SlideShare une entreprise Scribd logo

PCI DSS Success: Achieve Compliance and Increase Web Application Security

Citrix
Citrix

Beginning in January of 2015, all entities that store, process, or transmit cardholder data (CHD) will be subject to version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS). Although the changes introduced in this latest revision are relatively modest in scope, achieving and demonstrating compliance with its approximately three hundred individual requirements will still be a significant challenge, and investment, for most organizations.

Technologie
1  sur  12
Télécharger pour lire hors ligne
Solutions Brief citrix.com PCI DSS Success: Achieve Compliance and Increase Web Application Security Protect web applications and cardholder information with solutions from Citrix
Solutions Brief citrix.com PCI DSS Success 2 Beginning in January of 2015, all entities that store, process, or transmit cardholder data (CHD) will be subject to version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS). Although the changes introduced in this latest revision are relatively modest in scope, achieving and demonstrating compliance with its approximately three hundred individual requirements will still be a significant challenge, and investment, for most organizations. This white paper examines the prevailing conditions driving evolution of the PCI DSS and the resulting challenges facing today’s IT departments. It explains how Citrix® application delivery, virtualization and mobility solutions can help ease the PCI compliance burden while substantially improving the resiliency and security of an organization’s business-critical web applications. By leveraging Citrix NetScaler® , XenDesktop® , XenMobile® and other related components, IT security and compliance teams can: • Tightly control who has access to and maintain isolation of all corporate systems involving CHD – including for remote/mobile employees and external users. • Reduce the total cost of PCI compliance by satisfying numerous individual requirements with a tightly integrated platform for delivering and protecting IT services. • Reap the rewards of capabilities that go above and beyond the minimum requirements of the PCI DSS to not only provide superior protection against today’s threats but also deliver a future-proof compliance solution capable of keeping up with the standard as it continues to evolve. The net result is a solution set that enables businesses to streamline PCI compliance, both now and in the future, while also ensuring the availability, accessibility and security of business-critical applications and services. The Threat: No Signs of Slowing Down The original issues leading to the development and ensuing enforcement of the PCI DSS are alive and well today. If anything, in fact, the situation has gotten substantially worse in recent years. Just consider the following statistics: • Between 2009 and 2013, global losses from payment card fraud increased 100%, from $7 billion to $14 billion1 . • Between January 2008 and October 2014, the total number of records containing sensitive personal information involved in security breaches in the United States since 2005 increased nearly 330%, from 217 million to 930 million2 . • According to the Verizon 2014 PCI Compliance Report, payment card data remains one of the easiest types of data to convert to cash – which is why 74 percent of attacks on retail, accommodation, and food services companies target this type of information3 . 1. http://www.businessinsider.com/the-us-accounts-for-over-half-of-global-payment-card-fraud-sai-2014-3 2. http://www.privacyrights.org/data-breach 3. http://www.verizonenterprise.com/pcireport/2014/
Solutions Brief citrix.com PCI DSS Success 3 • In a survey conducted by Software Advice, more than three-quarters of consumers indicated they would be less likely or completely unwilling to buy products from a company that allowed their personal data to be compromised4 . High-profile breaches of major retailers, financial institutions and a wide variety of other businesses that process credit card data only serve to further demonstrate the need for better protection of sensitive customer information. The Response: Evolution of the PCI DSS To address mounting threats and account for the steady adoption of new technologies and delivery models, the PCI Security Standards Council has a plan in place to review prevailing conditions and issue updates to the PCI DSS approximately every three years. Consistent with this objective, version three of the standard, published in November of 2013, starts being enforced by auditors as of January 1, 2015. This latest iteration of the PCI DSS retains and builds on the same framework of core requirements used from the beginning (see Table 1). In fact, the vast majority of changes in version 3 are relatively minor tweaks that only clarify existing sub-requirements. PCI Data Security Standard – High Level Overview Organizing Principles Core Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personne 4. http://www.internetretailer.com/2014/07/17/consumer-confidence-shifts-physical-online-retailers source: page 5 of https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
Solutions Brief citrix.com PCI DSS Success 4 As for entirely new or significantly enhanced sub-requirements, version 3 introduces twenty of those. Notable examples include: • New requirement 1.1.3, for a current diagram that shows cardholder data flows. • New requirement 2.4, to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards. • New requirement 6.5.10, for coding practices to protect against broken authentication and session management. • New requirement 8.5.1, for service providers with remote access to customer premises to use unique authentication credentials for each customer. • New requirement 11.3.4, to perform penetration tests to verify that the segmentation methods used to isolate the cardholder data environment (CDE) from other networks are operational and effective. For reference purposes, a complete summary of all clarifications, enhanced requirements, and new requirements incorporated in version 3 of the PCI DSS can be obtained here: https://www. pcisecuritystandards.org/documents/PCI_DSS_ v3_Summary_of_Changes.pdf PCI Compliance Challenges Taken individually, few, if any, of the new requirements or other changes introduced with version 3 of the PCI DSS qualify as being particularly onerous. This doesn’t change the fact, however, that achieving, maintaining and demonstrating compliance with the PCI DSS in its entirety requires a significant investment of time, effort and financial resources by those organizations that are subject to it. Related challenges to also acknowledge include the fact that being compliant does not necessarily translate into being adequately protected from advanced cyber threats, and that web applications, in particular, require closer attention due to the relative degree of risk they present. Compliance requires a significant investment Achieving compliance with the PCI DSS means having and maintaining an answer for approximately three hundred requirements for each and every system component included in or connected to the organization’s CDE. To reduce their compliance burden, security and networking teams need to fully exploit network segmentation techniques and technologies that can effectively isolate their organization’s CDE and shrink the amount of infrastructure designated as in-scope. Along with trimming the cost and complexity of PCI compliance, such an approach improves an organization’s ability to contain the spread of threats and simplifies associated troubleshooting and forensic efforts. For those components that remain in scope, a second strategy to reduce compliance cost and complexity is to focus on solutions that simultaneously address numerous requirements, ideally in a tightly integrated manner. Not only is the alternative of having many more solutions – each of which only covers a few requirements – often prohibitive from a cost perspective, it also leads to a highly fragmented security architecture and increased likelihood of “events of significance” slipping through the resulting gaps. Compliance doesn’t equal security The PCI DSS itself indicates that it is only a “baseline” of requirements for protecting CHD. In other words, it represents a minimum standard of due care, rather than a comprehensive treatment of everything any given organization needs to do to sufficiently defend its CDE.
Solutions Brief citrix.com PCI DSS Success 5 Compounding this situation is the nominal three-year period between updates to the PCI DSS. The delay this introduces pretty much guarantees that the specified requirements lag behind significant changes to the technology and threat landscapes, which are unfolding at a much quicker pace. The net result is that security teams will typically need to go above and beyond the requirements of the PCI DSS, both to adequately defend against emerging threats and to more closely match their organization’s actual tolerance for risk. Web applications require more attention As the front door to all sorts of lucrative information, including CHD, web applications lie squarely in the crosshairs of today’s hackers. It also doesn’t help matters that web applications and the technologies used to build them have proven to be notoriously vulnerable. Just consider the following statistics, all from 20135 : • 77% of public websites scanned were found to contain vulnerabilities • 1 in 8 websites was found to contain a critical vulnerability, making it relatively easy for hackers to gain access to sensitive data, alter the website’s content, or compromise visitors’ computers • Approximately 67 percent of websites used to distribute malware were identified as legitimate, compromised websites Another significant challenge is the increasing complexity of web properties and the diversity of components now requiring protection. These include: • Cloud-hosted web apps/sites and content delivery networks • SaaS and other cloud delivery options, such as platform as a service (PaaS) and infrastructure as a service (IaaS), where the enterprise owns and controls progressively less of the solution • Mashups, where content is dynamically pulled together from numerous external sites • Mobile solutions, where device-side micro apps communicate to sophisticated web- based back ends Strictly speaking, the issue here is not a deficiency with the PCI DSS. Section 6.6 already acknowledges the need to protect public- facing web applications by requiring organizations either to assess them for vulnerabilities or front-end them with an automated solution for detecting and protecting web-based attacks, such as a web application firewall. Instead, the issue is one of organizations not pursuing these and other complementary measures as broadly or deeply as they actually need to be performed to sufficiently address the associated risks. As a starting point for remedying this situation, security and compliance teams should consider the set of recommendations outlined in Appendix 1, “A Recipe for Web Application Protection and Compliance.” To further address the challenges of PCI compliance, they should also consider the market-leading solutions from Citrix discussed in the following sections. Citrix Solutions That Help with PCI Compliance Used either individually or in conjunction with one another, each of the following Citrix solutions provides organizations with an extensive array of capabilities to help ensure the security, accessibility, and usability of their business-critical web applications. Equally important is how they help organizations achieve compliance with the PCI DSS. 5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
