
XYGATE & PCI COMPLIANCE

A Solution Paper

JULY, 2007

XYPRO Technology Corporation


3325 Cochran Street, Suite 200 Simi Valley, California 93063-2528 U.S.A. Email: info@xypro.com Telephone: + 1 805-583-2874 FAX: + 1 805-583-0124

Copyright 2007 by XYPRO Technology Corporation. All rights reserved.

Trademark Acknowledgments
The following are trademarks or service marks of Hewlett-Packard Company:

Distributed System Management (DSM) EDIT ENFORM Enscribe Event Management Service (EMS) FUP Guardian MEASURE NETBATCH NonStop

NonStop Kernel NonStop SQL PATHCOM PATHWAY SAFECOM SAFEGUARD SCUP SPOOLCOM TACL TEDIT

The following are trademarks or service marks of XYPRO Technology Corporation:

XY-2K XYCLOPS XYDOC XYDOC II XYGATE XYGATE/AC XYGATE/CD XYGATE/CM XYGATE/EFTP XYGATE/ESDK XYGATE/FE XYGATE/KM XYGATE/LD XYGATE/MA

XYGATE/MI XYGATE/OS XYGATE/PC XYGATE/PM UM XYGATE/PQ XYGATE/SE XYGATE/SE40 XYGATE/SM XYGATE/SP XYGATE/SR XYGATE/SW XYGATE/UA XYPRO XYTIMER XYWATCH

Table of Contents
PCI COMPLIANCE AND THE HP NONSTOP SERVER ENTERPRISE
  Introduction
  Overview
  PCI Application To NonStop Server Systems
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Requirement 5: Use and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
  Requirement 12: Maintain a policy that addresses information security for employees and contractors
  Conclusion
  Disclaimer
PCI REQUIREMENTS SUMMARY
XYGATE PRODUCTS

PCI Compliance and the HP NonStop Server Enterprise


Introduction
PCI is a standard based on the Visa Account Information Security (AIS) and Cardholder Information Security (CISP) programs, the MasterCard Site Data Protection (SDP) program, the American Express Data Security Operating Policy (DSOP), Discover Information Security and Compliance (DISC), and the JCB International credit card security standards. These companies worked together to merge their standards into a single standard that is much easier to implement for companies that accept payment card transactions. The entire PCI standard can be found at https://www.pcisecuritystandards.org/. This paper shows where PCI applies to HP NonStop™ Server enterprises and how XYPRO products can help IT groups in their efforts to comply with the standard. It provides a summary list of the PCI requirements and explains the XYGATE products applicable to each.

Overview
The Payment Card Industry Data Security Standard (PCI DSS) defines how payment card (credit and debit) information should be handled. Both physical and logical security measures are considered. The PCI Security Standards Council is the organization that maintains the PCI standards and works to broaden the number of merchants and processors that have implemented them. PCI compliance is required by the various payment card organizations and enforced through the agreements these organizations have with their merchants and processors. The payment card organizations set different validation requirements for merchants and service providers based on transaction volume. The following table shows some of the requirements of the various payment card brands.

Payment Card                       Level  Annual Onsite Assessment  Self Assessment  Quarterly Network Assessment
Visa Service Provider              1      QSA (1)                   No               ASV (2)
Visa Service Provider              2      QSA                       No               ASV
Visa Service Provider              3      No                        Yes              ASV
Visa Merchant                      1      QSA                       No               ASV
Visa Merchant                      2      No                        Yes              ASV
Visa Merchant                      3      No                        Yes              ASV
Visa Merchant                      4      No                        Yes              ASV
MasterCard Service Provider        1      QSA                       No               ASV
MasterCard Service Provider        2      QSA                       No               ASV
MasterCard Service Provider        3      No                        Yes              ASV
MasterCard Merchant                1      QSA                       No               ASV
MasterCard Merchant                2      No                        Yes              ASV
MasterCard Merchant                3      No                        Yes              ASV
MasterCard Merchant                4      No                        Yes              ASV
American Express Service Provider  -      Yes                       No               ASV
American Express Merchant          1      Yes                       No               ASV
American Express Merchant          2      No                        No               ASV
American Express Merchant          3      No                        No               Recommended

(1) QSA means that only a company certified as a Qualified Security Assessor can perform the annual onsite assessment.
(2) ASV means that only a company certified as an Approved Scanning Vendor can perform the quarterly network assessment.

PCI Application To NonStop Server Systems


The PCI standard must be implemented by service providers and merchants to secure cardholder data in an orderly, consistent manner. The PCI standard is divided into twelve requirements, grouped into six areas:

Area                                         Requirement  Title
Build and Maintain a Secure Network          1            Firewalls
Build and Maintain a Secure Network          2            Eliminate vendor defaults
Protect Cardholder Data                      3            Protect stored data
Protect Cardholder Data                      4            Encrypt data during transmission
Maintain a Vulnerability Management Program  5            Use and update anti-virus software
Maintain a Vulnerability Management Program  6            Develop and maintain secure systems and applications
Implement Strong Access Control Measures     7            Restrict access by need-to-know
Implement Strong Access Control Measures     8            Assign a unique ID to each user who has access
Implement Strong Access Control Measures     9            Restrict physical access to cardholder data
Monitor and Test Networks                    10           Track and monitor all access to network resources and cardholder data
Monitor and Test Networks                    11           Regularly test security systems and processes
Maintain an Information Security Policy      12           Maintain a policy that addresses information security

Because standards have to apply to a diverse array of service providers and merchants, which can range from multinational, multi-billion dollar organizations to small community banks and even smaller merchants, the PCI standards are stated as simply as possible, without specific details of how the goal of each standard is to be achieved. One first step that any organization using HP NonStop servers can take in meeting these standards is to obtain the definitive books on HP NonStop Server security, Securing Your HP NonStop Server: A Practical Handbook (ISBN: 978-1555583149) and Securing HP NonStop Servers In An Open Systems World: TCP/IP, OSS and SQL (ISBN: 978-1555583446). A second step would be the use of XYPRO's XYGATE/SW Security Compliance Wizard. This product, with its friendly and flexible GUI, can greatly assist in determining the differences between the current security configuration of a NonStop server system and the configuration required by the security standards defined by PCI.

What follows is a discussion of each set of PCI requirements, with an explanation of how XYPRO's XYGATE products can be used to meet the IT department's compliance requirements for payment card applications in the NonStop Server areas of the enterprise.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data


1.1 Establish firewall configuration standards that include:
  1.1.1 A formal process for approving and testing all external network connections
  1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks
  1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
  1.1.4 Description of groups, roles, and responsibilities for logical management of network components
  1.1.5 Documented list of services and ports necessary for business
  1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)
  1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP)), including the reason for use of the protocol and the security features implemented
  1.1.8 Quarterly review of firewall and router rule sets
  1.1.9 Configuration standards for routers
1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.
1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system components storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:
  1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters)
  1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
  1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network)
  1.3.4 Placing the database in an internal network zone, segregated from the DMZ
  1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment
  1.3.6 Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers) and start-up configuration files (used when machines are re-booted) should have the same secure configuration
  1.3.7 Denying all other inbound and outbound traffic not specifically allowed
  1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment, or to control that traffic if it is necessary for business purposes
  1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network
1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files)
  1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic
  1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ
1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT)

Discussion: The goal of this requirement is to assure the payment card companies that the most common external threat, compromise of the network from outside, is reduced. The most effective way of controlling an external access point is to put a firewall in front of it. This requirement describes the minimum firewall implementation needed to provide that assurance.

XYGATE Solution: The great majority of the points within this requirement are met with a properly implemented and maintained firewall. The protection required by point 1.4 can be substantially enhanced on the NonStop platform by using XYGATE/CM to limit incoming IP addresses by the service requested. This permits the security administrator, for example, to enable one set of IP addresses for FTP use, another for ODBC, and a third for Telnet access to an interactive TACL session.

Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters.
2.1 Always change vendor-supplied defaults before installing a system on the network (for example, passwords and simple network management protocol (SNMP) community strings), and eliminate unnecessary accounts.
  2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by the SysAdmin, Audit, Network, Security (SANS) Institute, the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS).
  2.2.1 Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers).

  2.2.2 Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function)
  2.2.3 Configure system security parameters to prevent misuse
  2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.
2.4 Hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: "PCI DSS Applicability for Hosting Providers."

Discussion: This requirement tightens security by removing all the expected values from the initial system. Each point within the requirement deals with a different area of initial system setup. Many of these changes are human driven, requiring adherence to Corporate Policies, Procedures, and Documentation to set the values and audit investigation to ensure that the manual procedures are followed. The system configuration must then be monitored on a regular basis.

XYGATE Solution: XYGATE/SW can be used to monitor the system security configuration. By using XYGATE/SW System Policies, Best Practices, and Integrity Checks, the configuration can be examined to assure that inappropriate values are not present, and flags raised if they are found. Some examples are:
- Flagging userids whose passwords have expired, have never been changed, or which have not been used in the recent past
- Comparing Safeguard globals to Best Practice values, flagging any value that deviates from the desired setting
- Specifically monitoring SUPER.SUPER and NULL.NULL, the two default userids that are delivered with the system
- Setting Integrity Checks on important system configuration files and startup scripts, such as the PORTCONF definition file, Safeguard startup file, Spooler startup file, TCP/IP startup file, and TMF startup file, to ensure that any change is detected
Best Practices for the NonStop server are defined in the books Securing Your HP NonStop Server: A Practical Handbook (ISBN: 978-1555583149) and Securing HP NonStop Servers In An Open Systems World: TCP/IP, OSS and SQL (ISBN: 978-1555583446). XYGATE/SW, the Security Compliance Wizard, has these Best Practices pre-defined so that the system configuration can easily be monitored against them.

XYGATE/PQ is used to ensure that passwords are not easy to guess and are changed on a regular basis. By expiring the passwords of all users at the time those users are first created, the security administrator can be assured that passwords have been changed since the userids were created and are updated regularly.

XYPRO has a suite of encryption products that can be used to secure any type of administrative access to the NonStop server. XYGATE/HE can be used to encrypt both Telnet sessions and FTP, and can be configured to deny service if such encryption does not occur. XYGATE/SH provides Secure Shell (SSH) functionality between an HP NonStop server and other platforms that support SSH. XYGATE/SC provides a PC encryption utility that can be placed in the PC's communication stack without interfering with existing communication utilities. Finally, the most versatile encryption tool kit for the NonStop server, XYGATE/ESDK, is available for any company that chooses to implement its own encryption operations. The XYGATE/ESDK software has a FIPS 140-2 certification.

Requirement 3: Protect stored cardholder data


3.1 Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal and/or regulatory purposes, as documented in the data retention policy.
3.2 Do not store sensitive authentication data subsequent to authorization (even if encrypted).
  3.2.1 Do not store the full contents of any track from the magnetic stripe.
  3.2.2 Do not store the card-validation code or value used to verify card-not-present transactions.
  3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 Render PAN, at a minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
  - Strong one-way hash functions
  - Truncation
  - Index tokens and pads (pads must be securely stored)
  - Strong cryptography with associated key management processes and procedures
  3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts. (Disk encryption is not part of the XYGATE product offering.)
3.5 Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.
  3.5.1 Restrict access to keys to the fewest number of custodians necessary
  3.5.2 Store keys securely in the fewest possible locations and forms
3.6 Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:

  3.6.1 Generation of strong keys
  3.6.2 Secure key distribution
  3.6.3 Secure key storage
  3.6.4 Periodic changing of keys
  3.6.5 Destruction of old keys
  3.6.6 Split knowledge and establishment of dual control of keys, so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key
  3.6.7 Prevention of unauthorized substitution of keys
  3.6.8 Replacement of known or suspected compromised keys
  3.6.9 Revocation of old or invalid keys
  3.6.10 Requirements for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities
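Points 3.3 and 3.4 interact in a way the standard's wording does not spell out. The following is an added example in Python (not XYPRO code and not part of the original paper; the two PANs are the public test numbers 4111111111111111 and 5555555555554444, not real cards). It implements masking to the first six and last four digits, and then shows why an unkeyed "strong one-way hash" of the PAN gives little protection when the masked value is also available: the BIN and the last four digits are known, so only the middle digits need to be guessed, and the Luhn check digit removes one more of them. Keying the hash (HMAC under a key managed per 3.5 and 3.6) takes the attacker's search away.

```python
"""Masking (PCI DSS 3.3) and the limits of an unkeyed hash (PCI DSS 3.4).

Added example, not XYPRO or PCI SSC code. The PANs used are the public
test numbers 4111111111111111 and 5555555555554444, not real cards.
"""
import hashlib
import hmac
import itertools
from typing import Optional


def luhn_sum(pan: str) -> int:
    """Luhn weighted digit sum modulo 10; a well-formed PAN sums to 0."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_sum(pan) == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: display at most the first six and the last four digits."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """A 'strong one-way hash' of the PAN with no secret: plain SHA-256."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash(key: bytes, pan: str) -> str:
    """HMAC-SHA-256 under a secret key; the key is what the attacker lacks."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Attacker's view: a masked PAN plus an unkeyed SHA-256 of the full PAN.

    Only the middle digits are hidden, and the Luhn check fixes one of them:
    the digit fifth from the right is never doubled, so it is computed rather
    than guessed. A 16-digit PAN leaves 10**5 candidates to hash.
    """
    first6, last4 = masked[:6], masked[-4:]
    hidden = len(masked) - 10
    for combo in itertools.product("0123456789", repeat=hidden - 1):
        stem = first6 + "".join(combo)
        # pick the last hidden digit so that the Luhn sum becomes 0
        fix = (10 - luhn_sum(stem + "0" + last4)) % 10
        candidate = stem + str(fix) + last4
        if hashlib.sha256(candidate.encode("ascii")).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"
    shown = mask_pan(pan)
    print("displayed:", shown)
    print("unkeyed hash recovered:", recover_pan(shown, unkeyed_hash(pan)))
    print("keyed hash recovered:", recover_pan(shown, keyed_hash(b"demo-key", pan)))
```

The unkeyed digest falls in well under a second on commodity hardware; the keyed digest cannot be searched without the key, which then has to be protected like any other cardholder-data key. The same reasoning applies to storing a truncated PAN beside a hash of the same PAN: anyone holding both can run the same search.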

Discussion: This requirement is the heart of PCI: compromise of cardholder data must be avoided at all costs. Measures mandated in this requirement include designing applications to minimize the retention of cardholder data, masking the display of cardholder information, securing the computer's resources to prohibit unauthorized access to cardholder data, and encrypting the cardholder data to ensure that it is not compromised in storage or in transit. Encryption of the data in turn requires proper key management procedures and software to ensure that the keys used to encrypt the data remain secure. Enforcement of good design practices on any application that is developed to handle cardholder data must exist within the corporation. Only properly written Corporate Policies, Procedures and Documentation that are enforced by management and regularly audited can increase the likelihood that any given transaction will remain secure. Once the policies, procedures, and documentation exist, however, security software is required to give programmers and non-application users the tools necessary to build security into the NonStop server environment.

XYGATE Solution: The first layer of protection of the NonStop server environment must be closest to the heart of the operating system: object-level security that prevents unauthorized access to resources of any sort. XYGATE/OS provides pattern-driven, predictive subject-operation-object security that can be defined for all resources on the NonStop server. Access to cardholder data stored on disk can be restricted to authorized userids and authorized requesting processes. The second layer of protection is encryption, which makes any data revealed through error or malicious action unusable until it is decrypted. The XYGATE products provide two ways to encrypt cardholder information in storage. First, XYGATE/FE can be used to encrypt and decrypt entire files. Second, XYGATE/ESDK can be used to add encryption operations to any application, allowing the application programs to control what data is encrypted and when it is decrypted.

When encryption is incorporated into the environment, key management must be included. XYGATE/KM provides strong key creation using split administration, optionally with N of M key reconstruction. With these features, the security administrator can define how many users are required to create a key (split administration) and can opt to use the N of M key reconstruction algorithm, so that making the key available again requires only a subset (N of M) of the key creators to be present. Thus, the security administrator can require five users to create the master key for the system, but only three of the five need be present to start key management services. Once keys are created, they can be used for general encryption or decryption, or can be designated as keys for a specific customer.

Please note that point 3.4.1 mentions encryption of the entire physical or logical disk. XYPRO does not recommend this practice, and thus does not supply a product that performs full disk encryption. Full disk encryption is, at this time, very costly in terms of processing time for encryption and decryption. Since a substantial part of the data in any application is held in structured files where one record or one set of records is read or written at a time, the encryption operations occur over and over again within a very short time period. Computing power is conserved when encryption occurs on a file or record basis, so that only the necessary data is encrypted or decrypted when an I/O operation occurs.

Please note that 3.6.5 deals with the destruction of keys. XYPRO's XYGATE/KM key management software does not destroy keys. Once a key has been used for an encryption operation, it is retained forever. It can be archived to remove it from daily use, but never destroyed. A key that has been destroyed cannot be recovered for use in decrypting old data, which would be lost without the proper decryption key. An organization that must satisfy 3.6.5 literally therefore has to re-encrypt any retained data under a current key before the retired key is destroyed, so that nothing still depends on it.
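The N of M key reconstruction described above (five custodians create the master key, any three make it available again) is the behaviour of Shamir secret sharing. The block below is an added example in Python; it is not XYGATE/KM code, and the paper does not say which scheme XYGATE/KM actually uses, so the algorithm here is an assumption. It splits a key into shares over a prime field such that any three of five shares reconstruct the key exactly, while two shares yield a uniformly random value and so reveal nothing about it.

```python
"""Split knowledge with N-of-M reconstruction (PCI DSS 3.6.6).

Added example implementing Shamir secret sharing over a prime field. Not
XYGATE/KM code; the paper describes XYGATE/KM's behaviour (five create, any
three reconstruct) but not its algorithm, which is assumed here.
"""
import secrets
from typing import List, Tuple

# Mersenne prime 2**521 - 1: every key of up to 512 bits is a field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) handed to one custodian


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, custodians: int) -> List[Share]:
    """Give each of `custodians` people one share; any `threshold` rebuild the key."""
    if not 2 <= threshold <= custodians:
        raise ValueError("need 2 <= threshold <= custodians")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, custodians + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0.

    With fewer than `threshold` shares the result is a uniformly random field
    element, so a partial quorum learns nothing about the key.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Reassemble the key bytes; a value that does not fit means too few or bad shares."""
    secret = recover_secret(shares)
    if secret.bit_length() > 8 * key_len:
        raise ValueError("reconstruction failed: too few or corrupted shares")
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    master = secrets.token_bytes(32)            # 256-bit master key
    shares = split_key(master, threshold=3, custodians=5)
    quorum = [shares[0], shares[2], shares[4]]  # custodians 1, 3 and 5 present
    print("3 of 5 rebuild the key:", recover_key(quorum, 32) == master)
    print("2 of 5 learn nothing  :",
          recover_secret(shares[:2]) != int.from_bytes(master, "big"))
```

In a real deployment the polynomial coefficients and the reassembled key would exist only inside the key-management process or HSM; each custodian keeps one (x, y) pair, which is what 3.6.6 means by knowing only their part of the key.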

Requirement 4. Encrypt transmission of cardholder data across open, public networks


4.1 Use strong cryptography and security protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.
  4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.
4.2 Never send unencrypted PANs by e-mail.

Discussion: Requirement four deals with cardholder data in transit. It states in its first line that encryption of all such transmission is required. Point 4.1 suggests some acceptable protocols, such as SSL/TLS and IPSEC, but says nothing about the ciphers used inside them, such as 3DES or AES. (Both ciphers are defined by NIST and ISO standards; TLS 1.0 is defined in RFC 2246.) In practice the cipher is negotiated by the protocol, so both ends of a connection must be configured to offer only strong cipher suites.

XYGATE Solution: XYGATE/HE on the NonStop server works with SSL/TLS encryption modules on other hosts or personal computer platforms to encrypt and decrypt traffic on any TCP/IP port on the NonStop server system. XYGATE/HE will, for example, encrypt and decrypt FTP traffic to another NonStop server, an IBM platform or a Windows computer, as long as the target machine also supports SSL/TLS. XYGATE/HE works with Telnet, FTP, ODBC, RSC, TOP and HTTP. XYGATE/SH provides Secure Shell (SSH) functionality between an HP NonStop server and other platforms that support SSH, including secure tunneling, SFTP and SCP.

XYGATE/SC is a Windows-based application that provides client-side SSL/TLS encryption from Windows XP, Windows 2000 and Windows 2003 platforms to an HP NonStop server. Please note that wireless networks are not generally connected to the NonStop server, so point 4.1.1 does not normally apply.

Requirement 5. Use and regularly update anti-virus software or programs.


5.1 Deploy anti-virus software on all systems commonly affected by viruses.
  5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Discussion: This requirement exists to define reasonable protection for end-user platforms and small processing systems, where multiple connections to the Internet for both secure and non-secure activity leave the system open to attack from programs that perform malicious actions. The most common malicious program, or malware, is a computer virus, which enters through the network connection, installs itself into the system, and performs some sort of inappropriate activity at some point in the future. Many companies offer protection against this malware with suites of software tools referred to as anti-virus software. Traditional consumer anti-virus protection is not available for the NonStop server, though, since there has yet to be a virus attack on the NonStop server. The most likely malware to be found on the NonStop server is a Trojan Horse: a program that looks innocuous but performs malicious activity to the detriment of the application owner.

XYGATE Solution: Traditional consumer anti-virus software is not applicable to the HP NonStop server, but XYGATE/SW can be used to watch for Trojan Horses using its Integrity Check feature. Integrity Checks examine defined lists of resources, such as files or subvolumes, to see whether the current characteristics of each resource match the previously stored characteristics. An integrity check for a file compares characteristics such as the EOF, Last Create Date, Last Modification Date and File Code against the previously stored values. Since most malware causes changes in these file characteristics, any file that has changed is flagged for investigation. XYGATE/SW permits the security administrator to define actions to be performed if Integrity Check violations are found; for example, e-mail can be sent warning security administrators of the integrity check failure.
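An Integrity Check of the kind described above is straightforward to build, and the following added example in Python does so (it is not XYPRO code; the file names and contents in the demo are constructed). It records the characteristics named above that a generic file system exposes (size and modification time) and adds one more: a SHA-256 digest of the content. The demo shows why that addition matters. A replacement program of exactly the same size whose timestamp has been reset with utime passes a size-and-date comparison but fails the digest comparison.

```python
"""File integrity checking in the spirit of XYGATE/SW Integrity Checks (Requirement 5).

Added example, not XYPRO code. It records size, modification time and a SHA-256
digest per file and reports deviations. The constructed demo shows why the
digest matters: a same-size replacement with its timestamp restored passes a
metadata-only comparison.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Snapshot every regular file under root, keyed by path relative to root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": _sha256(p),
            }
    return baseline


def check_integrity(root: Path, baseline: Dict[str, dict],
                    content: bool = True) -> Dict[str, str]:
    """Compare the tree against the baseline; return {path: reason} for deviations.

    content=False mimics a check that looks only at size and timestamps.
    """
    current = build_baseline(root)
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
        elif content and new["sha256"] != old["sha256"]:
            findings[rel] = "content changed"
        elif new["size"] != old["size"] or new["mtime_ns"] != old["mtime_ns"]:
            findings[rel] = "metadata changed"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "new file"
    return findings


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: baseline, then a stealthy tamper, a deletion and an addition."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Stand-ins for a startup script and a port definition file (constructed).
        startup = root / "startup"
        startup.write_bytes(b"RUN GOODPROG\n")
        (root / "portconf").write_bytes(b"21 FTP\n23 TELNET\n")
        (root / "retired").write_bytes(b"old\n")
        baseline = build_baseline(root)

        # Attacker swaps in a same-size Trojan and restores the original timestamp.
        st = startup.stat()
        startup.write_bytes(b"RUN EVILPROG\n")
        os.utime(startup, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "retired").unlink()
        (root / "dropper").write_bytes(b"new\n")

        return {
            "with_digest": check_integrity(root, baseline),
            "metadata_only": check_integrity(root, baseline, content=False),
        }


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, findings)
```

The baseline must itself be stored where the monitored system cannot rewrite it (offline or on another host), otherwise an attacker who can replace the program can also refresh its recorded digest.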

Requirement 6. Develop and maintain secure systems and applications.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues.
6.3 Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
  6.3.1 Testing of all security patches and system and software configuration changes before deployment
  6.3.2 Separate development, test, and production environments
  6.3.3 Separation of duties between development, test, and production environments
  6.3.4 Production data (live PANs) are not used for testing or development
  6.3.5 Removal of test data and accounts before production systems become active
  6.3.6 Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers
  6.3.7 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability
6.4 Follow change control procedures for all system and software configuration changes. The procedures must include the following:
  6.4.1 Documentation of impact
  6.4.2 Management sign-off by appropriate parties
  6.4.3 Testing of operational functionality
  6.4.4 Back-out procedures

6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include:
  6.5.1 Unvalidated input
  6.5.2 Broken access control (for example, malicious use of user IDs)
  6.5.3 Broken authentication and session management (use of account credentials and session cookies)
  6.5.4 Cross-site scripting (XSS) attacks
  6.5.5 Buffer overflows
  6.5.6 Injection flaws (for example, structured query language (SQL) injection)
  6.5.7 Improper error handling
  6.5.8 Insecure storage
  6.5.9 Denial of service
  6.5.10 Insecure configuration management
6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
  - Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
  - Installing an application-layer firewall in front of web-facing applications

Discussion:

XYPRO Technology Corporation

10

July 2007

Requirement 6 is a mandate to develop secure systems and applications. It breaks down into two areas of responsibility. Secure applications must be developed by the application team or, if the application has been purchased from a third party, the third party must be contacted to confirm that it meets these requirements. Secure systems are generally the responsibility of a different group, usually systems management and systems operations.

Secure applications begin with a secure design. The design is supplied to a programming group that understands the principles of secure computing and builds these details into the application. The programming group supplies completed code to a testing group, which tests in an environment separate from that of the developers who built the application. The testing group works from the requirements to ensure that the code meets the functional requirements of the application and the security requirements in the company's Policies, Procedures, and Documentation guides. Finally, a production group integrates the code into a separate production environment that is not normally accessible to the development or testing groups. For applications that deal with cardholder data, secure application design includes encryption of data at rest and data in transit. The procedures followed to upgrade the application must also take security into account at every step.

Secure systems are up-to-date systems. The system components and any third-party software must be regularly updated to prevent exploitation of known defects in either, and the company's Policies, Procedures, and Documentation manual must include policies for upgrade management. These systems keep the development, testing, and production groups separate from each other so that cross-contamination is avoided.

XYGATE Solution:
Secure applications require encryption. XYGATE /ESDK is a toolkit for developer use that provides encryption API calls. With XYGATE /ESDK, the developer can request keys from the XYGATE /KM key management system or create keys, establish encryption sessions, encrypt and decrypt information, create or validate a Message Authentication Code (MAC), and destroy an encryption session as needed throughout the application. The XYGATE /KM key management system works with XYGATE /ESDK for application encryption services. It can also be used with the XYGATE /FE file encryption system, which encrypts and decrypts, compresses and decompresses, and translates files for secure transmission. XYGATE /KM creates keys, maintains keys, supplies keys on request, and archives keys as needed.

Secure systems begin with a keystroke-audited TACL. XYGATE /AC supplies keystroke auditing so that no action is invisible. It also supplies action control, so users can be given access to sensitive actions in a controlled manner, with authentication and auditing. XYGATE /PC provides the equivalent action control for processes. In many shops, the primary use for the SUPER.SUPER userid is to manage processes that are otherwise secured against operations or technical support. With XYGATE /PC, these processes can be managed by authorized users without giving those users access to the process object file or code. Once user actions are audited, the next step is to secure system resources. XYGATE /OS works with Safeguard to provide pattern-controlled predictive security covering users, operations, and objects.

The coding vulnerabilities listed in 6.5 and the code review or application-layer firewall called for in 6.6 are not addressed by these modules; they remain the responsibility of the application team and its development process.



Requirement 7. Restrict access to cardholder data by business need-to-know.


7.1 Limit access to computing resources and cardholder information only to those individuals whose job requires such access.
7.2 Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.

Discussion:
Good security can be defined with three phrases:
- Need to know
- Least privilege
- Separation of duties
This requirement deals with the first, need to know. The principle restricts access to a resource to only those individuals who must have that access in order to perform their jobs.

XYGATE Solution:
All XYGATE modules have as their core purpose the implementation of security rules that provide separation of duties, limit access to need to know, and grant the least privilege necessary for the execution of a person's duties. One module handles the authentication on which secured authorization depends. Three modules limit access so that any access not explicitly approved is denied.

XYGATE /UA manages authentication. No security model is valid until there is a positive action by which a person accessing the computing environment proves his or her identity as an authorized user.

XYGATE /OS secures resources at the SUBJECT - OPERATION - OBJECT level, where the operations are the basic computer operations Open, Read, Write, Execute and Purge. All subjects and objects can be defined as patterns, so the security can be predictive: a rule is in place and enforceable even before the resource exists on the system. For example, XYGATE /OS can enforce a rule that only the userid defined as the owner of the data can open any of the files in which the data is stored, and even then only from specified authorized programs. Malicious use of the owning userid from an unauthorized program (an interactive FUP or SQLCI session, say) is then refused, because the program is part of the rule. The protection is only as strong as the authorized programs themselves: a program that lets its user name arbitrary files or issue arbitrary commands should not be on the authorized list.

XYGATE /AC secures resources using the USER - ACTION model. All security rules in XYGATE /AC are based on the action as perceived by the user. So a security rule can allow an authorized user to start an application but not to access the application's data or modify the programs that make up the application. Another example is a rule that allows a user access to a privileged program in order to execute a small subset of its commands.

XYGATE /CM manages three separate security actions: processing a logon, starting a program, and altering the priority of an executing program.
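The deny-by-default pattern model described above, as an added example that is not XYGATE /OS code: rules carry a subject pattern, an operation, an object pattern and the program the request must come from, and a request with no matching allow rule is refused. The rule syntax, userids, file names and program names are hypothetical, and the evaluator never checks whether the object exists, which is what makes a pattern rule "predictive".

```python
"""Deny-by-default SUBJECT - OPERATION - OBJECT evaluation with a program constraint.

Added example, not XYGATE/OS code. Rule syntax, userids, file names and program
names are hypothetical; the point is the decision logic of PCI 7.2.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    subject: str          # userid pattern, e.g. "PAYMENTS.OWNER" or "OPS.*"
    operation: str        # OPEN, READ, WRITE, EXECUTE, PURGE, or "*" for any
    obj: str              # object pattern, e.g. "$DATA.CARDS.*"
    program: str = "*"    # pattern for the program making the request
    allow: bool = True    # False is an explicit deny; a deny beats any allow


@dataclass(frozen=True)
class Request:
    subject: str
    operation: str
    obj: str
    program: str


def matches(rule: Rule, req: Request) -> bool:
    """True when every component of the request fits the rule's patterns."""
    return (fnmatchcase(req.subject, rule.subject)
            and rule.operation in ("*", req.operation)
            and fnmatchcase(req.obj, rule.obj)
            and fnmatchcase(req.program, rule.program))


def decide(rules, req: Request):
    """Return (allowed, reason). With no matching allow rule the answer is deny."""
    hits = [r for r in rules if matches(r, req)]
    denies = [r for r in hits if not r.allow]
    if denies:
        return False, f"explicit deny: {denies[0]}"
    if hits:
        return True, f"allowed by: {hits[0]}"
    return False, "no matching rule (default deny)"


# Hypothetical policy: the data owner may touch card files only through the
# posting program; operators may run the posting program but never open data;
# nobody purges card files. "$DATA.CARDS.*" covers files not yet created.
RULES = [
    Rule("PAYMENTS.OWNER", "*", "$DATA.CARDS.*", program="$SYSTEM.APPS.POSTER"),
    Rule("OPS.*", "EXECUTE", "$SYSTEM.APPS.POSTER"),
    Rule("*", "PURGE", "$DATA.CARDS.*", allow=False),
]


def demo():
    """Evaluate a few constructed requests; returns {case name: allowed}."""
    cases = {
        "owner via posting program": Request("PAYMENTS.OWNER", "READ", "$DATA.CARDS.TXN0001", "$SYSTEM.APPS.POSTER"),
        "owner via FUP": Request("PAYMENTS.OWNER", "READ", "$DATA.CARDS.TXN0001", "$SYSTEM.SYSTEM.FUP"),
        "operator runs poster": Request("OPS.JSMITH", "EXECUTE", "$SYSTEM.APPS.POSTER", "$SYSTEM.SYSTEM.TACL"),
        "operator reads data": Request("OPS.JSMITH", "READ", "$DATA.CARDS.TXN0001", "$SYSTEM.SYSTEM.TACL"),
        "owner purges via poster": Request("PAYMENTS.OWNER", "PURGE", "$DATA.CARDS.TXN0001", "$SYSTEM.APPS.POSTER"),
    }
    return {name: decide(RULES, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The second case is the one the text singles out: the owning userid is refused because the request does not come from the authorized program, so a stolen or misused owner credential driven from FUP gains nothing.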



Requirement 8. Assign a unique ID to each person with computer access.


8.1 Identify all users with a unique username before allowing them to access system components or cardholder data.
8.2 Employ at least one of the methods below, in addition to unique identification, to authenticate all users:
- Password
- Token devices (e.g., SecurID, certificates, or public key)
- Biometrics
8.3 Implement 2-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates.
8.4 Encrypt all passwords during transmission and storage, on all system components.
8.5 Ensure proper user authentication and password management for non-consumer users and administrators, on all system components:
8.5.1 Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.5.2 Verify user identity before performing password resets.
8.5.3 Set first-time passwords to a unique value per user and change immediately after first use.
8.5.4 Immediately revoke access of terminated users.
8.5.5 Remove inactive user accounts at least every 90 days.
8.5.6 Enable accounts used by vendors for remote maintenance only during the time needed.
8.5.7 Distribute password procedures and policies to all users who have access to cardholder information.
8.5.8 Do not use group, shared, or generic accounts/passwords.
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.
8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.


8.5.14 Set the lockout duration to thirty minutes or until an administrator enables the user ID.
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
8.5.16 Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.

Discussion:
This requirement is concerned with user authentication controls. A person logs on to a userid with authentication information that is unique to that person: something he or she knows, something he or she has, something he or she is, or a combination of the three. The authentication information must remain private; the person who uses the userid must understand that it is to remain private, and steps must be taken to ensure that the authentication information is reliable. Without these steps, no authorization decision based on the authentication can be trusted.

The most important first step is to commit to the one person, one userid model: one person has one userid, no two people share a userid, and no user has more than one userid. With that assurance, authenticating the userid establishes that the person performing any authorized action is the person actually allowed to take it.

The second step is to make the authentication operation harder to compromise. A password relies on something the user knows. Because it is intangible, it can be stolen or revealed without the authorized user noticing the loss, and it has to be remembered. Adding a token device or a biometric substantially reduces the chance of unauthorized use: a stolen token is missed by its owner, who can no longer log on and will report it, and a biometric cannot be shared or forgotten. A biometric has its own limitation, however: unlike a password, a captured biometric template cannot be changed, so the path by which it is captured and transmitted needs protecting. Finally, the requirement defines measures that reduce the opportunity for an unauthorized user to attempt access.

XYPRO Solution:
XYGATE /SM is the tool used to create userids. XYGATE /SM interfaces with Safeguard and with the XYPRO Personnel Database, allowing the userid that is created to be associated with demographic data. Details from the customizable Personnel Database are also available to XYGATE /PR, the help desk application that resets passwords for existing userids.

XYGATE /SM can also be used to revoke access in any of three ways. The user can be frozen, which does not delete the userid but prevents any logon; any batch jobs owned by the user continue to execute. The user can be expired, which also keeps the userid but prevents logons; batch jobs will not execute, since NetBatch checks the authentication of the user before starting the job. Finally, XYGATE /SM can delete the userid, which prevents both logons and batch jobs. For a terminated user, freezing alone therefore leaves that user's scheduled work running; expiring or deleting the userid is the action that matches 8.5.4. A deleted userid leaves the disk files it owned without a valid owner, so these orphaned files must be found and reassigned.

XYGATE /UA performs authentication. It integrates with Safeguard, and it has extensions that support LDAP and interface with a corporate RSA ACE Server. XYGATE /UA controls who can log on to which services on the NonStop server, based on rules that match userids to ports and to requesting processes. Additionally, XYGATE /UA has extended controls that define what happens when too many invalid password attempts occur. For example, one set of users can have their privileges suspended for 5 minutes after six bad attempts and another group can have their access to the NonStop server frozen. Note that 8.5.14 sets the minimum lockout at thirty minutes or until an administrator re-enables the userid, so the duration configured for users in the cardholder environment must be at least that.

In an environment where Safeguard is not in use, XYGATE /CM can provide controls on a logon based on the incoming party's IP address and the userid being logged on to. All XYGATE modules that perform a logon or verify the userid's identity before executing a sensitive command support the use of an RSA SecurID token in addition to the password. All XYGATE modules that make up the PC-based XYGATE Configuration and Auditing package provide built-in password encryption from the PC to the NonStop server, so a network sniffer cannot be used to capture passwords.

XYGATE /PQ can be used with or without Safeguard to provide password quality and network password change controls. In either case, XYGATE /PQ can set a password so that the user must change it at first logon. Password content can be constrained by rules, for example requiring at least one letter, one number and one special character and allowing no more than two repeated characters. Passwords can also be generated if desired. The value of a password can be split among several users so that no single person knows all of it. Password change intervals can be defined, and a password history is retained, allowing the security administrator to prevent users from re-using previous passwords.

Monitoring of a user's use of the system is managed with XYGATE /SW. Regular reports can be generated showing userids that have not logged on in the last 30, 60 or 90 days, users that have expired, users with passwords that have expired, how the XYGATE /PQ and XYGATE /UA Security Event Exit Processes are defined, what orphaned files exist, and what the current settings are for the Safeguard global security variables.

XYGATE /AC keystroke-audited sessions provide a password timeout facility. After a set amount of time, the user is required to re-authenticate before execution can continue. Additionally, XYGATE /AC can be configured to control access to user actions that affect databases containing cardholder information. XYGATE /AC can authenticate the user to ensure that he or she is authorized to perform actions such as using FUP to load the database or using SQLCI to generate ad-hoc queries against it. At the system resource level, XYGATE /OS can be used to define who can access specific system resources, such as the programs that manage the cardholder database.
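The measurable parts of 8.5 (first-logon change, minimum length, letters plus digits, four-password history, lockout after six failures for thirty minutes, and the fifteen-minute idle timeout), as an added example that is not XYGATE /PQ or XYGATE /UA code. The account model, userid, passwords and clock values are constructed for the example; the clock is passed in as seconds so the lockout and idle windows can be exercised without waiting, and passwords are stored only as salted PBKDF2 hashes, as 8.4 requires.

```python
"""Password quality, history, lockout and idle-timeout checks (PCI 8.5).

Added example, not XYGATE/PQ or XYGATE/UA code. Userids, passwords and the
clock values used by callers are made up; 'now' is a float of seconds.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 7             # 8.5.10
HISTORY_DEPTH = 4          # 8.5.12: the current password and the ones before it, four in all
MAX_FAILURES = 6           # 8.5.13
LOCKOUT_SECONDS = 30 * 60  # 8.5.14
IDLE_SECONDS = 15 * 60     # 8.5.15
PBKDF2_ITERATIONS = 100_000


def check_password_quality(candidate: str) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters (8.5.10)")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits (8.5.11)")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # 8.4: stored only as a salted, iterated hash, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, userid: str, first_password: str, now: float):
        self.userid = userid
        self.history = []          # (salt, hash) pairs, newest last
        self.failures = 0
        self.locked_until = 0.0
        self.last_activity = now
        self.must_change = True    # 8.5.3: unique first-time value, changed at first use
        self._store(first_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY_DEPTH]          # keep only the last four

    def _is_recent(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)

    def change_password(self, new_password: str, now: float) -> list:
        """Apply the quality and history rules; return violations (empty on success)."""
        problems = check_password_quality(new_password)
        if self._is_recent(new_password):
            problems.append("same as one of the last four passwords (8.5.12)")
        if not problems:
            self._store(new_password)
            self.must_change = False
            self.last_activity = now
        return problems

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'change required', 'bad password' or 'locked'."""
        if self.locked_until:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = 0.0, 0   # lockout has expired
        salt, stored = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), stored):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "bad password"
        self.failures = 0
        self.last_activity = now
        return "change required" if self.must_change else "ok"

    def touch(self, now: float) -> bool:
        """Session activity: False means the user must re-enter the password (8.5.15)."""
        if now - self.last_activity > IDLE_SECONDS:
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    acct = Account("OPS.JSMITH", "Temp1234", now=0.0)          # constructed sample
    print(acct.login("Temp1234", 1.0))                         # change required
    print(acct.change_password("Temp1234", 2.0))               # history violation
    print(acct.change_password("Wint3rRiver", 3.0))            # [] (accepted)
    for t in range(6):
        print(acct.login("wrong99", 4.0 + t))                  # 5 x bad password, then locked
```

The lockout counter resets only when the window has expired or a correct password is presented after that; a correct password presented during the window is still refused, which is what 8.5.14 intends.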

Requirement 9. Restrict physical access to cardholder data.


9.1 Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.
9.1.1 Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law.
9.1.2 Restrict physical access to publicly accessible network jacks.
9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.
9.3 Make sure all visitors are handled as follows:



9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
9.3.3 Asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law.
9.5 Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility.
9.6 Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.
9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following:
9.7.1 Classify the media so it can be identified as confidential.
9.7.2 Send the media by secured courier or other delivery method that can be accurately tracked.
9.8 Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals).
9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.9.1 Properly inventory all media and make sure it is securely stored.
9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows:
9.10.1 Cross-cut shred, incinerate, or pulp hardcopy materials.
9.10.2 Purge, degauss, shred, or otherwise destroy electronic media so that the cardholder data cannot be reconstructed.

Discussion:
This requirement concerns physical access controls to the computing environment that houses the HP NonStop server and is not addressed by software on the server; it is defined in Corporate Policies, Procedures and Documentation.

Requirement 10. Track and monitor all access to network resources and cardholder data.
10.1 Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to an individual user.


10.2 Implement automated audit trails to reconstruct the following events, for all system components:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of identification and authentication mechanisms
10.2.6 Initialization of the audit logs
10.2.7 Creation and deletion of system-level objects.

10.3 Record at least the following audit trail entries for each event, for all system components:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource

10.4 Synchronize all critical system clocks and times.
10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).
10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.

Discussion:
Requirement 10 deals with auditing access to secured resources, including cardholder data. The primary principle of auditing is showing who performed which operation on what secured resource.

XYGATE Solution:
All NonStop server based XYGATE modules except XYGATE /SW and XYGATE /MA have built-in auditing that tracks every security action the module has taken, including the time and date, the originating user, the userid under which the action executed, details of the action, and a session id that allows all actions taken in the same session to be associated. XYGATE /SW and XYGATE /MA are reporting programs and so do not execute any actions: XYGATE /MA reports on actions, and XYGATE /SW reports on the integrity of the definitions of what gets audited and when.

All XYGATE modules that audit support up to nine different, simultaneous audit destinations of three types. First, audits can be written to local or remote disk files, so audit traffic can be routed to a central NonStop server. Next, audits can be written to processes, allowing the NonStop EMS utility or any third-party monitor process to consume them. Finally, audits can be written to an external IP address, allowing audits to be sent off-box to a secured location such as a centralized log server. The off-box copy is what 10.5.3 is after: a record that an intruder on the NonStop server cannot alter after the fact. This paper does not state how that IP transport is protected; whether the channel is encrypted and authenticated, and whether the receiving log server is itself write-protected, are deployment questions to settle, since 10.5 applies to the copy as well as the original.

On NonStop servers, XYGATE /OS can be used to secure all system resources, including audit files. Pattern entries can be created that allow audit files to be written to only by the authorized programs that perform the normal auditing, and read only by the authorized individuals who generate reports, while screening out all other access. XYGATE /RM runs on the PC to run and display audit reports; its security allows access to those reports to be limited to authorized users. XYGATE /SW generates system integrity and security policy violation reports. XYGATE /MA can move all specified audit data into a single SQL database that can have defined retention and archival schedules, which is the natural place to enforce the one-year retention and three-month online availability of 10.7.

Requirement 11. Regularly test security systems and processes.


11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.3 Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment. The penetration test must include the following:
11.3.1 Network-layer penetration tests.
11.3.2 Application-layer penetration tests.
11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons at least weekly.


Discussion:
This requirement discusses the need to regularly test the security environment and to watch for unauthorized changes to important system content and configuration files. Some of the testing defined in this requirement must be performed by organizations external to the company being tested. Other portions of the testing and the regular monitoring can be performed with software running on the NonStop servers.

XYGATE Solution:
XYPRO products deal specifically with points 11.4 and 11.5. Point 11.4 requires monitoring of unusual system events that can indicate an intruder attempting to gain access to the system. Point 11.5 requires monitoring of critical system files and configurations to ensure that they have not been subjected to unauthorized modification.

XYGATE /MA provides the host-side services needed for point 11.4. XYGATE /MA reports on system activity and can be configured to generate e-mail, EMS, SNMP or syslog alerts when specified critical security events occur. Network-layer intrusion detection and prevention around the NonStop server, and the scans and penetration tests of 11.1 through 11.3, take place outside the server and are not covered by these modules.

XYGATE /SW regularly compares the current security configuration of a system with the ideal configuration defined in Best Practices and with the configuration recorded at the most recent previous collection, allowing the security administrator to find deviations from the authorized configuration. Because 11.5 asks for critical-file comparisons at least weekly, the XYGATE /SW collection needs to be scheduled at that interval or more often.
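The two comparison behaviours this section and 10.5.5 ask for, as one added example that is not XYGATE /SW or XYGATE /MA code: a critical file must not change at all (11.5), while an audit log may grow but the records already covered by the baseline must not be altered or truncated (10.5.5). The baseline is a length plus a SHA-256 of the content; the file names, log records and configuration text are constructed for the example, and a real run would read each file in binary mode instead of using the in-memory dictionaries shown.

```python
"""Baseline-and-compare integrity check with append-tolerant log handling.

Added example, not XYGATE/SW or XYGATE/MA code. File names and contents are
constructed; 'kinds' says which files are append-only logs and which are critical.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_entry(data: bytes) -> dict:
    return {"length": len(data), "sha256": sha256(data)}


def check_critical(entry: dict, data: bytes) -> str:
    """11.5: any difference in a critical file is a violation."""
    return "ok" if sha256(data) == entry["sha256"] else "modified"


def check_append_only(entry: dict, data: bytes) -> str:
    """10.5.5: bytes covered by the baseline must be unchanged; growth is fine."""
    n = entry["length"]
    if len(data) < n:
        return "truncated"
    if sha256(data[:n]) != entry["sha256"]:
        return "modified"
    return "appended" if len(data) > n else "ok"


def scan(baseline: dict, current: dict, kinds: dict):
    """Compare current contents against the baseline.

    Returns (alerts, new_baseline). 'ok' and 'appended' raise no alert; an
    appended log has its baseline advanced so the next run covers today's
    records. A file that alerts keeps its old baseline until someone reviews it.
    """
    alerts, new_baseline = {}, {}
    for name, entry in baseline.items():
        if name not in current:
            alerts[name] = "missing"
            new_baseline[name] = entry
            continue
        data = current[name]
        check = check_append_only if kinds.get(name) == "log" else check_critical
        status = check(entry, data)
        if status == "appended":
            new_baseline[name] = baseline_entry(data)
        else:
            new_baseline[name] = entry
            if status != "ok":
                alerts[name] = status
    for name in current.keys() - baseline.keys():
        alerts[name] = "unexpected new file"
    return alerts, new_baseline


LOG = "$AUDIT.XYGATE.ACLOG"          # hypothetical keystroke-audit file
CFG = "$SYSTEM.SECURITY.SGCONFIG"    # hypothetical security configuration file
SAMPLE = {                           # constructed contents, not real system data
    LOG: b"2007-07-02 09:00:01 OPS.JSMITH LOGON OK\n"
         b"2007-07-02 09:05:17 OPS.JSMITH FUP OK\n",
    CFG: b"PASSWORD-MINIMUM-LENGTH 7\nAUTHENTICATE-MAXIMUM-ATTEMPTS 6\n",
}
KINDS = {LOG: "log", CFG: "critical"}


def run_demo():
    """Two scans: a legitimate log append, then an edited record and a weakened setting."""
    baseline = {name: baseline_entry(data) for name, data in SAMPLE.items()}
    day1 = dict(SAMPLE)
    day1[LOG] += b"2007-07-02 17:45:03 OPS.JSMITH LOGOFF OK\n"
    alerts1, baseline = scan(baseline, day1, KINDS)            # expected: no alerts
    day2 = dict(day1)
    day2[LOG] = day1[LOG].replace(b"FUP OK", b"FUP DENIED")     # existing record altered
    day2[CFG] = day1[CFG].replace(b"LENGTH 7", b"LENGTH 4")     # critical file changed
    alerts2, _ = scan(baseline, day2, KINDS)
    return alerts1, alerts2


if __name__ == "__main__":
    first, second = run_demo()
    print("after append:", first)
    print("after tampering:", second)
```

Advancing the baseline only on a clean append is the detail that makes 10.5.5 work: if the baseline were refreshed unconditionally, an edit made between two scans would be silently accepted as the new normal.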

Requirement 12. Maintain a policy that addresses information security for employees and contractors.
12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all requirements in this specification.
12.1.2 Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
12.1.3 Includes a review at least once a year and updates when the environment changes.
12.2 Develop daily operational security procedures that are consistent with requirements in this specification.
12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following:
12.3.1 Explicit management approval
12.3.2 Authentication for the use of the technology
12.3.3 List of all such devices and personnel with access
12.3.4 Labeling of devices with owner, contact information, and purpose
12.3.5 Acceptable uses of the technologies
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity


12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use.
12.3.10 When accessing cardholder data remotely via modem, prohibition of storage of cardholder data on local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
12.5 Assign to an individual or team the following information security management responsibilities:
12.5.1 Establish, document, and distribute security policies and procedures.
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
12.5.4 Administer user accounts, including additions, deletions and modifications.
12.5.5 Monitor and control all access to data.
12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.6.1 Educate employees upon hire and at least annually.
12.6.2 Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures.
12.7 Screen potential employees to minimize the risk of attacks from internal sources.
12.8 If cardholder data is shared with service providers, then contractually the following is required:
12.8.1 Service providers must adhere to the PCI DSS requirements.
12.8.2 Agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the provider possesses.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
12.9.1 Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies.
12.9.2 Test the plan at least annually.
12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
12.9.4 Provide appropriate training to staff with security breach response responsibilities.
12.9.5 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
12.9.6 Develop processes to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.


12.10 All processors and service providers must maintain and implement policies and procedures to manage connected entities, to include the following:
12.10.1 Maintain a list of connected entities.
12.10.2 Ensure proper due diligence is conducted prior to connecting an entity.
12.10.3 Ensure the entity is PCI DSS compliant.
12.10.4 Connect and disconnect entities by following an established process.

Discussion:
This requirement deals with the creation of security policies for the organization. The necessary portions of the policy are delineated, procedures that implement the policy are mandated, and dissemination of the policy to all interested parties is defined. Handling of security breaches is covered. The requirement also obliges other companies that do business with this company to follow the same security goals.

XYPRO Solution:
XYGATE modules provide tools for accomplishing these goals. Point 12.2, which requires daily operational security procedures, is easier to meet when tools such as XYGATE /MA and XYGATE /SW are used to show that the required operational procedures are in place and to verify their execution by showing that the operational security requirements are met.

Point 12.3.3 requires a list of devices and the personnel with access to them. Access maps for system resources are available with XYGATE /SW, which provides access mapping tools for secured resources.

Point 12.3.8 states that a policy must exist to force the automatic disconnection of modem sessions after a period of inactivity. XYGATE /AC can force these disconnects: XYGATE /AC controlled TACL sessions can have a timeout defined for them that is applied uniformly. XYGATE /HE also provides inactivity timeouts for FTP, ODBC, and other types of TCP/IP sessions.

Point 12.3.9 limits connectivity availability for vendors. The requirement as written applies to modems, but in an environment where vendors connect via the Internet, all vendor access should follow the same PCI standards. XYGATE /CM can be configured to allow vendors to log on only from approved IP addresses and can optionally enforce session encryption for a vendor. By using NetBatch to switch XYGATE /CM control rules in and out, vendor access can be enabled and disabled in a controlled, audited manner.

Point 12.5.4 requires a defined set of personnel to be responsible for administration of user accounts. XYGATE /SM provides this user administration, with controls that limit which user can perform which tasks and an audit of who performed each action. XYGATE /PQ allows security administrators to define who can reset passwords for which sets of users. XYGATE /PR can be installed on the PCs of authorized help desk personnel to allow them to reset passwords for the sets of users for which they are authorized.

Point 12.5.5 requires a set of personnel to monitor and control all access to data. This is the goal behind all XYGATE security software: the modules are the tools those personnel use to monitor and control access.


Point 12.9.5 mandates the use of an alert feature, so that the appropriate individuals can be apprised of any attempted system intrusions. XYGATE /MA can generate e-mail or SMS alerts for activity that matches the company-specified security events.

Conclusion
PCI requirements are imposed by the payment card organizations. Companies that want to offer the ability to pay with a credit or debit card have no recourse except compliance with PCI standards. Fortunately for companies that use the HP NonStop server, compliance becomes easier with the use of XYGATE products.

Disclaimer
XYPRO has designed this document primarily to be educational. Readers should note that this document has not been endorsed by Visa, Mastercard, American Express, JCB International Credit Card, or the Payment Card Security Standards Council. Issues discussed in this paper will evolve over time. Accordingly, companies interested in these issues should seek counsel from their legal specialist regarding the specific terms of the company's contract with a payment card organization. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgement to the specific control circumstances presented by a particular system or information technology environment. XYPRO makes no representations or warranties and provides no assurance that an organization's use of this document or of XYPRO's XYGATE products will result in full compliance with the Payment Card Industry Data Security Standard. Internal controls, whether automated or manual, no matter how well designed and operated, can only provide reasonable assurance of achieving data security. The likelihood of achievement is affected by limitations in the company's security environment. These include the realities that human judgement in decision making can be faulty and that breakdowns in internal security can occur because of human factors such as errors or inappropriate override of defined security standards and controls.


PCI Requirements Summary

Number | Requirement | Summary
1 | Install and maintain a firewall configuration to protect cardholder data | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1 | Establish firewall configuration standards that include: | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.1 | A formal process for approving and testing all external network connections | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.2 | A current network diagram with all connections to cardholder data, including any wireless networks | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.3 | Requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone | Network Configuration Requirements External To The NonStop Server
1.1.4 | Description of groups, roles, and responsibilities for logical management of network components | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.5 | Documented list of services and ports necessary for business | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.6 | Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN) |
1.1.7 | Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP)), which includes reason for use of protocol and security features implemented | This requirement is met with Corporate Policies, Procedures and Documentation.
1.1.8 | Quarterly review of firewall and router rule sets | This requirement is met with Corporate Policies, Procedures and Documentation.

1.1.9 | Configuration standards for routers | This requirement is met with Corporate Policies, Procedures and Documentation.
1.2 | Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment | Network Configuration Requirements External To The NonStop Server
1.3 | Build a firewall configuration that restricts connections between publicly accessible servers and any system components storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following: | Network Configuration Requirements External To The NonStop Server
1.3.1 | Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) | Network Configuration Requirements External To The NonStop Server
1.3.2 | Not allowing internal addresses to pass from the Internet into the DMZ | Network Configuration Requirements External To The NonStop Server
1.3.3 | Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network) | Network Configuration Requirements External To The NonStop Server
1.3.4 | Placing the database in an internal network zone, segregated from the DMZ | Network Configuration Requirements External To The NonStop Server
1.3.5 | Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment | Network Configuration Requirements External To The NonStop Server
1.3.6 | Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers) and startup configuration files (when machines are rebooted) should have the same secure configuration | Network Configuration Requirements External To The NonStop Server
1.3.7 | Denying all other inbound and outbound traffic not specifically allowed | Network Configuration Requirements External To The NonStop Server
1.3.8 | Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or to control any such traffic (if it is necessary for business purposes) | Network Configuration Requirements External To The NonStop Server

1.3.9 | Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees) which are used to access the organization's network | Network Configuration Requirements External To The NonStop Server
1.4 | Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files) | Network Configuration Requirements External To The NonStop Server
1.4.1 | Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic | Network Configuration Requirements External To The NonStop Server
1.4.2 | Restrict outbound traffic from payment card applications to IP addresses within the DMZ | Network Configuration Requirements External To The NonStop Server
1.5 | Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT) | Network Configuration Requirements External To The NonStop Server
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | XYGATE/SW rules; use XYGATE/PQ to force system passwords to change
2.1 | Always change vendor-supplied defaults before installing a system on the network (for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts) | This requirement is met with Corporate Policies, Procedures and Documentation.
2.1.1 | For wireless environments, change wireless vendor defaults, including but not limited to wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable | Network Configuration Requirements External To The NonStop Server
2.2 | Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards and Technology (NIST) and Center for Internet Security (CIS) | XYGATE/SW Best Practices as defined in the books Securing Your HP NonStop Server: A Practical Handbook (ISBN: 9781555583149) and Securing HP NonStop Servers In An Open Systems World: TCP/IP, OSS and SQL (ISBN: 78-1555583446)

2.2.1 | Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers) | This requirement is met with Corporate Policies, Procedures and Documentation.
2.2.2 | Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function) | XYGATE/SW for monitoring
2.2.3 | Configure system security parameters to prevent misuse | XYGATE/SW for monitoring, XYGATE/SM for global security settings
2.2.4 | Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers | XYGATE/SW for monitoring
2.3 | Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access | XYGATE/HE, XYGATE/SH, XYGATE/SC, XYGATE/ESDK
2.4 | Hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in Appendix A: "PCI DSS Applicability for Hosting Providers." | This requirement is met with Corporate Policies, Procedures and Documentation.
3 | Protect stored cardholder data | XYGATE/OS for object level security. XYGATE/ESDK for application and database level security.
3.1 | Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal and/or regulatory purposes, as documented in the data retention policy | This requirement is met with Corporate Policies, Procedures and Documentation.
3.2 | Do not store sensitive authentication data subsequent to authorization (even if encrypted) | This requirement is met with Corporate Policies, Procedures and Documentation.
3.2.1 | Do not store the full contents of any track from the magnetic stripe | This requirement is met with Corporate Policies, Procedures and Documentation.
3.2.2 | Do not store the card-validation code or value used to verify card-not-present transactions | This requirement is met with Corporate Policies, Procedures and Documentation.

3.2.3 | Do not store the personal identification number (PIN) or the encrypted PIN block | This requirement is met with Corporate Policies, Procedures and Documentation.
3.3 | Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed) | This requirement is met with Corporate Policies, Procedures and Documentation.
3.4 | Render PAN, at a minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches: strong one-way hash functions; truncation; index tokens and pads (pads must be securely stored); strong cryptography with associated key management processes and procedures | XYGATE/KM and XYGATE/FE will provide the strong cryptography with associated key management processes. XYGATE/ESDK provides tools to be included in any in-house development
3.4.1 | If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts). Decryption keys must not be tied to user accounts | Not included in the XYGATE Product offering
3.5 | Protect encryption keys used for encryption of cardholder data against both disclosure and misuse | XYGATE/KM and XYGATE/ESDK integrated into the application. XYGATE/OS to protect at the resource level
3.5.1 | Restrict access to keys to the fewest number of custodians necessary | XYGATE/KM and XYGATE/ESDK integrated into the application. XYGATE/OS to protect at the resource level
3.5.2 | Store keys securely in the fewest possible locations and forms | XYGATE/KM and XYGATE/ESDK integrated into the application. XYGATE/OS to protect at the resource level
3.6 | Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following: | This requirement is met with Corporate Policies, Procedures and Documentation.
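Requirements 3.3 and 3.4 above are the ones an application developer has to implement in code rather than in policy. The following example is added to this paper for illustration; it is not XYGATE code and not part of the XYPRO product set. It shows a display mask that keeps only the first six and last four digits (3.3), two of the "render unreadable" forms listed under 3.4 (truncation and a keyed one-way hash), and a simple detector for clear-text PANs that have leaked into free text such as a log line. The sample PAN is a syntactically valid test number, and the hashing key is a constructed placeholder; both are assumptions for the demonstration.

```python
# Added example (not XYPRO code): PAN masking for display (3.3) and the
# "render unreadable" forms of 3.4 (truncation, keyed one-way hash), plus a
# detector for PANs that leaked into text such as log lines.
import hashlib
import hmac
import re

# Constructed sample: a syntactically valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"
# Constructed key; in production this is a managed secret (3.5 / 3.6).
SAMPLE_KEY = b"constructed-hashing-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; a digit string that fails it is not a PAN."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """3.3: at most the first six and last four digits are shown."""
    if len(pan) < 13 or not luhn_valid(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """3.4 'truncation': keep only the last four digits and discard the rest,
    so the stored value cannot be turned back into the PAN."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """3.4 'strong one-way hash function'. A keyed hash (HMAC-SHA-256) is used
    instead of a bare SHA-256 because the space of valid PANs is small enough
    to enumerate: an unkeyed digest of a PAN can be matched back to the PAN,
    so the key must be protected like an encryption key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def render_unreadable(pan: str, key: bytes) -> dict:
    """The only forms of a PAN that should reach storage, backups or logs."""
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return {
        "masked": mask_pan(pan),
        "truncated": truncate_pan(pan),
        "hash": hash_pan(pan, key),
    }


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Scan free text (a log line, a report) for 13-19 digit runs that pass the
    Luhn check: a quick check that no clear-text PAN sits where 3.4 forbids it."""
    return [run for run in _DIGIT_RUN.findall(text) if luhn_valid(run)]


if __name__ == "__main__":
    forms = render_unreadable(SAMPLE_PAN, SAMPLE_KEY)
    print(forms["masked"], forms["truncated"], forms["hash"][:16])
    # Constructed log line with a clear-text PAN in it.
    print(find_pans("2007-07-01 12:00:01 txn=42 pan=4111111111111111 amt=19.99"))
```

The masked form is the only one that may be displayed; the truncated and hashed forms are what may be stored. Note that a Luhn-valid digit run in a log is not proof of a leak (other numbering schemes also use Luhn), but it is the right trigger for a review.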

3.6.1 | Generation of strong keys | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.2 | Secure key distribution | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.3 | Secure key storage | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.4 | Periodic changing of keys | This requirement is met with Corporate Policies, Procedures and Documentation.
3.6.5 | Destruction of old keys | Required solution not included in the XYGATE Product offering
3.6.6 | Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key) | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.7 | Prevention of unauthorized substitution of keys | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.8 | Replacement of known or suspected compromised keys | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.9 | Revocation of old or invalid keys | XYGATE/KM and XYGATE/ESDK integrated into the application
3.6.10 | Requirements for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities | This requirement is met with Corporate Policies, Procedures and Documentation.
4 | Encrypt transmission of cardholder data across open, public networks | XYGATE/HE, XYGATE/SH and XYGATE/FE will encrypt all varieties of data transmission. XYGATE/ESDK can be incorporated into appropriate applications. XYGATE/SC provides the encryption component for the PC.
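Point 3.6.6 (split knowledge and dual control) is the key-management step most often misunderstood, so an illustration is added here. This is an added example, not XYGATE/KM code: it splits a key into components by exclusive-or, so that every custodian's component is needed to rebuild the key and any smaller set of components carries no information about it. The key check value shown is a truncated SHA-256 used only for this demonstration; the demonstration key is generated at random and is an assumption of the example.

```python
# Added example (not XYPRO code): split knowledge and dual control of a key
# (3.6.6). Each custodian holds one component; the key is the XOR of all
# components, so any subset short of the full set reveals nothing about it.
import hashlib
import secrets


def split_key(key: bytes, custodians: int) -> list:
    """Split `key` into `custodians` components that must all be combined."""
    if custodians < 2:
        raise ValueError("dual control requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # The last component is chosen so that the XOR of all components is the key.
    last = key
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """Reconstruct the key in a ceremony where each custodian enters a component."""
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("component length mismatch")
    key = bytes(length)
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint so custodians can confirm a reconstructed key matches the
    one that was split, without the key itself being written down. A truncated
    SHA-256 stands in here for the encrypt-a-zero-block KCV that HSMs compute."""
    return hashlib.sha256(key).hexdigest()[:6]


if __name__ == "__main__":
    demo_key = secrets.token_bytes(16)       # constructed key for the demonstration only
    kcv = key_check_value(demo_key)
    parts = split_key(demo_key, 3)
    print("components:", [p.hex() for p in parts])
    print("all three rebuild the key:", key_check_value(combine_key(parts)) == kcv)
    print("two of three rebuild the key:", key_check_value(combine_key(parts[:2])) == kcv)
```

Because the first n-1 components are uniformly random and the last one is derived from them, each component on its own is indistinguishable from random bytes; this is what makes the scheme satisfy "each knowing only their part of the key". The components still need the handling described under 3.5 and 3.6 (separate custodians, sealed storage, destruction after the ceremony), which the code cannot enforce.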

4.1 | Use strong cryptography and security protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks | XYGATE/HE, XYGATE/SH and XYGATE/FE will encrypt all varieties of data transmission. XYGATE/ESDK can be incorporated into appropriate applications. XYGATE/SC provides the encryption component for the PC.
4.1.1 | For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN | Network Configuration Requirements External To The NonStop Server
4.2 | Never send unencrypted PANs by e-mail | This requirement is met with Corporate Policies, Procedures and Documentation.
5 | Use and regularly update anti-virus software or programs | Traditional consumer anti-virus is not applicable to the HP NonStop server
5.1 | Deploy anti-virus software on all systems commonly affected by viruses | XYGATE/SW Integrity Checks provide an object file validation that is close to the same functionality as a virus-check or registry-guard on the PC
5.1.1 | Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware | XYGATE/SW protects against Trojan Horses.
5.2 | Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs | XYGATE/SW
6 | Develop and maintain secure systems and applications | This requirement is met with Corporate Policies, Procedures and Documentation.
6.1 | Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release | This requirement is met with Corporate Policies, Procedures and Documentation.

6.2 | Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update standards to address new vulnerability issues | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3 | Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3.1 | Testing of all security patches and system and software configuration changes before deployment | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3.2 | Separate development, test, and production environments | XYGATE/OS provides strong object separation; XYGATE/CM can control execution in CPU resources
6.3.3 | Separation of duties between development, test, and production environments | The XYGATE Products can be used to maintain secure systems
6.3.4 | Production data (live PANs) are not used for testing or development | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3.5 | Removal of test data and accounts before production systems become active | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3.6 | Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers | This requirement is met with Corporate Policies, Procedures and Documentation.
6.3.7 | Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability | This requirement is met with Corporate Policies, Procedures and Documentation.
6.4 | Follow change control procedures for all system and software configuration changes. The procedures must include the following: | This requirement is met with Corporate Policies, Procedures and Documentation.
6.4.1 | Documentation of impact | This requirement is met with Corporate Policies, Procedures and Documentation.
6.4.2 | Management sign-off by appropriate parties | This requirement is met with Corporate Policies, Procedures and Documentation.

6.4.3 | Testing of operational functionality | This requirement is met with Corporate Policies, Procedures and Documentation.
6.4.4 | Back-out procedures | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5 | Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in software development processes, to include: | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.1 | Unvalidated input | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.2 | Broken access control (for example, malicious use of user IDs) | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.3 | Broken authentication and session management (use of account credentials and session cookies) | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.4 | Cross-site scripting (XSS) attacks | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.5 | Buffer overflows | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.6 | Injection flaws (for example, structured query language (SQL) injection) | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.7 | Improper error handling | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.8 | Insecure storage | XYGATE/ESDK can be used to enforce proper storage

6.5.9 | Denial of service | This requirement is met with Corporate Policies, Procedures and Documentation.
6.5.10 | Insecure configuration management | This requirement is met with Corporate Policies, Procedures and Documentation.
6.6 | Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; installing an application layer firewall in front of web-facing applications | Not included in the XYGATE Product offering
7 | Restrict access to cardholder data by business need-to-know | All XYGATE modules
7.1 | Limit access to computing resources and cardholder information only to those individuals whose job requires such access | XYGATE/AC and XYGATE/OS can provide action control and object control to authorized individuals only
7.2 | Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed | XYGATE/AC, XYGATE/CM and XYGATE/OS
8 | Assign a unique ID to each person with computer access | XYGATE/AC supports the functional use of unique userids; XYGATE/SM creates userids
8.1 | Identify all users with a unique username before allowing them to access system components or cardholder data | XYGATE/UA, XYGATE/CM, XYGATE/SM
8.2 | Employ at least one of the methods below, in addition to unique identification, to authenticate all users: password; token devices (e.g., SecureID, certificates, or public key); biometrics | XYGATE/UA-LDAP, XYGATE/UA-RSA for user authentication, XYGATE/AC for timeout management, XYGATE/PQ for quality control on passwords
8.3 | Implement 2-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates | This requirement is met with Corporate Policies, Procedures and Documentation.

8.4 | Encrypt all passwords during transmission and storage, on all system components | All XYGATE modules
8.5 | Ensure proper user authentication and password management for non-consumer users and administrators, on all system components: | All XYGATE modules
8.5.1 | Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects | XYGATE/SM
8.5.2 | Verify user identity before performing password resets | XYGATE/SM, XYGATE/PR
8.5.3 | Set first-time passwords to a unique value per user and change immediately after first use | XYGATE/SM to administer, XYGATE/PQ to enforce
8.5.4 | Immediately revoke access of terminated users | XYGATE/SM to administer
8.5.5 | Remove inactive user accounts at least every 90 days | XYGATE/SM to remove, XYGATE/SW to monitor
8.5.6 | Enable accounts used by vendors for remote maintenance only during the time needed | XYGATE/SM, XYGATE/AC, XYGATE/CM or XYGATE/UA
8.5.7 | Distribute password procedures and policies to all users who have access to cardholder information | This requirement is met with Corporate Policies, Procedures and Documentation.
8.5.8 | Do not use group, shared, or generic accounts/passwords | All XYGATE modules
8.5.9 | Change user passwords at least every 90 days | XYGATE/PQ to administer, XYGATE/UA to prompt for change
8.5.10 | Require a minimum password length of at least seven characters | XYGATE/PQ
8.5.11 | Use passwords containing both numeric and alphabetic characters | XYGATE/PQ
8.5.12 | Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used | XYGATE/UA to prompt for change
8.5.13 | Limit repeated access attempts by locking out the user ID after not more than six attempts | XYGATE/UA
8.5.14 | Set the lockout duration to thirty minutes or until an administrator enables the user ID | XYGATE/UA
8.5.15 | If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal | XYGATE/AC
8.5.16 | Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users | XYGATE/AC, XYGATE/OS
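Points 8.5.9 through 8.5.15 are concrete enough to be expressed as checks, and the example below does so for an in-house application that keeps its own accounts. It is added here for illustration and is not XYGATE/PQ or XYGATE/UA code. It assumes a per-account record holding a salted PBKDF2 hash of the current password and the previous ones (so no password is held in clear, per 8.4), and it treats time as a number of seconds passed in by the caller so the lockout and idle limits can be exercised without waiting. Account names and passwords in it are constructed.

```python
# Added example (not XYPRO code): the password-management rules of 8.5.9 through
# 8.5.15 expressed as checks over an account record, using a PBKDF2 hash so that
# current and historical passwords are never stored in clear (8.4).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MIN_LENGTH = 7                      # 8.5.10
HISTORY_DEPTH = 4                   # 8.5.12: no reuse of the last four passwords
MAX_ATTEMPTS = 6                    # 8.5.13
LOCKOUT_SECONDS = 30 * 60           # 8.5.14
IDLE_SECONDS = 15 * 60              # 8.5.15
MAX_AGE_SECONDS = 90 * 24 * 3600    # 8.5.9


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: list = field(default_factory=list)  # last hashes, newest last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0


def check_quality(password: str) -> list:
    """8.5.10 and 8.5.11; returns the violated rules (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("8.5.10: shorter than seven characters")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("8.5.11: must contain both letters and digits")
    return problems


def set_password(acct: Account, new_password: str, now: float) -> list:
    """Apply quality and history rules; on success store the new hash."""
    problems = check_quality(new_password)
    new_hash = hash_password(new_password, acct.salt)
    if any(hmac.compare_digest(new_hash, old) for old in acct.history):
        problems.append("8.5.12: same as one of the last four passwords")
    if problems:
        return problems
    acct.history = (acct.history + [new_hash])[-HISTORY_DEPTH:]
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: float) -> tuple:
    """Lockout (8.5.13/8.5.14) and age (8.5.9) checks around password verification."""
    if now < acct.locked_until:
        return False, "8.5.14: user ID locked out"
    current = acct.history[-1] if acct.history else None
    if current is None or not hmac.compare_digest(hash_password(password, acct.salt), current):
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return False, "8.5.13: locked after six failed attempts"
        return False, "authentication failed"
    acct.failures = 0
    acct.last_activity = now
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return True, "8.5.9: password older than 90 days, change required"
    return True, "ok"


def touch_session(acct: Account, now: float) -> bool:
    """8.5.15: activity after more than 15 idle minutes needs re-authentication."""
    if now - acct.last_activity > IDLE_SECONDS:
        return False
    acct.last_activity = now
    return True


def admin_unlock(acct: Account) -> None:
    """8.5.14: an administrator may re-enable the user ID before the 30 minutes expire."""
    acct.locked_until = 0.0
    acct.failures = 0
```

Two details matter for an assessor: the failure counter is reset only by a successful logon or an administrator, never by the lockout expiring on its own, and the history comparison is done on hashes with the account's fixed salt, so the application never needs the old passwords in clear to enforce 8.5.12.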

9 | Restrict physical access to cardholder data | Not applicable to HP NonStop server
9.1 | Use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data | This requirement is met with Corporate Policies, Procedures and Documentation.
9.1.1 | Use cameras to monitor sensitive areas. Audit collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law | This requirement is met with Corporate Policies, Procedures and Documentation.
9.1.2 | Restrict physical access to publicly accessible network jacks | This requirement is met with Corporate Policies, Procedures and Documentation.
9.1.3 | Restrict physical access to wireless access points, gateways, and handheld devices | This requirement is met with Corporate Policies, Procedures and Documentation.
9.2 | Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible | This requirement is met with Corporate Policies, Procedures and Documentation.
9.3 | Make sure all visitors are handled as follows: | This requirement is met with Corporate Policies, Procedures and Documentation.
9.3.1 | Authorized before entering areas where cardholder data is processed or maintained | This requirement is met with Corporate Policies, Procedures and Documentation.
9.3.2 | Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees | This requirement is met with Corporate Policies, Procedures and Documentation.
9.3.3 | Asked to surrender the physical token before leaving the facility or at the date of expiration | This requirement is met with Corporate Policies, Procedures and Documentation.
9.4 | Use a visitor log to maintain a physical audit trail of visitor activity. Retain this log for a minimum of three months, unless otherwise restricted by law | This requirement is met with Corporate Policies, Procedures and Documentation.
9.5 | Store media back-ups in a secure location, preferably in an off-site facility, such as an alternate or backup site, or a commercial storage facility | This requirement is met with Corporate Policies, Procedures and Documentation.

9.6 | Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data | This requirement is met with Corporate Policies, Procedures and Documentation.
9.7 | Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data, including the following: | This requirement is met with Corporate Policies, Procedures and Documentation.
9.7.1 | Classify the media so it can be identified as confidential | This requirement is met with Corporate Policies, Procedures and Documentation.
9.7.2 | Send the media by secured courier or other delivery method that can be accurately tracked | This requirement is met with Corporate Policies, Procedures and Documentation.
9.8 | Ensure management approves any and all media that is moved from a secured area (especially when media is distributed to individuals) | This requirement is met with Corporate Policies, Procedures and Documentation.
9.9 | Maintain strict control over the storage and accessibility of media that contains cardholder data | This requirement is met with Corporate Policies, Procedures and Documentation.
9.9.1 | Properly inventory all media and make sure it is securely stored | This requirement is met with Corporate Policies, Procedures and Documentation.
9.10 | Destroy media containing cardholder data when it is no longer needed for business or legal reasons as follows: | This requirement is met with Corporate Policies, Procedures and Documentation.
9.10.1 | Cross-cut shred, incinerate, or pulp hardcopy materials | This requirement is met with Corporate Policies, Procedures and Documentation.
9.10.2 | Purge, degauss, shred, or otherwise destroy electronic media so that the cardholder data cannot be reconstructed | This requirement is met with Corporate Policies, Procedures and Documentation.
10 | Track and monitor all access to network resources and cardholder data | All XYGATE modules
10.1 | Establish a process for linking all access to system components (especially those done with administrative privileges such as root) to an individual user | All XYGATE modules

PCI Requirements Summary

Number | Requirement | Summary
10.2 | Implement automated audit trails to reconstruct the following events, for all system components: | All XYGATE modules
10.2.1 | All individual user accesses to cardholder data | All XYGATE modules
10.2.2 | All actions taken by any individual with root or administrative privileges | All XYGATE modules
10.2.3 | Access to all audit trails | All XYGATE modules
10.2.4 | Invalid logical access attempts | All XYGATE modules
10.2.5 | Use of identification and authentication mechanisms | All XYGATE modules
10.2.6 | Initialization of the audit logs | All XYGATE modules
10.2.7 | Creation and deletion of system-level objects | All XYGATE modules
10.3 | Record at least the following audit trail entries for each event, for all system components: | All XYGATE modules
10.3.1 | User identification | All XYGATE modules
10.3.2 | Type of event | All XYGATE modules
10.3.3 | Date and time | All XYGATE modules
10.3.4 | Success or failure indication | All XYGATE modules
10.3.5 | Origination of event | All XYGATE modules
10.3.6 | Identity or name of affected data, system component, or resource | All XYGATE modules
10.4 | Synchronize all critical system clocks and times | Not included in the XYGATE Product offering
10.5 | Secure audit trails so they cannot be altered | XYGATE/OS
10.5.1 | Limit viewing of audit trails to those with a job-related need | XYGATE/OS, XYGATE/RM
10.5.2 | Protect audit trail files from unauthorized modifications | XYGATE/OS
10.5.3 | Promptly back up audit trail files to a centralized log server or media that is difficult to alter | All XYGATE modules
10.5.4 | Copy logs for wireless networks onto a log server on the internal LAN | Network Configuration Requirements External To The NonStop Server
10.5.5 | Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). | XYGATE/OS and XYGATE/MA
10.6 | Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). | XYGATE/CM facilitates
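The two mechanical parts of the table above, the per-event fields of 10.3 and the "existing data cannot change, new data may be appended" rule of 10.5.5, are easiest to see in code. The following is an added example, not XYGATE or XYPRO code: each audit record carries the six 10.3.x fields with a UTC timestamp (the clock-synchronization assumption of 10.4), records are linked into an HMAC hash chain, and a checker compares a baseline copy against the current log so that an edited or deleted record raises an alert while appended records do not. The user IDs, IP address, NonStop-style file names and the key value are constructed for the demonstration; in a real deployment the key would be held on the central log server of 10.5.3, not on the audited host.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The six per-event fields PCI DSS 10.3.1 to 10.3.6 require.
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "result", "origin", "resource")
GENESIS = "0" * 64  # predecessor tag of the first record in a chain


def make_entry(user_id, event_type, result, origin, resource, timestamp=None):
    """Build one audit record carrying every 10.3.x field, timestamp normalised to UTC."""
    if result not in ("SUCCESS", "FAILURE"):
        raise ValueError("result must be SUCCESS or FAILURE (10.3.4)")
    ts = timestamp or datetime.now(timezone.utc)
    entry = {
        "user_id": user_id,                                                      # 10.3.1
        "event_type": event_type,                                                # 10.3.2
        "timestamp": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),  # 10.3.3
        "result": result,                                                        # 10.3.4
        "origin": origin,                                                        # 10.3.5
        "resource": resource,                                                    # 10.3.6
    }
    if any(entry[f] in (None, "") for f in REQUIRED_FIELDS):
        raise ValueError("every 10.3 field must be present")
    return entry


def _tag(key, prev_tag, entry):
    """HMAC over the previous record's tag plus the canonical JSON of this entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(records, entry, key):
    """Append an entry, linking it to the tag of the record before it."""
    prev = records[-1]["tag"] if records else GENESIS
    records.append({"entry": entry, "prev": prev, "tag": _tag(key, prev, entry)})
    return records


def verify_chain(records, key):
    """Recompute every tag; return the index of the first bad record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or rec["tag"] != _tag(key, prev, rec["entry"]):
            return i
        prev = rec["tag"]
    return None


def check_log(baseline, current, key):
    """10.5.5-style change detection: edits or deletions of existing records alert,
    appended records do not. Returns (alert, message)."""
    bad = verify_chain(current, key)
    if bad is not None:
        return True, f"ALERT: record {bad} fails chain verification"
    if len(current) < len(baseline):
        return True, f"ALERT: log truncated from {len(baseline)} to {len(current)} records"
    if [r["tag"] for r in current[: len(baseline)]] != [r["tag"] for r in baseline]:
        return True, "ALERT: an existing record was altered or removed"
    return False, f"OK: {len(current) - len(baseline)} new record(s) appended"


def demo():
    """Constructed scenario: three records, a legitimate append, an in-place edit, a deletion."""
    key = b"constructed-demo-key-held-on-log-server"  # constructed; keep off the audited host
    t = datetime(2007, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    log = []
    for minute, (user, event, result, resource) in enumerate([
        ("super.oper", "LOGON", "SUCCESS", "$SYSTEM"),            # constructed sample events
        ("appl.batch", "FILE_OPEN", "SUCCESS", "$DATA.CARDS.PAN"),
        ("guest.user", "LOGON", "FAILURE", "$SYSTEM"),
    ]):
        append_record(log, make_entry(user, event, result, "10.0.0.5", resource,
                                      t.replace(minute=minute)), key)
    baseline = copy.deepcopy(log)  # the copy kept on the central log server

    appended = copy.deepcopy(log)  # normal growth: one more event
    append_record(appended, make_entry("super.oper", "AUDIT_READ", "SUCCESS", "10.0.0.5",
                                       "$AUDIT.LOG1", t.replace(minute=3)), key)
    tampered = copy.deepcopy(log)  # the failed logon rewritten as a success
    tampered[2]["entry"]["result"] = "SUCCESS"
    truncated = copy.deepcopy(log)[:-1]  # the last record deleted

    return {
        "intact": check_log(baseline, log, key),
        "appended": check_log(baseline, appended, key),
        "tampered": check_log(baseline, tampered, key),
        "truncated": check_log(baseline, truncated, key),
    }


if __name__ == "__main__":
    for name, (alert, msg) in demo().items():
        print(f"{name:10s} {msg}")
```

The chain only detects modification; it does not prevent it, which is why the table pairs 10.5.5 with 10.5.2 (file protection) and 10.5.3 (an off-host copy). Truncation is caught by comparing lengths against the baseline rather than by the chain itself, since a chain cut short still verifies.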

XYPRO Technology Corporation

36

July 2007

Number | Requirement | Summary
10.7 | Retain audit trail history for at least one year, with a minimum of three months online availability. | XYGATE/MA facilitates
11 | Regularly test security systems and processes | XYGATE/SW and XYGATE/MA
11.1 | Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use. | Not included in the XYGATE Product offering
11.2 | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). | Not included in the XYGATE Product offering
11.3 | Perform penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). The penetration test must include the following: | Not included in the XYGATE Product offering
11.3.1 | Network-layer penetration tests | Not included in the XYGATE Product offering
11.3.2 | Application-layer penetration tests | Not included in the XYGATE Product offering
11.4 | Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date. | XYGATE/MA to report and alert on system activity
11.5 | Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files, and configure the software to perform critical file comparisons at least weekly. | XYGATE/SW Integrity Checks
12 | Maintain a policy that addresses information security for employees and contractors | XYGATE/SW Integrity Checks
12.1 | Establish, publish, maintain, and disseminate a security policy that accomplishes the following: | This requirement is met with Corporate Policies, Procedures and Documentation.


Number | Requirement | Summary
12.1.1 | Addresses all requirements in this specification | This requirement is met with Corporate Policies, Procedures and Documentation.
12.1.2 | Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment | This requirement is met with Corporate Policies, Procedures and Documentation.
12.1.3 | Includes a review at least once a year and updates when the environment changes | This requirement is met with Corporate Policies, Procedures and Documentation.
12.2 | Develop daily operational security procedures that are consistent with requirements in this specification | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3 | Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage policies require the following: | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.1 | Explicit management approval | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.2 | Authentication for the use of the technology | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.3 | List all such devices and personnel with access | XYGATE/SW
12.3.4 | Labeling of devices with owner, contact information, and purpose | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.5 | Acceptable uses of the technologies | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.6 | Acceptable network locations for the technologies | This requirement is met with Corporate Policies, Procedures and Documentation.
12.3.7 | List of company-approved products |


Number | Requirement | Summary
12.3.8 | Automatic disconnect of modem sessions after a specific period of inactivity | XYGATE/AC for modem disconnect
12.3.9 | Activation of modems for vendors only when needed by vendors, with immediate deactivation after use | XYGATE/AC for modem disconnect; XYGATE/CM, XYGATE/HE and XYGATE/UA for port protection in general
12.3.10 | When accessing cardholder data remotely via modem, prohibition of storage of cardholder data on local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access. | This requirement is met with Corporate Policies, Procedures and Documentation.
12.4 | Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors. | This requirement is met with Corporate Policies, Procedures and Documentation.
12.5 | Assign to an individual or team the following information security management responsibilities: | This requirement is met with Corporate Policies, Procedures and Documentation.
12.5.1 | Establish, document, and distribute security policies and procedures | This requirement is met with Corporate Policies, Procedures and Documentation.
12.5.2 | Monitor and analyze security alerts and information, and distribute to appropriate personnel | XYGATE/SW and XYGATE/MA help with monitoring
12.5.3 | Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations | This requirement is met with Corporate Policies, Procedures and Documentation.
12.5.4 | Administer user accounts, including additions, deletions and modifications | XYGATE/SM, XYGATE/PQ, XYGATE/PR
12.5.5 | Monitor and control all access to data | XYGATE/SW, XYGATE/OS, XYGATE/MA
12.6 | Implement a formal security awareness program to make all employees aware of the importance of cardholder data security | This requirement is met with Corporate Policies, Procedures and Documentation.
12.6.1 | Educate employees upon hire and at least annually | This requirement is met with Corporate Policies, Procedures and Documentation.
12.6.2 | Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures | This requirement is met with Corporate Policies, Procedures and Documentation.


Number | Requirement | Summary
12.7 | Screen potential employees to minimize the risk of attacks from internal sources. | This requirement is met with Corporate Policies, Procedures and Documentation.
12.8 | If cardholder data is shared with service providers, then contractually the following is required: | This requirement is met with Corporate Policies, Procedures and Documentation.
12.8.1 | Service providers must adhere to the PCI DSS requirements | This requirement is met with Corporate Policies, Procedures and Documentation.
12.8.2 | Agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data the provider possesses | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9 | Implement an incident response plan. Be prepared to respond immediately to a system breach. | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9.1 | Create the incident response plan to be implemented in the event of system compromise. Ensure the plan addresses, at a minimum, specific incident response procedures, business recovery and continuity procedures, data backup processes, roles and responsibilities, and communication and contact strategies. | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9.2 | Test the plan at least annually | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9.3 | Designate specific personnel to be available on a 24/7 basis to respond to alerts | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9.4 | Provide appropriate training to staff with security breach response responsibilities | This requirement is met with Corporate Policies, Procedures and Documentation.
12.9.5 | Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems | XYGATE/MA provides an ALERT facility
12.9.6 | Develop processes to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments | This requirement is met with Corporate Policies, Procedures and Documentation.


Number | Requirement | Summary
12.10 | All processors and service providers must maintain and implement policies and procedures to manage connected entities, to include the following: | This requirement is met with Corporate Policies, Procedures and Documentation.
12.10.1 | Maintain a list of connected entities | This requirement is met with Corporate Policies, Procedures and Documentation.
12.10.2 | Ensure proper due diligence is conducted prior to connecting an entity | This requirement is met with Corporate Policies, Procedures and Documentation.
12.10.3 | Ensure the entity is PCI DSS compliant | This requirement is met with Corporate Policies, Procedures and Documentation.
12.10.4 | Connect and disconnect entities by following an established process | This requirement is met with Corporate Policies, Procedures and Documentation.


XYGATE Products

Product | Description
XYGATE/AC | This product provides action control and keystroke auditing, and allows authorized users to execute programs using a sensitive userid.
XYGATE/PC | This product provides process control; it allows specific users to control processes that are not their own.
XYGATE/CM | This is a supported $CMON process, with IP address controls and user logon limitations.
XYGATE/OS | This security event exit process works with Safeguard to provide pattern-driven, predictive, object-oriented security.
XYGATE/PQ | This product can optionally work as a security event exit process with Safeguard, or it can stand alone. It provides password quality and network password synchronization.
XYGATE/UA | This security event exit process provides enhanced authorization services, including LDAP support and an interface to the RSA ACE Server.
XYGATE/ESDK | This API toolkit provides all the software needed to include encryption services in a customer-written application. This product has been placed on the Pre-Validation List for the Federal Information Processing Standards Publications (FIPS) 140-2: Security Requirements for Cryptographic Modules. FIPS 140-2 validation is a requirement for any cryptographic product which will be used in a U.S. government agency network.
XYGATE/HE | This communication control process provides encryption and command security for FTP, and encryption for other NonStop server communications interfaces, such as Telnet and ODBC.
XYGATE/FE | This product provides file encryption/decryption, compression/decompression and character set translation.
XYGATE/SC | This product resides on a PC platform to provide SSL/TLS security for use with XYGATE/HE or another host SSL/TLS encryption product.
XYGATE/SH | This product is a Secure Shell program for the NonStop server OSS environment.
XYGATE/KM | This key management product creates, stores, supplies and archives keys for use by other encryption applications, such as XYGATE/FE or applications that have XYGATE/ESDK integrated into them.
XYGATE/MA | This auditing environment provides a way to combine all Safeguard, EMS, and XYGATE product audits into a single database. Reports can be generated, or audits can be filtered for events that trigger actions such as e-mail, EMS, SNMP or syslog alerts.
XYGATE/SW | This product collects data from the NonStop server to build a series of reports documenting compliance, deviation from Best Practice standards and security environment integrity.
