and time of a file access, the
type of access (read, update, insert, deletion, etc.), the actual user and even the before and after images of
the accessed data record.
Figure 6 – Data Monitor Report Segment
As shown in Figure 6 you can even instruct Data Monitor to hide sensitive field values in the generated
reports, such as Social Security or credit card numbers. This feature is essential in order to ensure and
protect the privacy of consumer information.
The Data Monitor module also has many other advanced features including the ability to:
• Select the files you want to monitor and even particular fields within those files;
• Select particular users or user groups to monitor;
• Store your audit data on a different LPAR or platform which might be more secure or where
storage space is less expensive;
• “Enrich” the audit data so, for instance, an account number can appear as a customer name on
your reports, making them easier to read;
• Include information on your reports that is not stored in the journal such as user group or class.
Ease of Use
VISUAL Security Suite is fast to deploy and easy to use, so you can immediately begin to monitor and
protect your corporate assets as soon as you install the product. We offer Professional Services to help you
configure business views, real-time alerts and automated actions to meet your specific compliance needs.
We also train your designated staff so they can add additional controls as you need them due to changes
in regulations or in your corporate environment.
Because the SmartConsole component allows you to centralize the management of your security controls
across platforms, within a single view, your security staff will be highly productive as they maintain the
integrity of your compliance plan.
Complete Coverage for the System i
As a Premier IBM Business Partner, Tango/04 provides the most complete functionality on the market for
auditing System i security environments. With more than 15 years' experience on this platform, Tango/04
works directly with IBM laboratories in Rochester, Minnesota to take advantage of new i5 technology
developments. We continuously invest in improvements and support for the latest versions of i5/OS in
order to offer you the best solution on the market. (Refer to Appendix A for more information regarding our
technology alliance with IBM.)
Tango/04 Solutions and the PCI DSS Requirements
The twelve high level requirements of PCI DSS are broken down into numerous sub-requirements totaling
just over 200 individual items for which you must demonstrate compliance. Although achieving sustainable
compliance can be quite challenging, the burden can be significantly eased with the use of our
multiplatform, real-time security solution. Having the ability to consolidate events from different platforms
into a single view through the SmartConsole will also simplify your compliance efforts and help you to be
more productive. For specific details regarding the manner in which we meet many of the PCI DSS
requirements, please refer to Appendix B.
Valid for Cross Compliance
We understand that many companies today are subject to multiple regulations such as PCI DSS, SOX,
HIPAA and GLBA. Although the details of complying with each of these mandates differ, they all share
common objectives. That is, the intent of these regulations is to protect consumers, shareholders and
patients from the disclosure of private information and from financial misstatements. The Tango/04 security
solution aptly supports this intent by providing you with the capabilities of real-time alerts, automated
actions, visual status displays by PC or web, monitoring of data changes at the field level and overall
abundant reporting. When used together, these aspects of our solution are very powerful and can be easily
implemented at your company to help you successfully comply with multiple regulations.
Extendability
One of the best parts about the Tango/04 solution suite is that you can implement it in a step-by-step
fashion. Start with your most critical platform and begin to define the security controls you need to monitor
and report on. Because our solution is so easy to use, you’ll find that once you’ve defined a business view
and associated it with alarms and actions, it’s a snap to define other security views.
Although VISUAL Security Suite can be used exclusively as a security compliance solution, it shares a
number of modules and agents with VISUAL Message Center, Tango/04’s solution for IT infrastructure
monitoring and Business Service Management (BSM). This concept allows you to expand the scope of the
solution in a progressive fashion over time as shown in Figure 7.
Figure 7 – Extend the Tango/04 Security Solution to Infrastructure and BSM (diagram labels: Security,
BSM/SLM, Applications Management, Infrastructure, Security, BSM, Operations)
It also allows you to create dashboards in order to visualize the impact of security problems on your
different business applications. Integrating IT with business operations will not only facilitate corporate
support for your compliance activities, but will also help your company function more efficiently as a whole.
As various departments work together, increases in productivity are achieved, resulting in overall cost
reductions.
Maximize Your Return on Investment
Because Security, Infrastructure and BSM all share the same concepts in terms of installation,
configuration and training time, your initial investment can be reused to monitor the status of services,
SLAs, user experience and application availability. Security administrators, auditors and operation
managers can all have different views of the SmartConsole to focus in on what they need to know. In
essence, you have one console with many possibilities at your finger tips.
Summary
If you’ve read this far, it’s likely that you’re required to comply with PCI DSS and are looking for ideas on
how best to do so. Clearly, you need to develop a compliance paradigm that’s comprehensive, sustainable
and does not overburden your staff or your corporate bank account. While you’re at it, you might as well
define a strategy that will benefit your company beyond compliance requirements. Namely, you want to
develop a security plan that not only satisfies your auditing requirements but one that also provides the
added benefits of increased productivity and overall cost reduction.
Multiplatform Cross Compliance
The Tango/04 security solution can assist you in attaining sustainable compliance across multiple
regulations and standards. With our built-in real-time alerting capability, you’ll not only meet mandated PCI
DSS requirements but you will also have instant awareness of the efficacy of your security plan. This
enables you to address problems as they occur, before they propagate and when they are easiest to fix.
With our multi-platform capabilities, we can consolidate security information across your enterprise in a
single view, greatly simplifying the task of assessing compliance. Our rich reporting feature will also help
you to satisfy the needs of your external auditor as you demonstrate compliance year after year.
Field Proven in Different Industries
The Tango/04 security solution is fast to deploy, easy to use and field proven. We have over one thousand
customers across the globe and our technology has been adopted by 7 of the 18 largest banks in the
world. In fact, Henry Schein Inc. – a Fortune 500 distributor of healthcare products with global operations
based in Melville, NY – is just one of our customers to effectively meet compliance obligations year after
year using VISUAL Security Suite. Our customer base also includes a number of well known enterprises
such as BankBoston, CocaCola, Dole Fresh Fruit, Pfizer, Shell, Office Depot and Nike.
Unique Extensibility
Beyond security auditing, our software also offers infrastructure monitoring, application monitoring and
business service management, so you can continue to align IT with the business side of the house using a
single software solution. The beauty of our solution is that you can implement additional controls and
functions in a stepwise manner and at your own pace.
Consider the Tango/04 family of solutions to help you achieve your compliance goals, protect your
corporate assets and facilitate business management. As you continue to grow into the Tango/04 solutions
you will increase productivity levels and save money over time.
Appendix A – Tango/04 Security Solutions
VISUAL Security Suite: List of Controls
As previously discussed and illustrated, VISUAL Security Suite can collect auditing information from
multiple platforms and make it available for you to filter and analyze within a single console. Below is a
summary of the types of events we can monitor by platform:
System i:
• System access
• Profile and user activity or inactivity
• Adopted security
• Sensitive commands
• Object access
• System values
• Spool files
• Any type of log such as QSYSOPR, QHST or system audit log
• Use of service
• Message queues
• Invalid logins
• Inactive users
DB2 UDB:
• Use of special editing tools (e.g. DFU, STRSQL)
• Exit point control
• SQL statement level auditing
• File access at record level
Windows:
• Changes in auditing configuration, privileges, directory services, domain policies…
• Complete event log monitoring (real-time)
• Auto control of logs with any format
• Control of Active Directory, IIS, firewall service, Exchange, Citrix, remote systems access…
• Changes to system folders
SQL Server:
• Instance status
• Changes to roles and users
• Transaction log
• Connections and access
• SQL statements
• Locks
• Table auditing (field level)
• Objects
• Errors
• Windows processes
• Suspicious processes
Oracle:
• SQL statements run by SYSDBA
• User SQL statements
• Role and user monitoring
• Critical processes
• Special permissions
• Relevant users
• Table auditing (field level)
• Super user activity
• Authentication
• Log monitoring
Linux, UNIX, AIX:
• Complete verification of syslogs (real-time)
• Changes made to system configuration
• Control of super users
• Invalid logins
• Changes to folders/objects
• Changes in privileges and user accounts
• Change in security policies
• Sensitive command management
Beyond platform-specific abilities, a full array of other third-party products, including middleware, network
equipment, appliances, firewalls, IDS, antivirus systems, etc. can also be integrated easily. Business
application logs can be monitored in real time, and custom business-specific controls are easy to create
and maintain. Overall, Tango/04 offers the most comprehensive security solution on the market.
Tango/04 Solutions Offer Extensive Coverage for the System i
Although our security solutions are multi-platform capable, it’s important to stress our strength on the i5
platform for those of you that manage System i centric shops. Tango/04 is a Premier IBM Business Partner
and key member of IBM’s Autonomic Computing initiative. In addition to receiving industry recognition on
numerous occasions, our solutions have been validated by IBM and designated as IBM ServerProven.
Other associations we have with IBM include:
• IBM PartnerWorld for Developers (Advanced Member)
• IBM ISV Advantage Agreement
• IBM OS Early Code Release member
• IBM ServerProven Solution Provider
Technology Alliances outside of IBM
In addition to our strong ties to IBM, the success of our solution also relies on the working relationships we
have with other platform providers. These include:
• Microsoft Developer Network (MSDN)
• Microsoft Early Code Release member
• Red Hat Linux Partner
Professional Services
We provide top notch professional services to help you install and configure our products across your
critical platforms to meet your specific security needs. We’ll work together with your staff to add the precise
controls you need in order to achieve compliance year after year. We’re not happy with any implementation
unless you are completely satisfied.
In fact, since 2004 we’re proud to say that all of our projects for security, data protection and operations
monitoring have been implemented on time and with full customer satisfaction. The loyalty and high rate of
customer satisfaction is one of the best guarantees we can offer you.
"Tango/04 pre-sale activities, post-sale implementation and support services exceeded our expectations.
The Tango/04 employees are intelligent, helpful, funny, patient and honest. The training they provided was
outstanding."
David Dresdow, Team Leader, JDEdwards System Administration, Stora Enso
Appendix B – PCI DSS Requirements
PCI DSS is a private industry standard applicable to organizations that store, process or transmit credit
card information. The intent of the standard is to protect consumers by offering a single approach to
safeguarding sensitive data for all credit card brands.
The standard consists of 12 high-level requirements as depicted in Table 1.
Table 1 : PCI DSS Requirements
1. Install and Maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Each high level requirement is broken up into a number of detailed sub-requirements leading to a total of
just over 200 individual checklist items. In practical terms, compliance simply cannot be achieved without
the help of automated software technology. The Tango/04 security solution set can easily be used to
support your PCI DSS compliance efforts. Our multi-platform, real-time technology is especially strong in
helping you comply with Requirement 10. That being said, our solution can also be used to facilitate
compliance with many of the other requirements as described in the remainder of this appendix where we
present a mapping of our solution to specific PCI DSS requirements.
Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Detailed Description of top level requirement:
Firewalls are computer devices that control computer traffic allowed into and out of a company’s network,
as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all
network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from the Internet, whether entering the system as
e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access.
Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key
systems. Firewalls are a key protection mechanism for any computer network.
Tango/04 Solution: Although our technology is not a firewall solution, we can help you support this
requirement because VISUAL Security Suite can monitor logs and alerts coming from many system
components including firewalls (in addition to antivirus software, IDS, applications, web servers and
network devices). Events are sent to a centralized console where they are consolidated into a single view
for further analysis. Beyond that we provide you with the ability to generate real-time alerts when a
suspicious event occurs so you can take immediate action on the problem at hand. Our technology
additionally includes the ability to perform actions (such as disabling a user at once from several platforms
and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can
be handled automatically.
Requirement 2: Do not use vendor supplied defaults for system passwords and other security
parameters
Detailed Description of top level requirement:
Hackers (external and internal to a company) often use vendor default passwords and other vendor default
settings to compromise systems. These passwords and settings are well known in hacker communities and
easily determined via public information.
Sub-requirement 2.2.3 Configure system security parameters to prevent misuse
Tango/04 Solution: Once system settings have been defined, VISUAL Security Suite can monitor those
values and alert appropriate personnel in real-time when changes are made. Information concerning
security policy exceptions is consolidated and presented in the Tango/04 console for quick visual
identification. Color coding is possible to immediately attract attention according to the impact of the
problem. Our technology also includes the ability to perform automatic actions (such as disabling a user at
once from several platforms and domains, modifying a system setting, or ending a process) when an alert
is generated so incidents can be handled immediately, minimizing risk.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Detailed Description of top level requirement:
Encryption is a critical component of cardholder data protection. If an intruder circumvents other network
security controls and gains access to encrypted data, without the proper cryptographic keys, the data is
unreadable and unusable to that person. Other effective methods of protecting stored data should be
considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not
storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed
and not sending PAN in unencrypted e-mails.
Tango/04 Solution: Although we do not provide data encryption, we strongly support this top-level
requirement in general by providing layers of defense that surround your critical data files. For example, our
technology provides you with object access control by monitoring file reads, deletes, insertions, changes,
restores and renames regardless of the platform or form in which the data is stored (e.g. database or
spreadsheet). We also monitor object access denials so you know if a user has attempted to get to
sensitive information such as cardholder data. In addition, we audit changes to file security itself, so you’ll
know if someone has modified the list of users who have authority to the file.
If any of these events occur, we can alert you in real-time so that you’re able to immediately attend to the
potential security infraction. Along with alerts we can also execute automatic actions, such as disabling a
user profile or ending their job in order to minimize risk and potential exposure while you execute other
defensive measures.
In many cases, malicious access or updates to your data occurs by an actual employee – someone who
has been recognized as an authorized user. If this occurs, our solution has the ability to provide you with
“who, what, when, how and where” type of information in addition to the before and after images of the data
change.
Multiple layers of defense such as these significantly add strength to the protection of your cardholder data.
Sub-requirement 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number
of digits to be displayed).
Tango/04 Solution: This requirement is easily satisfied with the use of our Data Monitor module which
tracks changes to critical files at the field level. Data Monitor has the capacity to hide sensitive fields within
generated reports as shown in Figure 8.
Figure 8 – Data Monitor Report Segment
During configuration, as you define the sensitive files you wish to audit, you simply indicate the fields within
those files that you do not want to display.
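The two Data Monitor capabilities described on this page, before/after images of a record change (Figure 6) and hiding of sensitive field values in the report (Requirement 3.3), shown together as an added Python example that is not Tango/04 code. Field names, the per-field policy and the sample record are constructed; masking keeps at most the first six and last four digits of a PAN and masks everything else.

```python
"""Field-level change audit with sensitive-field hiding (PCI DSS 3.3).

Added example, not Tango/04 Data Monitor code. Given the before and after
images of a data record, it lists the changed fields and applies a per-field
policy: "mask" keeps at most the first six and last four digits of a PAN,
"hide" suppresses the value altogether. Field names and values are constructed.
"""
import re
from typing import Dict, Optional

DIGIT = re.compile(r"\d")
PAN_MIN_DIGITS, PAN_MAX_DIGITS = 13, 19  # plausible PAN lengths
MAX_LEAD, MAX_TRAIL = 6, 4               # the 3.3 ceiling on visible digits


def mask_pan(value: str, keep_first: int = MAX_LEAD, keep_last: int = MAX_TRAIL) -> str:
    """Mask the digits of a PAN, leaving separators (spaces, dashes) in place.

    The caller may ask for fewer visible digits but never more than 3.3 allows.
    Anything that does not look like a PAN by length is masked completely, so a
    misconfigured field cannot leak digits.
    """
    keep_first = min(keep_first, MAX_LEAD)
    keep_last = min(keep_last, MAX_TRAIL)
    total = len(DIGIT.findall(value))
    if not PAN_MIN_DIGITS <= total <= PAN_MAX_DIGITS:
        return DIGIT.sub("*", value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            visible = seen < keep_first or seen >= total - keep_last
            out.append(ch if visible else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact(field: str, value: Optional[str], policy: Dict[str, str]) -> Optional[str]:
    """Apply the configured policy for one field; unlisted fields pass through."""
    if value is None:
        return None
    rule = policy.get(field)
    if rule == "hide":
        return "<hidden>"
    if rule == "mask":
        return mask_pan(value)
    return value


def audit_change(before: Dict[str, str], after: Dict[str, str],
                 policy: Dict[str, str], user: str, when: str, source: str) -> dict:
    """Build a report entry: who, when, how, and before/after images of every
    field that differs. Comparison is done on the raw values, so a change inside
    the masked part of a PAN is still reported even though both redacted images
    look alike."""
    changes = {}
    for field in sorted(set(before) | set(after)):
        old, new = before.get(field), after.get(field)
        if old != new:
            changes[field] = {"before": redact(field, old, policy),
                              "after": redact(field, new, policy)}
    return {"user": user, "timestamp": when, "access": "update",
            "source": source, "changes": changes}


# Constructed sample: a card record where the limit is raised and an expiry added.
POLICY = {"PAN": "mask", "SSN": "hide"}
BEFORE = {"CUSTNO": "10045", "PAN": "4111 1111 1111 1111", "LIMIT": "5000",
          "SSN": "123-45-6789"}
AFTER = {"CUSTNO": "10045", "PAN": "4111 1111 1111 1111", "LIMIT": "9000",
         "SSN": "123-45-6789", "EXP": "12/09"}

if __name__ == "__main__":
    entry = audit_change(BEFORE, AFTER, POLICY, user="JSMITH",
                         when="2007-06-30T10:15:00Z", source="STRSQL")
    for field, images in entry["changes"].items():
        print(field, images["before"], "->", images["after"])
```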
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Detailed Description of top level requirement:
Many vulnerabilities and malicious viruses enter the network via employees’ e-mail activities. Anti-virus
software must be used on all systems commonly affected by viruses to protect systems from malicious
software.
Sub-requirement 5.2: Ensure that all anti-virus mechanisms are current, actively running, and capable of
generating audit logs.
Tango/04 Solution: Although our technology is not an anti-virus solution, we can help you support this
requirement because VISUAL Security Suite can monitor logs and alerts coming from many system
components including antivirus software (in addition to firewalls, IDS, applications, web servers and
network devices). Events are sent to a centralized console where they are consolidated into a single view
for further analysis. Beyond that we provide you with the ability to generate real-time alerts when a
suspicious event occurs so you can take immediate action on the problem at hand. Our technology
additionally includes the ability to perform actions (such as disabling a user at once from several platforms
and domains, modifying a system setting, or ending a process) when an alert is generated so incidents can
be handled automatically.
Requirement 6: Develop and maintain secure systems and applications
Detailed Description of top level requirement:
Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these
vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently
released, appropriate software patches to protect against exploitation by employees, external hackers, and
viruses. Note: Appropriate software patches are those patches that have been evaluated and tested
sufficiently to determine that the patches do not conflict with existing security configurations. For in-house
developed applications, numerous vulnerabilities can be avoided by using standard system development
processes and secure coding techniques.
Sub-requirement 6.3: Develop software applications based on industry best practices and incorporate
information security throughout the software development life cycle.
6.3.2 Separate development, test and production environments
6.3.3 Separation of duties between development, test and production environments
Tango/04 Solution: The intent of these sub-requirements is to prevent developers from making changes
and installing them directly in the production environment. VISUAL Security Suite can help you support
these requirements because we are able to monitor user activity such as access to applications and
command usage, including SQL statements executed. Along those same lines, we can also audit the
movement of objects and programs from one environment to another, verifying that the promotion was
done by an authorized user. We can also monitor object access such as a user reading or updating a
critical data file. The ability to identify who is accessing what files helps you to maintain separation of
duties, by making sure that users are not inappropriately updating information that doesn’t correspond to
their job role.
If the policy you define regarding separation of duties is not followed, we can issue real-time alerts to
enable you to take immediate action.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Detailed Description of top level requirement:
This requirement ensures critical data can only be accessed by authorized personnel.
Sub-requirement 7.1 Limit access to computing resources and cardholder information only to those
individuals whose job requires such access.
Sub-requirement 7.2 Establish a mechanism for systems with multiple users that restricts access based
on a user’s need to know and is set to “deny all” unless specifically allowed.
Tango/04 Solution: Our technology is extremely capable in this area because access as well as
modifications to critical data files on several platforms can be monitored and reported on. Specifically, our
technology provides you with object access control by monitoring file reads, deletes, insertions, changes,
restores and renames regardless of the platform or form in which the data is stored (e.g. database or
spreadsheet). We also monitor object access denials so you know if a user has attempted to get to
sensitive information such as cardholder data. If any of these events occur, we can alert you in real-time so
that you’re able to immediately attend to the potential security infraction. Along with alerts we can also
execute automatic actions, such as disabling a user profile or ending their job in order to minimize risk and
potential exposure while you execute other defensive measures.
In many cases, malicious access or updates to your data are carried out by an actual employee –
someone who has been recognized as an authorized user. If this occurs, our solution has the ability to
provide you with detailed tracking information including “who, what, when, how and where” in addition to
the before and after images of the data change. As the control is done at the database level, it doesn’t
matter where the change came from or which tool was used to make the change. Real-time alerts can
also be triggered when data files are inappropriately read or modified so you can react immediately to
unauthorized data access attempts.
Requirement 8: Assign a unique ID to each person with computer access
Detailed Description of top level requirement:
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data
and systems are performed by, and can be traced to, known and authorized users.
Sub-requirement 8.5: Ensure proper user authentication and password management for non-consumer
users and administrators on all system components as follows:
8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other
identifier objects
8.5.5 Remove inactive user accounts at least every 90 days
Tango/04 Solution: Continuous user profile monitoring and regularly scheduled reporting allow easy
tracking of user accounts and access rights for your users. Procedures to keep authentication and access
mechanisms in check include ongoing monitoring of user profile creation, deletion, changes to user profiles,
and management of passwords. User activity such as log-ins and access to applications is also audited.
Access right rules can be enforced using simple rules (IP address filtering) or complex custom rules (such
as automatically holding the user processes of a profile belonging to an employee currently on vacation
until the incident has been investigated). Event correlation can cross-check authentication events from
different sources, for example an application log-on with no matching operating system sign-on.
Real-time alerts can be raised when a suspicious event occurs (such as the granting of special authority
to an existing user profile), and built-in reports can be run to provide user activity information to the
appropriate management personnel.
8.5.9 Change user passwords at least every 90 days
8.5.10 Require a minimum password length of at least seven characters
8.5.11 Use passwords containing both numeric and alphabetic characters
8.5.12 Do not allow an individual to submit a new password that is the same as any of
the last four passwords he or she has used
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six
attempts
8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter
the password to re-activate the terminal
Tango/04 Solution: On the System i, sub-requirements 8.5.9 through 8.5.15 all correspond to system
value settings, which are easily monitored with VISUAL Security Suite. When any of these settings is
changed we can alert the appropriate personnel in real time and also perform automatic actions (such as
disabling a user at once on several platforms and domains, modifying a system setting, or ending a
process) so the incident is handled immediately.
On Windows and most Unix/Linux platforms, our technology can check that the policy is set to the required
value and raise a real-time alert when it differs, and can also alert in real time whenever the security
policy is changed. With regard to 8.5.13, automated actions can be defined to disable a user ID when
failed attempts are detected; since the requirement allows at most six attempts, the action should fire on
the sixth failure, not only after more than six.
8.5.16 Authenticate all access to any database containing cardholder data. This includes
access by applications, administrators, and all other users
Tango/04 Solution: Access and modifications to critical data files on several platforms can be monitored
and reported on. As the control is done at the database level, it doesn’t matter where the change came
from (i.e. applications, administrators or your users). Changes to data records are available on leading
databases at the field level and reports show “before” and “after” images. Real-time alerts can also be
triggered when data files are inappropriately read or modified so you can react immediately to unauthorized
data access attempts.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Detailed Description of top level requirement:
Logging mechanisms and the ability to track user activities are critical. The presence of logs in all
environments allows thorough tracking and analysis if something does go wrong. Determining the cause of
a compromise is very difficult without system activity logs.
Sub-requirement 10.1: Establish a process for linking all access to system components (especially
access done with administrative privileges such as root) to each individual user.
Tango/04 Solution: Our technology is able to monitor user activity such as access to applications and
command usage, including SQL statements executed. Real-time alerts can be generated when sensitive
commands are used so you can react to the event immediately. This presupposes that administrators sign
on with individual IDs: activity performed under a shared privileged profile such as root cannot be traced
back to a person by any monitoring tool, so shared administrative log-ons must be eliminated first.
Sub-requirement 10.2: Implement automated audit trails to reconstruct the following events for all system
components:
10.2.1 All individual accesses to cardholder data.
Tango/04 Solution: Data Monitor can track read, update, insert and delete actions taken against any file.
For changed records, it will show “before” and “after” versions of the record. You can also mask or hide
data in the reports such as credit cards.
10.2.2 All actions taken by any individual with root or administrative privileges.
Tango/04 Solution: With VISUAL Security Suite we can audit commands and SQL statements executed,
objects accessed, created, deleted, restored, file changes, authorization failures, user log-ons and much
more.
10.2.3 Access to all audit trails.
Tango/04 Solution: Authorized users can access our Reporting System, which includes over 200 built-in
reports that run over the collected audit data stored in our own data files. You can also easily build
custom sub-reports. The file structure is documented, so you can run your own queries over the data as
well.
Besides historical reports, our real-time alerting lets you know instantly when a suspicious security event
has occurred so you can address the situation on the spot. You can also respond to events automatically.
For example, if a user attempts to access a critical file after hours, we can call your cell phone and
simultaneously end the user's job and disable the profile to prevent any unwarranted updates to the file.
10.2.4 Invalid logical access attempts.
Tango/04 Solution: We can track all invalid user log-ins, providing date/time of failed log-in, all user
attributes (such as user class) as well as device and IP address of the attempt.
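The lockout rules of 8.5.13 and 8.5.14 and the invalid-access record of 10.2.4 above, run over sign-on events as an added example (not Tango/04 code). It locks an ID on the sixth consecutive failure, expires the lock after thirty minutes or on an administrator's reset, keeps every failed attempt with its date/time, device and IP address, and raises two further alerts a practitioner wants: continued attempts against an ID that is already locked, and a successful sign-on during a lockout, which means the platform is not enforcing the lock. The log format and the sample lines are constructed for the example; replace `LINE_RE` with whatever your platform actually emits.

```python
# Added example, not Tango/04 code. Log format below is constructed.
import re
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 6                       # 8.5.13: lock on the sixth failure
LOCKOUT_DURATION = timedelta(minutes=30)    # 8.5.14: 30 minutes or admin reset

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAIL)\s+"
    r"user=(?P<user>\S+)\s+device=(?P<device>\S+)\s+ip=(?P<ip>\S+)$"
)


def parse_event(line):
    """Return a dict with a datetime timestamp, or None for lines that are
    not sign-on events (other monitors deal with those)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


class LockoutMonitor:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.consecutive = {}       # user -> failures since last success/unlock
        self.locked_until = {}      # user -> datetime at which the lock expires
        self.invalid_attempts = []  # 10.2.4: every failed sign-on with details
        self.alerts = []            # (kind, user, timestamp, detail)

    def _expire_lock(self, user, now):
        until = self.locked_until.get(user)
        if until is not None and now >= until:   # 8.5.14: duration elapsed
            del self.locked_until[user]
            self.consecutive[user] = 0

    def admin_unlock(self, user):
        """8.5.14: an administrator may re-enable the ID before 30 minutes."""
        self.locked_until.pop(user, None)
        self.consecutive[user] = 0

    def process(self, line):
        ev = parse_event(line)
        if ev is None:
            return
        user, now = ev["user"], ev["ts"]
        self._expire_lock(user, now)
        locked = user in self.locked_until
        if ev["result"] == "FAIL":
            self.invalid_attempts.append(
                {"time": now, "user": user, "device": ev["device"], "ip": ev["ip"]})
            if locked:
                # Somebody keeps trying while the ID is disabled: alert separately.
                self.alerts.append(("attempt_while_locked", user, now, ev["ip"]))
                return
            n = self.consecutive.get(user, 0) + 1
            self.consecutive[user] = n
            if n >= self.threshold:
                self.locked_until[user] = now + self.duration
                self.alerts.append(("locked", user, now,
                                    "%d failures, last from %s" % (n, ev["ip"])))
        else:
            if locked:
                # The platform accepted a sign-on its own policy should have
                # refused: the lock is not enforced or was bypassed. Escalate
                # and leave the lock state alone for the investigation.
                self.alerts.append(("success_during_lockout", user, now, ev["ip"]))
                return
            self.consecutive[user] = 0


def run_monitor(lines, **kwargs):
    monitor = LockoutMonitor(**kwargs)
    for line in lines:
        monitor.process(line)
    return monitor


# Constructed sample: jsmith fails six times, keeps trying while locked, and
# is then accepted before the lock has expired.
SAMPLE_LOG = """\
2007-03-12 09:00:10 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:00:25 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:00:41 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:01:02 LOGIN OK   user=mlopez device=QPADEV0002 ip=10.1.2.9
2007-03-12 09:01:15 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:01:30 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:01:44 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:05:00 LOGIN FAIL user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:20:00 LOGIN OK   user=jsmith device=QPADEV0001 ip=10.1.2.3
2007-03-12 09:40:00 LOGIN OK   user=jsmith device=QPADEV0001 ip=10.1.2.3
"""

if __name__ == "__main__":
    m = run_monitor(SAMPLE_LOG.splitlines())
    for alert in m.alerts:
        print(alert)
    print("%d invalid attempts recorded" % len(m.invalid_attempts))
```

The third alert is the one to take seriously: a success while the ID should be locked is not a user problem but a control problem, and the automatic action for it is to disable the profile, not just to notify.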
10.2.6 Initialization of the audit logs.
Tango/04 Solution: VISUAL Security Suite can promptly alert you to any attempt to clear the audit logs
where they are generated (for instance, the Windows Event Log on Windows servers). Our technology can
also monitor changes to logs other than operating system logs, such as application logs, in real time.
Attempts to clear the collected audit events once they have been processed, correlated and archived
(i.e., once they are stored in the historical event log repositories) can be monitored in real time as well
(see requirement 10.5.5).
10.2.7 Creation and deletion of system-level objects.
Tango/04 Solution: VISUAL Security Suite can easily audit the creation/deletion of all objects at any level.
Sub-requirement 10.3: Record at least the following audit trail entries for each event, for all system
components:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
Tango/04 Solution: VISUAL Security Suite audit entries include all of the above information and more.
Below is an example of the information received when a user changed a system value:
Figure 9 – Sample Message Triggered by a System Value Change
The other tabs of the message shown above carry further fields, which can be passed as soft-coded
variables into the messages you send by email or as a text message to a cell phone.
The Data Monitor module can be used to track file access and can report on data file changes by showing
the “before” and “after” image as previously shown in Figure 7. Confidential information can be masked on
reports and shown as “Restricted” so actual data, such as credit card numbers, is not visible. The data can
also be enhanced to render it more readable. For example, an account code that reads 374404534 can be
enhanced to reflect that the account belongs to “JOHN SMITH”. We can also provide additional data such
as the user class, group, country and accounting code.
Real-time alerts can also be generated to immediately inform you of any suspicious security events.
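The 10.3 field set and the report masking described above, as an added example (not Tango/04 code): a raw event from any source is normalized into the six required fields, refused when one is missing, and every Luhn-valid run of 13 to 19 digits in its text fields is masked down to the first six and last four digits, the most PCI DSS 3.3 allows to be displayed. The Luhn check is what keeps order numbers and other long identifiers from being masked by mistake. Field names and the sample event are assumptions made for the example.

```python
# Added example, not Tango/04 code. Field names are illustrative.
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

REQUIRED_FIELDS = (
    "user",        # 10.3.1 user identification
    "event_type",  # 10.3.2 type of event
    "timestamp",   # 10.3.3 date and time
    "success",     # 10.3.4 success or failure indication
    "origin",      # 10.3.5 origination of event (device, IP address, job)
    "target",      # 10.3.6 affected data, system component or resource
)


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text):
    """Replace each Luhn-valid 13-19 digit run with first six + last four."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)           # not a card number, leave it alone
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(repl, text)


def missing_fields(raw):
    """Names of 10.3 fields that are absent or empty in a raw event."""
    return [f for f in REQUIRED_FIELDS if raw.get(f) in (None, "")]


def to_audit_record(raw):
    """Normalize a raw event into the 10.3 schema, masking PANs in the
    resource/origin fields and in any extra detail (before/after images)."""
    missing = missing_fields(raw)
    if missing:
        raise ValueError("audit event incomplete, missing: " + ", ".join(missing))
    record = {f: raw[f] for f in REQUIRED_FIELDS}
    record["success"] = bool(record["success"])
    for f in ("target", "origin"):
        record[f] = mask_pans(str(record[f]))
    extra = {k: mask_pans(str(v)) for k, v in raw.items() if k not in REQUIRED_FIELDS}
    if extra:
        record["detail"] = extra
    return record


if __name__ == "__main__":
    # Constructed event: a record read from a cardholder file whose before
    # image contains a (test) card number and an unrelated order number.
    raw = {"user": "jsmith", "event_type": "READ", "timestamp": "2007-03-12 09:15:01",
           "success": True, "origin": "10.1.2.3 job 123456/QUSER/QZDASOINIT",
           "target": "CARDS/ORDERS",
           "before": "4111 1111 1111 1111 order 1234567890123456"}
    print(to_audit_record(raw))
```

Masking belongs in the report layer only: the stored audit record must keep enough to reconstruct the event, so apply `mask_pans` on the way out to a report or alert, and keep the repository itself under the access controls of 10.5.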
Sub-requirement 10.5: Secure audit trails so they cannot be altered.
10.5.5 Use file integrity monitoring/change detection software on logs to ensure that
existing log data cannot be changed without generating alerts (although new data being
added should not cause an alert).
Tango/04 Solution: VISUAL Security Suite can promptly alert you to any attempt to change a file
(including log files) on most operating systems and databases. Encryption could also be integrated to
further protect the historical event log repositories, but note that encryption alone gives confidentiality,
not integrity: a party who can write to an encrypted file can still overwrite or truncate it, and only a digest,
signature or change-detection control will tell you that it happened. Encryption is also resource
consuming and intrusive when forensic data has to be extracted or historical audit reports generated.
Consequently, our recommendation for this particular requirement is to use Data Monitor, the Tango/04
technology that lets you monitor changes or deletions to a database at the record and field levels,
including changes to our own auditing database files.
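The append-only check that 10.5.5 asks for, as an added example (this is not Data Monitor or any other Tango/04 code): a snapshot stores a SHA-256 digest per fixed-size block of the log content seen so far, and a later check passes when every baselined block is unchanged whatever has been appended after it, reports truncation (the log was cleared or re-initialized, the 10.2.6 case) and pinpoints the byte range of any modification. With `allow_append=False` the same check serves the critical-file comparison of 11.5, where growth is as suspicious as any other change. The 4096-byte block size is an assumption; the sample log is constructed.

```python
# Added example, not Tango/04 code. Block size is an assumption.
import hashlib

BLOCK = 4096


def snapshot(data, block=BLOCK):
    """Baseline: length plus a digest of each block (the last may be short)."""
    return {
        "block": block,
        "length": len(data),
        "digests": [hashlib.sha256(data[i:i + block]).hexdigest()
                    for i in range(0, len(data), block)],
    }


def verify(snap, data, allow_append=True):
    """Compare current content against a snapshot.
    Returns ("ok", {"appended_bytes": n}), ("truncated", {...}) or
    ("modified", {"ranges": [(start, end), ...]})."""
    block, length = snap["block"], snap["length"]
    if len(data) < length:
        return "truncated", {"expected_length": length, "actual_length": len(data)}
    changed = []
    for i, want in enumerate(snap["digests"]):
        start = i * block
        end = min(start + block, length)    # last baselined block may be partial
        if hashlib.sha256(data[start:end]).hexdigest() != want:
            changed.append((start, end))
    if not allow_append and len(data) > length:
        changed.append((length, len(data)))  # growth is a change for 11.5 files
    if changed:
        return "modified", {"ranges": changed}
    return "ok", {"appended_bytes": len(data) - length}


def check_file(path, snap, block=BLOCK, allow_append=True):
    """Verify a file on disk. Returns (status, detail, snapshot_to_keep).
    On "ok" the snapshot is refreshed so the next check also covers the bytes
    appended since; on an alert the old snapshot is kept as evidence of what
    was baselined."""
    with open(path, "rb") as fh:
        data = fh.read()
    if snap is None:
        return "baselined", {}, snapshot(data, block)
    status, detail = verify(snap, data, allow_append)
    return status, detail, (snapshot(data, block) if status == "ok" else snap)


if __name__ == "__main__":
    # Constructed log of ten lines, checked with a small block so the ranges
    # are easy to read; then one byte in the third line is flipped.
    log = b"".join(b"line %02d login ok\n" % i for i in range(10))
    snap = snapshot(log, block=32)
    print(verify(snap, log + b"line 10 login ok\n"))
    print(verify(snap, log[:100]))
    tampered = bytearray(log)
    tampered[40] ^= 0xFF
    print(verify(snap, bytes(tampered)))
```

Keep the snapshots on a host the log writer cannot reach (the page's own point about storing the audit database on a separate LPAR or Windows box applies equally here): a snapshot the attacker can rewrite detects nothing. The check tells you that and where a file changed, not who changed it; that attribution comes from the operating system audit journal or the record-level Data Monitor trail.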
Sub-requirement 10.6: Review logs for all system components at least daily. Log reviews should include
those servers that perform security functions like IDS and authentication (AAA) servers.
Tango/04 Solution: Reports can be scheduled to run daily and automatically emailed to the appropriate
personnel. Reports can also be generated in various formats (e.g., .pdf, .xls, .doc) so you can easily sort
and analyze the information.
A major benefit of implementing our technology is that real-time alerts can be generated at the time a
potential security breach is happening. Instead of finding out about a potential breach after the fact
when reviewing logs, you can be alerted immediately and even take automated actions based on the
event and threat level. Real-time alerting complements the daily review of 10.6 rather than replacing it:
an assessor will still expect evidence that the logs were reviewed, which the scheduled reports and their
distribution records provide.
Sub-requirement 10.7: Retain your audit trail history for a period that is consistent with its effective use, as
well as legal regulations. An audit history usually covers a period of at least one year, with a minimum of
three months available online.
Tango/04 Solution: A major advantage of our solution is that the audit data is stored in its own database.
Because customers are urged to monitor only for exceptions or deviations from the security policy, the
amount of information stored is reasonable from a DASD standpoint. Keep in mind that 10.2.1 requires
every individual access to cardholder data to be recorded, so the filtering should apply to other event
classes, not to cardholder-data access. Storing the audit data separately is extremely useful because it
lets you run audit reports long after the journals have been removed from your system.
With the Data Monitor product, which logs information about file updates, the data can even be stored on
a different iSeries system or LPAR, or on a different platform such as a Windows server. This is a great
advantage because of the added security and the much lower cost (disk space on Windows is much
cheaper than on the System i). The off-box copy then becomes the audit trail of record and needs the
same 10.5 protections (restricted access, change detection, backup) as the original.
Requirement 11: Regularly test security systems and processes
Detailed Description of top level requirement:
Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new
software. Systems, processes, and custom software should be tested frequently to ensure security is
maintained over time and with any changes in software.
Sub-requirement 11.4 Use network intrusion detection systems, host-based intrusion detection systems,
and intrusion prevention systems to monitor all network traffic and alert personnel to suspected
compromises. Keep all intrusion detection and prevention engines up-to-date.
Tango/04 Solution: Our technology supports this requirement because VISUAL Security Suite can monitor
logs and alerts coming from many system components such as intrusion detection systems (in addition to
firewalls, anti-virus software, applications, web servers and network devices). We also directly integrate
with one of the most powerful and comprehensive exit point solutions for the System i which provides
protection for more than 2,000 access functions.
Events of interest from all sources are sent to a centralized console (either PC or web based) where they
are consolidated into a single view for further analysis. We also provide the ability to generate real-time
alerts when a suspicious event occurs so you can take immediate action on the problem at hand. Our
solution also lets you define an escalation list for critical events so you can be sure they are addressed.
Our rich reporting system lets you conduct forensic analysis over events as a means of evaluating and
improving the security systems and processes you have in place. Beyond that, our technology additionally
includes the ability to perform actions (such as disabling a user at once from several platforms and
domains, modifying a system setting, or ending a process) when an alert is generated so incidents can be
handled automatically, minimizing total risk exposure.
Sub-requirement 11.5: Deploy file integrity monitoring to alert personnel to unauthorized modification of
critical system or content files, and perform critical file comparisons at least daily (or more frequently if the
process can be automated).
Tango/04 Solution: The Data Monitor product has the ability to monitor any files on your system for
changes. Reports can be run to see all forensic information about the change, including the "before and
after" images of the records changed. Real-time alerts can also be fired so you know immediately if a
record has been changed by an unauthorized user or outside normal business hours, or even if a change
exceeds a predefined threshold. For example, you may want to be notified immediately if a customer
service representative has given a customer more than a 15% discount on a purchase. More generally,
our technology provides real-time alerts whenever a suspicious security event occurs.