Solutions Brief citrix.com PCI DSS Success 6 Citrix NetScaler Citrix NetScaler is an all-in-one application delivery controller that enables organizations to address all of their web application security and optimization needs with a single, strategic platform. In addition to supporting NetScaler AppFirewall and NetScaler Gateway™ as tightly integrated software modules, NetScaler provides an extensive set of load balancing, application acceleration and infrastructure- layer security capabilities – including extensive protections for DDoS attacks. The result is a highly cost effective solution that thoroughly secures an organization’s web applications at the same time that it substantially enhances their performance, accessibility, and availability. With NetScaler MobileStream, these same capabilities and benefits are extended to also ensure optimal performance and security for mobile networks and services. NetScaler AppFirewall NetScaler AppFirewall™ is the industry’s highest performing, ICSA-certified and NSS Labs Recommended solution for protecting web and web services applications from all known and zero-day application-layer attacks6 . Featuring a hybrid security model, NetScaler AppFirewall blocks all deviations from normal application behavior while efficiently scanning for thousands of automatically updated threat and vulnerability signatures. It analyzes all bi-directional traffic, including SSL-encrypted sessions, to protect against an extensive range of threats without any modification to the applications its defending. In support of PCI security audits, NetScaler AppFirewall can generate a comprehensive report that not only details all security protections defined in the application firewall policy that pertain to PCI requirements, but also highlights those configuration settings that are “out-of-compliance.” In addition, administrators can configure it to prevent the inadvertent leakage or theft of sensitive information, such as credit card numbers or custom-defined data objects, by either removing or masking content from application responses, so that sensitive information is not disclosed to anyone without a “need to know.” NetScaler Gateway NetScaler Gateway is a secure application, desktop and data access solution that gives IT administrators granular application-level and device-level policy and action controls over access to corporate content, while allowing users to work from anywhere using SmartAccess and the XenMobile Micro VPN technologies. It provides a single point of control and tools to help IT administrators ensure compliance with regulations and protect corporate information with the highest levels of security, both within and outside the enterprise. At the same time, NetScaler Gateway empowers users with a single point of access— optimized for roles, applications, devices and networks—to the enterprise applications and data they need. This unique combination of capabilities helps maximize the productivity of today’s mobile workforce. Citrix XenDesktop XenDesktop is a comprehensive desktop virtualization and VDI solution that delivers a complete Windows desktop and application experience as an on-demand cloud service. With XenDesktop, IT teams can quickly and securely deliver any type of virtual desktop or Windows, web and SaaS application to any PC, Mac, tablet, smartphone, laptop or thin client – all with a high-definition user experience. In terms of PCI compliance, a major advantage of XenDesktop is that it introduces an operating model that effectively isolates client networks and devices from the datacenter and CDE, 6. http://www.citrix.com/content/dam/citrix/en_us/documents/oth/web-application-firewall-comparative-analysis.pdf
Solutions Brief citrix.com PCI DSS Success 7 thereby allowing them to be designated as “out of scope.” With XenDesktop, general-purpose, always-on and full-network layer connections can be replaced with tightly controlled and monitored access to individual applications and resources. Moreover, the nature of this “access” is such that while users retain all of the application functionality they are used to, the target resources – including all CHD and other sensitive data – never leave the CDE/datacenter. Citrix XenMobile XenMobile is a comprehensive solution for managing mobile devices, apps and data. With XenMobile, users have single-click access to all of their mobile, SaaS and Windows apps from a unified corporate app store, while IT gains control over mobile devices with full configuration, security, provisioning and support capabilities. Users get the freedom to experience work and life their way, while IT gets the capabilities and control it needs to extend protection across the mobile environment and ensure compliance with applicable standards and regulations. Key features and capabilities IT teams can leverage to help achieve PCI DSS compliance include the following: • Tight integration with NetScaler Gateway melds “need to know” with “secure enough to know” by delivering the ability to tightly control which users have access to which resources, under which specific operating conditions and from which devices. • The Micro VPN features replaces full network- layer connections with secure, per-application tunnels, thereby reducing the potential for users (or hackers) to “hop around” and gain access to other, unauthorized systems and resources. • For Worx-enabled mobile apps, a dedicated, encrypted workspace provides protection for all sensitive data regardless of who owns the client device. Meeting and Exceeding Multiple PCI Requirements Together, the Citrix solutions introduced in the previous section provide a tightly integrated platform that enables enterprise security and compliance teams to meet and, in many cases, exceed numerous PCI DSS requirements. Requirement 1: Install and maintain a firewall configuration to protect cardholder data The Citrix platform can be used to deny all traffic from untrusted networks and hosts (requirement 1.2) by restricting connections to: • Approved protocols and methods. • Sessions originating from trusted networks and devices. • Authenticated users with right levels of authorization for the resources being accessed. • Precisely the individual resources needed, as opposed to entire segments/networks. It can also be used to facilitate implementation of a DMZ (requirement 1.3) by providing highly secure, fully locked-down intermediary devices for brokering, controlling and monitoring traffic from/to the Internet. Requirement 2: Protect stored cardholder data Logging capabilities can be configured to omit card verification codes, personal identification numbers (PINs) and primary account numbers (PANs) from transaction and activity logs (requirements 3.2.2, 3.2.3, and 3.4). In addition, NetScaler AppFirewall can mask or block PANs (requirement 3.3) and otherwise prevent leakage of CHD, regardless of programmer oversight, logic flaws or targeted attacks.
Solutions Brief citrix.com PCI DSS Success 8 FIPS 140-2, Level 2 compliant versions of NetScaler, NetScaler AppFirewall and NetScaler Gateway provide secure storage for the keys and certificates used for encryption of cardholder data and all application-specific and network-layer connections/tunnels (requirement 3.5.2). Requirement 3: Encrypt transmission of cardholder data across open, public networks Each of the Citrix solutions can be used to SSL- enable applications that were not designed to use secure communications protocols (requirement 4.1). In addition, the NetScaler AppFirewall can inspect the contents of all SSL/ TLS encrypted sessions, ensuring session validity and blocking attacks – a capability that is not generally available in traditional network firewall and intrusion prevention products. Requirement 4: Protect all systems against malware and regularly update anti-virus software or programs. Integral device inspection capabilities can deny access and alert administrators when client anti- malware solutions are out-of-date, disabled, or otherwise misconfigured (requirements 5.2 and 5.3). Going above and beyond the letter of the PCI DSS requirements, the Citrix platform also provides an additional layer of malware protection for all devices and systems by delivering a robust set of network-based defenses for both known and unknown threats. Requirement 5: Develop and maintain secure systems and applications As discussed previously, NetScaler AppFirewall provides unparalleled protection against threats and vulnerabilities targeting modern web applications and services, in all of their diverse and complex forms. Requirements 6/7: Restrict access to cardholder data by business need to know / Identify and authenticate access to system components The Citrix solutions support all of the associated sub-requirements. Robust policy development and enforcement capabilities enable granular control over who has access and to which specific information resources. Support is provided for multiple user authentication mechanisms, including the use of two-factor methods for remote access scenarios, and all passwords are encrypted during transmission. Conclusion Citrix application delivery, desktop virtualization, and mobility management solutions substantially reduce the burden of achieving, maintaining and demonstrating compliance with the Payment Card Industry Data Security Standard, while simultaneously improving the security, accessibility, and performance of an organization’s web applications and mobile services. By taking advantage of Citrix NetScaler, NetScaler AppFirewall, NetScaler Gateway, Citrix XenDesktop and Citrix XenMobile IT security and compliance teams can: • Tightly control who has access to and maintain isolation of all corporate systems involving cardholder data – including for remote/mobile employees and external users. • Reduce the total cost of PCI compliance by satisfying numerous individual requirements with a tightly integrated platform for delivering and protecting IT services. • Reap the rewards of capabilities that go above and beyond the minimum requirements to not only provide superior protection against today’s threats but also deliver a future-proof PCI compliance solution capable of keeping up with the standard as it continues to evolve.
Solutions Brief citrix.com PCI DSS Success 9 For more information on Citrix NetScaler and other solutions from Citrix, please visit www.citrix.com. Appendix 1: A Recipe for Web Application Protection and Compliance The following recommendations outline an approach organizations can use to improve the security of their web application environments and cost effectively ensure compliance with applicable PCI DSS requirements. Recommendation #1 – Establish and minimize the scope of the problem Inventory all web applications and associated data stores. Eliminate all instances of capturing/ storing prohibited information. Re-assess the need to handle and/or store all other cardholder information. If it is not needed, then it should not be processed/stored. Follow the other recommendations below to ensure that all remaining cardholder data is efficiently and effectively protected at all times. Recommendation #2 – Approach PCI DSS compliance sensibly Although requirement 6.6 of the PCI DSS presents a choice between conducting code reviews and installing an application layer firewall, organizations need to understand that the best approach is to implement both of these measures. That said, if a choice must be made – perhaps due to financial constraints – then organizations should favor the approach of using an application layer firewall because of the numerous advantages it yields, including delivering protection that is continuous, that accounts for both known and unknown attacks, and that accommodates multiple applications simultaneously. Recommendation #3 – Approach PCI DSS compliance strategically To the extent possible, ensure that actions taken to fulfill a specific requirement can actually be leveraged to support multiple requirements, or at least help address other needs the enterprise has – including compliance with other regulations. Overall, this strategy should not be difficult to pursue, especially since the requirements of the PCI DSS are fundamentally sound security practices that can be applied to all types of data and computing resources. For example, web application firewalls: (a) can be used to address numerous PCI DSS requirements, (b) can be used to protect more than just CHD, and (c) at least in the case of the Citrix offering, can be deployed in the form of a full-featured application delivery controller that also provides substantial performance and availability benefits. Recommendation # 4 – Approach PCI DSS compliance as an ongoing/continuous effort On one hand, compliance must be re-validated annually. On the other hand, an even more important concern is that the organization does not suffer a loss/theft of cardholder data, at any time, period. As a result, security operations personnel should routinely audit the usage logs for web applications to help detect any abnormal or unauthorized activities that might be occurring. Furthermore, organizations need to account for the fact that web applications are rarely static; they are always being modified to incorporate new
Solutions Brief citrix.com PCI DSS Success 10 functionality. As a result, the security team will need to periodically re-assess all web applications to ensure they are still handling sensitive information properly. In this regard, a web application firewall could be used (a) to alert an administrator of any changes in application behavior that may result in violations, and (b) to mitigate the deficient condition until such time that the application is fixed. Finally, it is also unlikely that the applicable requirements will remain static. Organizations, therefore, must monitor the activities of the PCI Security Standards Council and be prepared to address any new requirements that emerge. Once again, a robust web application firewall could be a boon in such a situation based on its potential to support compliance without having to modify all of the affected applications. Recommendation #5 – Approach compliance realistically Despite all of an organization’s best efforts, the potential for a security incident involving cardholder data will always remain. Stakeholders must manage expectations accordingly and be prepared for such a situation. Having the appropriate people, processes, and technology in place in advance is critical to being able to execute a swift response and minimize the impact – including any fallout from governing regulatory bodies. Recommendation # 6 – Be sure to secure the back end Web applications rarely operate alone. They may be the primary interface for handling data, but they almost always rely on databases as well. Thus, organizations ultimately need to implement appropriate security measures for these crucial back-end components too, including: access control, data encryption, and logging/auditing for all data access and configuration activities. Appendix 2: PCI Security Requirements Supported by Citrix Solutions Citrix application networking, virtualization, and mobility solutions support many of the approximately three hundred requirements specified in the PCI DSS, as summarized in the following table. PCI DSS Requirement Supported Sub-Requirements Description of Capabilities Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.2, 1.2.1, 1.3, 1.3.1, 1.3.8 Features such as SmartAccess, Micro VPN and centralized authentication and authorization capabilities enable administrators to fully implement a least privileges access control model for all networks involving cardholder data (i.e., deny all users, devices, applications, and data except for that which is necessary). Availability of security-hardened appliances facilitates creation of DMZs to act as buffer zones between the Internet and internal CDE networks and systems. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1, 2.2, 2.2.3, 2.3 The NetScaler/NetScaler AppFirewall PCI Compliance Report indicates whether the default password has been changed for the system’s root account and flags use/availability of insecure management protocols or interfaces. In addition, all solution components require user authentication and implement strong encryption for all non-console and remote administration sessions, whether the component is accessed directly or via the applicable central management system (e.g., Command Center).
Solutions Brief citrix.com PCI DSS Success 11 Requirement 3: Protect stored cardholder data 3.2, 3.2.2, 3.2.3, 3.3, 3.4, 3.5, 3.5.2 NetScaler AppFirewall enables masking/blocking of Primary Account Numbers (PANs), and a confidential logging feature can be utilized to keep all PANs and other sensitive authentication data (SAD) from being logged. FIPS 140-2, Level 2 compliant hardware appliances, provides secure storage of private keys used for encrypting cardholder data and related communication sessions. Requirement 4: Encrypt transmission of cardholder data across open, public networks 4.1, 4.2 Secure remote access is enabled by a full-featured SSLVPN capability. In addition, the Micro VPN feature enables secure tunnels to be established in an even tighter, per-user, per- application manner. Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs 5.2, 5.3 Integral device inspection capabilities can deny access and alert administrators when client anti-malware solutions are out-of-date, disabled, or otherwise misconfigured. Requirement 6: Develop and maintain secure systems and applications 6.6 NetScaler AppFirewall, available either as a standalone solution or an integrated module of the NetScaler application delivery controller, is an ICSA-certified solution that provides fully automated protection of public-facing web applications and web services from both known and unknown threats. Requirement 7: Restrict access to cardholder data by business need to know 7.2, 7.2.1, 7.2.2, 7.2.3 Granular, policy-based control over users, applications, devices and data enables organizations to implement definitive least privileges access control that truly limits access to cardholder data based on business need to know, with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role based access control, enables enforcement of privileges assigned to individuals based on job classification and function. Requirement 8: Identify and authenticate access to system components 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6 Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards. Requirement 9: Restrict physical access to cardholder data n/a n/a Requirement 10: Track and monitor all access to network resources and cardholder data 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3 Extensive logs/audit trails are maintained for all device configurations, system changes, alerts, access sessions and detected/prevented threats. Daily and periodic review of log data is supported with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party management solutions (including popular security event and information management systems). Requirement 11: Regularly test security systems and processes 11.4 NetScaler delivers multi-layer protection against distributed and non-distributed denial of service attacks designed to take down an enterprise’s external-facing services, or mask other threats/attacks intent on finding and ex-filtrating sensitive data. In addition, NetScaler AppFirewall uses an automatically updated database of signatures to scan for and block a wide range of known threats and vulnerability- based exploits. Requirement 12: Maintain a security policy that addresses information security for all personnel n/a n/a
1114/PDF Corporate Headquarters Fort Lauderdale, FL, USA Silicon Valley Headquarters Santa Clara, CA, USA EMEA Headquarters Schaffhausen, Switzerland India Development Center Bangalore, India Online Division Headquarters Santa Barbara, CA, USA Pacific Headquarters Hong Kong, China Latin America Headquarters Coral Gables, FL, USA UK Development Center Chalfont, United Kingdom About Citrix Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com. Copyright © 2014 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, XenDesktop,XenMobile, NetScaler Gateway and NetScaler AppFirewall are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Solutions Brief citrix.com PCI DSS Success 12

Recommandé

Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...
Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...
Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...IJERA Editor
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani Enterprise Security Software
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoJonathan Eubanks
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-IT Strategy Group
 

Recommandé

Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...
Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...
Analysis of Payment Card Industry Data Security Standard [PCI DSS] Compliance...IJERA Editor
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsVictor Oluwajuwon Badejo
 
PCI DSS Certification
PCI DSS CertificationPCI DSS Certification
PCI DSS Certificationhodonoghue
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani Enterprise Security Software
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
OmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoOmniNet MDS HIPPA Compliance Info
OmniNet MDS HIPPA Compliance InfoJonathan Eubanks
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-IT Strategy Group
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Pci dss v3-2-1
Pci dss v3-2-1Pci dss v3-2-1
Pci dss v3-2-1leon bonilla
 
Using Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI complianceUsing Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI complianceCisco Service Provider
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Brown Smith Wallace
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forwardNils Thulin
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Approach pci- dss
Approach pci- dssApproach pci- dss
Approach pci- dssVikrant Burbure
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceKimberly Simon MBA
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2waizou
 

Contenu connexe

Tendances

IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET Journal
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wpEdward Lam
 
Using Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI complianceUsing Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI complianceCisco Service Provider
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report- Mark - Fullbright
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance reportBee_Ware
 
Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Brown Smith Wallace
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetSafeNet
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forwardNils Thulin
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity ManagementDon Lovett
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote VendorsObserveIT
 

Tendances (20)

IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital ForensicIRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
 
Tripwire pci basics_wp
Tripwire pci basics_wpTripwire pci basics_wp
Tripwire pci basics_wp
 
Pci dss v3-2-1
Pci dss v3-2-1Pci dss v3-2-1
Pci dss v3-2-1
 
Using Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI complianceUsing Cisco’s VMDC to help facilitate PCI compliance
Using Cisco’s VMDC to help facilitate PCI compliance
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forward
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Approach pci- dss
Approach pci- dssApproach pci- dss
Approach pci- dss
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 

En vedette

Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2waizou
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsJason Dover
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defenseamiable_indian
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Schellman & Company
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceSchellman & Company
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveAlgoSec
 
Audit technique de code
Audit technique de codeAudit technique de code
Audit technique de codeMehdi TAZI
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...Amazon Web Services
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...Amazon Web Services
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceAlgoSec
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017Joseph John
 

En vedette (20)

Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2Devops mycode devoxx-france-2015-v2
Devops mycode devoxx-france-2015-v2
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Presentation_Borne
Presentation_BornePresentation_Borne
Presentation_Borne
 
Writing Secure Code – Threat Defense
Writing Secure Code – Threat DefenseWriting Secure Code – Threat Defense
Writing Secure Code – Threat Defense
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
 
PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016PCI Compliance NOT for Dummies epb 30MAR2016
PCI Compliance NOT for Dummies epb 30MAR2016
 
Audit technique de code
Audit technique de codeAudit technique de code
Audit technique de code
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous ComplianceReaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
Reaching PCI Nirvana: Ensure a Successful Audit & Maintain Continuous Compliance
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017CRS Company Overview -Feb 6 2017
CRS Company Overview -Feb 6 2017
 

Similaire à PCI DSS Success: Achieve Compliance and Increase Web Application Security

Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceRapid7
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standardsUlf Mattsson
 
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET Journal
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance ReportHolly Vega
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0David Spinks
 
PCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMROPCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMROFitCEO, Inc. (FCI)
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Cloud Standards Customer Council
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudCognizant
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyUlf Mattsson
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios
 
Presentation Pci-dss compliance on the cloud
Presentation Pci-dss compliance on the cloudPresentation Pci-dss compliance on the cloud
Presentation Pci-dss compliance on the cloudHassan EL ALLOUSSI
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White PaperRaz-Lee Security
 
Application Security and PA DSS Certification
Application Security and PA DSS CertificationApplication Security and PA DSS Certification
Application Security and PA DSS CertificationDigital Security
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceSonatype
 

Similaire à PCI DSS Success: Achieve Compliance and Increase Web Application Security (19)

Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI ComplianceBest Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
Best Practices to Protect Cardholder Data Environment and Achieve PCI Compliance
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
 
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and ChallengesIRJET- Data Privacy and Security Industry – Opportunities and Challenges
IRJET- Data Privacy and Security Industry – Opportunities and Challenges
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
Update to PCI DSS v3.2
Update to PCI DSS v3.2Update to PCI DSS v3.2
Update to PCI DSS v3.2
 
Update to PCI DSS v3.2
Update to PCI DSS v3.2Update to PCI DSS v3.2
Update to PCI DSS v3.2
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0Legal And Regulatory Issues Cloud Computing...V2.0
Legal And Regulatory Issues Cloud Computing...V2.0
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
PCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMROPCI DSS Reaper - Are you ready - VIMRO
PCI DSS Reaper - Are you ready - VIMRO
 
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0Security for Cloud Computing: 10 Steps to Ensure Success V3.0
Security for Cloud Computing: 10 Steps to Ensure Success V3.0
 
Ensuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the CloudEnsuring PCI DSS Compliance in the Cloud
Ensuring PCI DSS Compliance in the Cloud
 
Evolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technologyEvolving regulations are changing the way we think about tools and technology
Evolving regulations are changing the way we think about tools and technology
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
 
Presentation Pci-dss compliance on the cloud
Presentation Pci-dss compliance on the cloudPresentation Pci-dss compliance on the cloud
Presentation Pci-dss compliance on the cloud
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 
Application Security and PA DSS Certification
Application Security and PA DSS CertificationApplication Security and PA DSS Certification
Application Security and PA DSS Certification
 
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI ComplianceTools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance
 

Plus de Citrix

Building The Digital Workplace
Building The Digital WorkplaceBuilding The Digital Workplace
Building The Digital WorkplaceCitrix
 
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Citrix
 
XenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideXenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideCitrix
 
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformDeploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformCitrix
 
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityManage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityCitrix
 
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?Citrix
 
Workforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityWorkforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityCitrix
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix
 
The Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapThe Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapCitrix
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix
 
Citrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix
 
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix
 
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesSynergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesCitrix
 
Who Are Citrix Customers?
Who Are Citrix Customers?Who Are Citrix Customers?
Who Are Citrix Customers?Citrix
 
Manage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageManage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageCitrix
 
Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Citrix
 
Life in the Digital Workspace
Life in the Digital WorkspaceLife in the Digital Workspace
Life in the Digital WorkspaceCitrix
 
Comparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesComparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesCitrix
 
4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 MigrationCitrix
 
Citrix Paddington
Citrix PaddingtonCitrix Paddington
Citrix PaddingtonCitrix
 

Plus de Citrix (20)

Building The Digital Workplace
Building The Digital WorkplaceBuilding The Digital Workplace
Building The Digital Workplace
 
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace Maximize your Investment in Microsoft Office 365 with Citrix Workspace
Maximize your Investment in Microsoft Office 365 with Citrix Workspace
 
XenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment GuideXenApp on Google Cloud Deployment Guide
XenApp on Google Cloud Deployment Guide
 
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud PlatformDeploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
Deploying Citrix XenApp & XenDesktop Service on Google Cloud Platform
 
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business ProductivityManage Risk by Protecting the Apps and Data That Drive Business Productivity
Manage Risk by Protecting the Apps and Data That Drive Business Productivity
 
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
How do Organizations Plan to Assure Application Delivery in a Multi-Cloud World?
 
Workforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & ProductivityWorkforce Flexibility Can Drive Greater Engagement & Productivity
Workforce Flexibility Can Drive Greater Engagement & Productivity
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment Guide
 
The Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity GapThe Growing U.S. IT Productivity Gap
The Growing U.S. IT Productivity Gap
 
Citrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment GuideCitrix Cloud Services: Total Economic Benefits Assessment Guide
Citrix Cloud Services: Total Economic Benefits Assessment Guide
 
Citrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch NotesCitrix Synergy 2017: Technology Keynote Sketch Notes
Citrix Synergy 2017: Technology Keynote Sketch Notes
 
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch NotesCitrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
Citrix Synergy 2017: Malcolm Gladwell Innovation Super Session Sketch Notes
 
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch NotesSynergy 2017: Colin Powell Innovation Super Session Sketch Notes
Synergy 2017: Colin Powell Innovation Super Session Sketch Notes
 
Who Are Citrix Customers?
Who Are Citrix Customers?Who Are Citrix Customers?
Who Are Citrix Customers?
 
Manage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usageManage risk by protecting apps, data and usage
Manage risk by protecting apps, data and usage
 
Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working Enterprise Case Study: Enabling a More Mobile Way of Working
Enterprise Case Study: Enabling a More Mobile Way of Working
 
Life in the Digital Workspace
Life in the Digital WorkspaceLife in the Digital Workspace
Life in the Digital Workspace
 
Comparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspacesComparing traditional workspaces to digital workspaces
Comparing traditional workspaces to digital workspaces
 
4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration4 Ways to Ensure a Smooth Windows 10 Migration
4 Ways to Ensure a Smooth Windows 10 Migration
 
Citrix Paddington
Citrix PaddingtonCitrix Paddington
Citrix Paddington
 

Dernier

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 

Dernier (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 

PCI DSS Success: Achieve Compliance and Increase Web Application Security

  • 1. Solutions Brief citrix.com PCI DSS Success: Achieve Compliance and Increase Web Application Security Protect web applications and cardholder information with solutions from Citrix
  • 2. Solutions Brief citrix.com PCI DSS Success 2 Beginning in January of 2015, all entities that store, process, or transmit cardholder data (CHD) will be subject to version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS). Although the changes introduced in this latest revision are relatively modest in scope, achieving and demonstrating compliance with its approximately three hundred individual requirements will still be a significant challenge, and investment, for most organizations. This white paper examines the prevailing conditions driving evolution of the PCI DSS and the resulting challenges facing today’s IT departments. It explains how Citrix® application delivery, virtualization and mobility solutions can help ease the PCI compliance burden while substantially improving the resiliency and security of an organization’s business-critical web applications. By leveraging Citrix NetScaler® , XenDesktop® , XenMobile® and other related components, IT security and compliance teams can: • Tightly control who has access to and maintain isolation of all corporate systems involving CHD – including for remote/mobile employees and external users. • Reduce the total cost of PCI compliance by satisfying numerous individual requirements with a tightly integrated platform for delivering and protecting IT services. • Reap the rewards of capabilities that go above and beyond the minimum requirements of the PCI DSS to not only provide superior protection against today’s threats but also deliver a future-proof compliance solution capable of keeping up with the standard as it continues to evolve. The net result is a solution set that enables businesses to streamline PCI compliance, both now and in the future, while also ensuring the availability, accessibility and security of business-critical applications and services. The Threat: No Signs of Slowing Down The original issues leading to the development and ensuing enforcement of the PCI DSS are alive and well today. If anything, in fact, the situation has gotten substantially worse in recent years. Just consider the following statistics: • Between 2009 and 2013, global losses from payment card fraud increased 100%, from $7 billion to $14 billion1 . • Between January 2008 and October 2014, the total number of records containing sensitive personal information involved in security breaches in the United States since 2005 increased nearly 330%, from 217 million to 930 million2 . • According to the Verizon 2014 PCI Compliance Report, payment card data remains one of the easiest types of data to convert to cash – which is why 74 percent of attacks on retail, accommodation, and food services companies target this type of information3 . 1. http://www.businessinsider.com/the-us-accounts-for-over-half-of-global-payment-card-fraud-sai-2014-3 2. http://www.privacyrights.org/data-breach 3. http://www.verizonenterprise.com/pcireport/2014/
  • 3. Solutions Brief citrix.com PCI DSS Success 3 • In a survey conducted by Software Advice, more than three-quarters of consumers indicated they would be less likely or completely unwilling to buy products from a company that allowed their personal data to be compromised4 . High-profile breaches of major retailers, financial institutions and a wide variety of other businesses that process credit card data only serve to further demonstrate the need for better protection of sensitive customer information. The Response: Evolution of the PCI DSS To address mounting threats and account for the steady adoption of new technologies and delivery models, the PCI Security Standards Council has a plan in place to review prevailing conditions and issue updates to the PCI DSS approximately every three years. Consistent with this objective, version three of the standard, published in November of 2013, starts being enforced by auditors as of January 1, 2015. This latest iteration of the PCI DSS retains and builds on the same framework of core requirements used from the beginning (see Table 1). In fact, the vast majority of changes in version 3 are relatively minor tweaks that only clarify existing sub-requirements. PCI Data Security Standard – High Level Overview Organizing Principles Core Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personne 4. http://www.internetretailer.com/2014/07/17/consumer-confidence-shifts-physical-online-retailers source: page 5 of https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
  • 4. Solutions Brief citrix.com PCI DSS Success 4 As for entirely new or significantly enhanced sub-requirements, version 3 introduces twenty of those. Notable examples include: • New requirement 1.1.3, for a current diagram that shows cardholder data flows. • New requirement 2.4, to maintain an inventory of system components in scope for PCI DSS to support development of configuration standards. • New requirement 6.5.10, for coding practices to protect against broken authentication and session management. • New requirement 8.5.1, for service providers with remote access to customer premises to use unique authentication credentials for each customer. • New requirement 11.3.4, to perform penetration tests to verify that the segmentation methods used to isolate the cardholder data environment (CDE) from other networks are operational and effective. For reference purposes, a complete summary of all clarifications, enhanced requirements, and new requirements incorporated in version 3 of the PCI DSS can be obtained here: https://www. pcisecuritystandards.org/documents/PCI_DSS_ v3_Summary_of_Changes.pdf PCI Compliance Challenges Taken individually, few, if any, of the new requirements or other changes introduced with version 3 of the PCI DSS qualify as being particularly onerous. This doesn’t change the fact, however, that achieving, maintaining and demonstrating compliance with the PCI DSS in its entirety requires a significant investment of time, effort and financial resources by those organizations that are subject to it. Related challenges to also acknowledge include the fact that being compliant does not necessarily translate into being adequately protected from advanced cyber threats, and that web applications, in particular, require closer attention due to the relative degree of risk they present. Compliance requires a significant investment Achieving compliance with the PCI DSS means having and maintaining an answer for approximately three hundred requirements for each and every system component included in or connected to the organization’s CDE. To reduce their compliance burden, security and networking teams need to fully exploit network segmentation techniques and technologies that can effectively isolate their organization’s CDE and shrink the amount of infrastructure designated as in-scope. Along with trimming the cost and complexity of PCI compliance, such an approach improves an organization’s ability to contain the spread of threats and simplifies associated troubleshooting and forensic efforts. For those components that remain in scope, a second strategy to reduce compliance cost and complexity is to focus on solutions that simultaneously address numerous requirements, ideally in a tightly integrated manner. Not only is the alternative of having many more solutions – each of which only covers a few requirements – often prohibitive from a cost perspective, it also leads to a highly fragmented security architecture and increased likelihood of “events of significance” slipping through the resulting gaps. Compliance doesn’t equal security The PCI DSS itself indicates that it is only a “baseline” of requirements for protecting CHD. In other words, it represents a minimum standard of due care, rather than a comprehensive treatment of everything any given organization needs to do to sufficiently defend its CDE.
  • 5. Solutions Brief citrix.com PCI DSS Success 5 Compounding this situation is the nominal three-year period between updates to the PCI DSS. The delay this introduces pretty much guarantees that the specified requirements lag behind significant changes to the technology and threat landscapes, which are unfolding at a much quicker pace. The net result is that security teams will typically need to go above and beyond the requirements of the PCI DSS, both to adequately defend against emerging threats and to more closely match their organization’s actual tolerance for risk. Web applications require more attention As the front door to all sorts of lucrative information, including CHD, web applications lie squarely in the crosshairs of today’s hackers. It also doesn’t help matters that web applications and the technologies used to build them have proven to be notoriously vulnerable. Just consider the following statistics, all from 20135 : • 77% of public websites scanned were found to contain vulnerabilities • 1 in 8 websites was found to contain a critical vulnerability, making it relatively easy for hackers to gain access to sensitive data, alter the website’s content, or compromise visitors’ computers • Approximately 67 percent of websites used to distribute malware were identified as legitimate, compromised websites Another significant challenge is the increasing complexity of web properties and the diversity of components now requiring protection. These include: • Cloud-hosted web apps/sites and content delivery networks • SaaS and other cloud delivery options, such as platform as a service (PaaS) and infrastructure as a service (IaaS), where the enterprise owns and controls progressively less of the solution • Mashups, where content is dynamically pulled together from numerous external sites • Mobile solutions, where device-side micro apps communicate to sophisticated web- based back ends Strictly speaking, the issue here is not a deficiency with the PCI DSS. Section 6.6 already acknowledges the need to protect public- facing web applications by requiring organizations either to assess them for vulnerabilities or front-end them with an automated solution for detecting and protecting web-based attacks, such as a web application firewall. Instead, the issue is one of organizations not pursuing these and other complementary measures as broadly or deeply as they actually need to be performed to sufficiently address the associated risks. As a starting point for remedying this situation, security and compliance teams should consider the set of recommendations outlined in Appendix 1, “A Recipe for Web Application Protection and Compliance.” To further address the challenges of PCI compliance, they should also consider the market-leading solutions from Citrix discussed in the following sections. Citrix Solutions That Help with PCI Compliance Used either individually or in conjunction with one another, each of the following Citrix solutions provides organizations with an extensive array of capabilities to help ensure the security, accessibility, and usability of their business-critical web applications. Equally important is how they help organizations achieve compliance with the PCI DSS. 5. http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
  • 6. Solutions Brief citrix.com PCI DSS Success 6 Citrix NetScaler Citrix NetScaler is an all-in-one application delivery controller that enables organizations to address all of their web application security and optimization needs with a single, strategic platform. In addition to supporting NetScaler AppFirewall and NetScaler Gateway™ as tightly integrated software modules, NetScaler provides an extensive set of load balancing, application acceleration and infrastructure- layer security capabilities – including extensive protections for DDoS attacks. The result is a highly cost effective solution that thoroughly secures an organization’s web applications at the same time that it substantially enhances their performance, accessibility, and availability. With NetScaler MobileStream, these same capabilities and benefits are extended to also ensure optimal performance and security for mobile networks and services. NetScaler AppFirewall NetScaler AppFirewall™ is the industry’s highest performing, ICSA-certified and NSS Labs Recommended solution for protecting web and web services applications from all known and zero-day application-layer attacks6 . Featuring a hybrid security model, NetScaler AppFirewall blocks all deviations from normal application behavior while efficiently scanning for thousands of automatically updated threat and vulnerability signatures. It analyzes all bi-directional traffic, including SSL-encrypted sessions, to protect against an extensive range of threats without any modification to the applications its defending. In support of PCI security audits, NetScaler AppFirewall can generate a comprehensive report that not only details all security protections defined in the application firewall policy that pertain to PCI requirements, but also highlights those configuration settings that are “out-of-compliance.” In addition, administrators can configure it to prevent the inadvertent leakage or theft of sensitive information, such as credit card numbers or custom-defined data objects, by either removing or masking content from application responses, so that sensitive information is not disclosed to anyone without a “need to know.” NetScaler Gateway NetScaler Gateway is a secure application, desktop and data access solution that gives IT administrators granular application-level and device-level policy and action controls over access to corporate content, while allowing users to work from anywhere using SmartAccess and the XenMobile Micro VPN technologies. It provides a single point of control and tools to help IT administrators ensure compliance with regulations and protect corporate information with the highest levels of security, both within and outside the enterprise. At the same time, NetScaler Gateway empowers users with a single point of access— optimized for roles, applications, devices and networks—to the enterprise applications and data they need. This unique combination of capabilities helps maximize the productivity of today’s mobile workforce. Citrix XenDesktop XenDesktop is a comprehensive desktop virtualization and VDI solution that delivers a complete Windows desktop and application experience as an on-demand cloud service. With XenDesktop, IT teams can quickly and securely deliver any type of virtual desktop or Windows, web and SaaS application to any PC, Mac, tablet, smartphone, laptop or thin client – all with a high-definition user experience. In terms of PCI compliance, a major advantage of XenDesktop is that it introduces an operating model that effectively isolates client networks and devices from the datacenter and CDE, 6. http://www.citrix.com/content/dam/citrix/en_us/documents/oth/web-application-firewall-comparative-analysis.pdf
  • 7. Solutions Brief citrix.com PCI DSS Success 7 thereby allowing them to be designated as “out of scope.” With XenDesktop, general-purpose, always-on and full-network layer connections can be replaced with tightly controlled and monitored access to individual applications and resources. Moreover, the nature of this “access” is such that while users retain all of the application functionality they are used to, the target resources – including all CHD and other sensitive data – never leave the CDE/datacenter. Citrix XenMobile XenMobile is a comprehensive solution for managing mobile devices, apps and data. With XenMobile, users have single-click access to all of their mobile, SaaS and Windows apps from a unified corporate app store, while IT gains control over mobile devices with full configuration, security, provisioning and support capabilities. Users get the freedom to experience work and life their way, while IT gets the capabilities and control it needs to extend protection across the mobile environment and ensure compliance with applicable standards and regulations. Key features and capabilities IT teams can leverage to help achieve PCI DSS compliance include the following: • Tight integration with NetScaler Gateway melds “need to know” with “secure enough to know” by delivering the ability to tightly control which users have access to which resources, under which specific operating conditions and from which devices. • The Micro VPN features replaces full network- layer connections with secure, per-application tunnels, thereby reducing the potential for users (or hackers) to “hop around” and gain access to other, unauthorized systems and resources. • For Worx-enabled mobile apps, a dedicated, encrypted workspace provides protection for all sensitive data regardless of who owns the client device. Meeting and Exceeding Multiple PCI Requirements Together, the Citrix solutions introduced in the previous section provide a tightly integrated platform that enables enterprise security and compliance teams to meet and, in many cases, exceed numerous PCI DSS requirements. Requirement 1: Install and maintain a firewall configuration to protect cardholder data The Citrix platform can be used to deny all traffic from untrusted networks and hosts (requirement 1.2) by restricting connections to: • Approved protocols and methods. • Sessions originating from trusted networks and devices. • Authenticated users with right levels of authorization for the resources being accessed. • Precisely the individual resources needed, as opposed to entire segments/networks. It can also be used to facilitate implementation of a DMZ (requirement 1.3) by providing highly secure, fully locked-down intermediary devices for brokering, controlling and monitoring traffic from/to the Internet. Requirement 2: Protect stored cardholder data Logging capabilities can be configured to omit card verification codes, personal identification numbers (PINs) and primary account numbers (PANs) from transaction and activity logs (requirements 3.2.2, 3.2.3, and 3.4). In addition, NetScaler AppFirewall can mask or block PANs (requirement 3.3) and otherwise prevent leakage of CHD, regardless of programmer oversight, logic flaws or targeted attacks.
  • 8. Solutions Brief citrix.com PCI DSS Success 8 FIPS 140-2, Level 2 compliant versions of NetScaler, NetScaler AppFirewall and NetScaler Gateway provide secure storage for the keys and certificates used for encryption of cardholder data and all application-specific and network-layer connections/tunnels (requirement 3.5.2). Requirement 3: Encrypt transmission of cardholder data across open, public networks Each of the Citrix solutions can be used to SSL- enable applications that were not designed to use secure communications protocols (requirement 4.1). In addition, the NetScaler AppFirewall can inspect the contents of all SSL/ TLS encrypted sessions, ensuring session validity and blocking attacks – a capability that is not generally available in traditional network firewall and intrusion prevention products. Requirement 4: Protect all systems against malware and regularly update anti-virus software or programs. Integral device inspection capabilities can deny access and alert administrators when client anti- malware solutions are out-of-date, disabled, or otherwise misconfigured (requirements 5.2 and 5.3). Going above and beyond the letter of the PCI DSS requirements, the Citrix platform also provides an additional layer of malware protection for all devices and systems by delivering a robust set of network-based defenses for both known and unknown threats. Requirement 5: Develop and maintain secure systems and applications As discussed previously, NetScaler AppFirewall provides unparalleled protection against threats and vulnerabilities targeting modern web applications and services, in all of their diverse and complex forms. Requirements 6/7: Restrict access to cardholder data by business need to know / Identify and authenticate access to system components The Citrix solutions support all of the associated sub-requirements. Robust policy development and enforcement capabilities enable granular control over who has access and to which specific information resources. Support is provided for multiple user authentication mechanisms, including the use of two-factor methods for remote access scenarios, and all passwords are encrypted during transmission. Conclusion Citrix application delivery, desktop virtualization, and mobility management solutions substantially reduce the burden of achieving, maintaining and demonstrating compliance with the Payment Card Industry Data Security Standard, while simultaneously improving the security, accessibility, and performance of an organization’s web applications and mobile services. By taking advantage of Citrix NetScaler, NetScaler AppFirewall, NetScaler Gateway, Citrix XenDesktop and Citrix XenMobile IT security and compliance teams can: • Tightly control who has access to and maintain isolation of all corporate systems involving cardholder data – including for remote/mobile employees and external users. • Reduce the total cost of PCI compliance by satisfying numerous individual requirements with a tightly integrated platform for delivering and protecting IT services. • Reap the rewards of capabilities that go above and beyond the minimum requirements to not only provide superior protection against today’s threats but also deliver a future-proof PCI compliance solution capable of keeping up with the standard as it continues to evolve.
  • 9. Solutions Brief citrix.com PCI DSS Success 9 For more information on Citrix NetScaler and other solutions from Citrix, please visit www.citrix.com. Appendix 1: A Recipe for Web Application Protection and Compliance The following recommendations outline an approach organizations can use to improve the security of their web application environments and cost effectively ensure compliance with applicable PCI DSS requirements. Recommendation #1 – Establish and minimize the scope of the problem Inventory all web applications and associated data stores. Eliminate all instances of capturing/ storing prohibited information. Re-assess the need to handle and/or store all other cardholder information. If it is not needed, then it should not be processed/stored. Follow the other recommendations below to ensure that all remaining cardholder data is efficiently and effectively protected at all times. Recommendation #2 – Approach PCI DSS compliance sensibly Although requirement 6.6 of the PCI DSS presents a choice between conducting code reviews and installing an application layer firewall, organizations need to understand that the best approach is to implement both of these measures. That said, if a choice must be made – perhaps due to financial constraints – then organizations should favor the approach of using an application layer firewall because of the numerous advantages it yields, including delivering protection that is continuous, that accounts for both known and unknown attacks, and that accommodates multiple applications simultaneously. Recommendation #3 – Approach PCI DSS compliance strategically To the extent possible, ensure that actions taken to fulfill a specific requirement can actually be leveraged to support multiple requirements, or at least help address other needs the enterprise has – including compliance with other regulations. Overall, this strategy should not be difficult to pursue, especially since the requirements of the PCI DSS are fundamentally sound security practices that can be applied to all types of data and computing resources. For example, web application firewalls: (a) can be used to address numerous PCI DSS requirements, (b) can be used to protect more than just CHD, and (c) at least in the case of the Citrix offering, can be deployed in the form of a full-featured application delivery controller that also provides substantial performance and availability benefits. Recommendation # 4 – Approach PCI DSS compliance as an ongoing/continuous effort On one hand, compliance must be re-validated annually. On the other hand, an even more important concern is that the organization does not suffer a loss/theft of cardholder data, at any time, period. As a result, security operations personnel should routinely audit the usage logs for web applications to help detect any abnormal or unauthorized activities that might be occurring. Furthermore, organizations need to account for the fact that web applications are rarely static; they are always being modified to incorporate new
  • 10. Solutions Brief citrix.com PCI DSS Success 10 functionality. As a result, the security team will need to periodically re-assess all web applications to ensure they are still handling sensitive information properly. In this regard, a web application firewall could be used (a) to alert an administrator of any changes in application behavior that may result in violations, and (b) to mitigate the deficient condition until such time that the application is fixed. Finally, it is also unlikely that the applicable requirements will remain static. Organizations, therefore, must monitor the activities of the PCI Security Standards Council and be prepared to address any new requirements that emerge. Once again, a robust web application firewall could be a boon in such a situation based on its potential to support compliance without having to modify all of the affected applications. Recommendation #5 – Approach compliance realistically Despite all of an organization’s best efforts, the potential for a security incident involving cardholder data will always remain. Stakeholders must manage expectations accordingly and be prepared for such a situation. Having the appropriate people, processes, and technology in place in advance is critical to being able to execute a swift response and minimize the impact – including any fallout from governing regulatory bodies. Recommendation # 6 – Be sure to secure the back end Web applications rarely operate alone. They may be the primary interface for handling data, but they almost always rely on databases as well. Thus, organizations ultimately need to implement appropriate security measures for these crucial back-end components too, including: access control, data encryption, and logging/auditing for all data access and configuration activities. Appendix 2: PCI Security Requirements Supported by Citrix Solutions Citrix application networking, virtualization, and mobility solutions support many of the approximately three hundred requirements specified in the PCI DSS, as summarized in the following table. PCI DSS Requirement Supported Sub-Requirements Description of Capabilities Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.2, 1.2.1, 1.3, 1.3.1, 1.3.8 Features such as SmartAccess, Micro VPN and centralized authentication and authorization capabilities enable administrators to fully implement a least privileges access control model for all networks involving cardholder data (i.e., deny all users, devices, applications, and data except for that which is necessary). Availability of security-hardened appliances facilitates creation of DMZs to act as buffer zones between the Internet and internal CDE networks and systems. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1, 2.2, 2.2.3, 2.3 The NetScaler/NetScaler AppFirewall PCI Compliance Report indicates whether the default password has been changed for the system’s root account and flags use/availability of insecure management protocols or interfaces. In addition, all solution components require user authentication and implement strong encryption for all non-console and remote administration sessions, whether the component is accessed directly or via the applicable central management system (e.g., Command Center).
  • 11. Solutions Brief citrix.com PCI DSS Success 11 Requirement 3: Protect stored cardholder data 3.2, 3.2.2, 3.2.3, 3.3, 3.4, 3.5, 3.5.2 NetScaler AppFirewall enables masking/blocking of Primary Account Numbers (PANs), and a confidential logging feature can be utilized to keep all PANs and other sensitive authentication data (SAD) from being logged. FIPS 140-2, Level 2 compliant hardware appliances, provides secure storage of private keys used for encrypting cardholder data and related communication sessions. Requirement 4: Encrypt transmission of cardholder data across open, public networks 4.1, 4.2 Secure remote access is enabled by a full-featured SSLVPN capability. In addition, the Micro VPN feature enables secure tunnels to be established in an even tighter, per-user, per- application manner. Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs 5.2, 5.3 Integral device inspection capabilities can deny access and alert administrators when client anti-malware solutions are out-of-date, disabled, or otherwise misconfigured. Requirement 6: Develop and maintain secure systems and applications 6.6 NetScaler AppFirewall, available either as a standalone solution or an integrated module of the NetScaler application delivery controller, is an ICSA-certified solution that provides fully automated protection of public-facing web applications and web services from both known and unknown threats. Requirement 7: Restrict access to cardholder data by business need to know 7.2, 7.2.1, 7.2.2, 7.2.3 Granular, policy-based control over users, applications, devices and data enables organizations to implement definitive least privileges access control that truly limits access to cardholder data based on business need to know, with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role based access control, enables enforcement of privileges assigned to individuals based on job classification and function. Requirement 8: Identify and authenticate access to system components 8.1, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6 Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards. Requirement 9: Restrict physical access to cardholder data n/a n/a Requirement 10: Track and monitor all access to network resources and cardholder data 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3 Extensive logs/audit trails are maintained for all device configurations, system changes, alerts, access sessions and detected/prevented threats. Daily and periodic review of log data is supported with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party management solutions (including popular security event and information management systems). Requirement 11: Regularly test security systems and processes 11.4 NetScaler delivers multi-layer protection against distributed and non-distributed denial of service attacks designed to take down an enterprise’s external-facing services, or mask other threats/attacks intent on finding and ex-filtrating sensitive data. In addition, NetScaler AppFirewall uses an automatically updated database of signatures to scan for and block a wide range of known threats and vulnerability- based exploits. Requirement 12: Maintain a security policy that addresses information security for all personnel n/a n/a
  • 12. 1114/PDF Corporate Headquarters Fort Lauderdale, FL, USA Silicon Valley Headquarters Santa Clara, CA, USA EMEA Headquarters Schaffhausen, Switzerland India Development Center Bangalore, India Online Division Headquarters Santa Barbara, CA, USA Pacific Headquarters Hong Kong, China Latin America Headquarters Coral Gables, FL, USA UK Development Center Chalfont, United Kingdom About Citrix Citrix (NASDAQ:CTXS) is a leader in mobile workspaces, providing virtualization, mobility management, networking and cloud services to enable new ways to work better. Citrix solutions power business mobility through secure, personal workspaces that provide people with instant access to apps, desktops, data and communications on any device, over any network and cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million users globally. Learn more at www.citrix.com. Copyright © 2014 Citrix Systems, Inc. All rights reserved. Citrix, NetScaler, XenDesktop,XenMobile, NetScaler Gateway and NetScaler AppFirewall are trademarks of Citrix Systems, Inc. and/or one of its subsidiaries, and may be registered in the U.S. and other countries. Other product and company names mentioned herein may be trademarks of their respective companies. Solutions Brief citrix.com PCI DSS Success 12